Privacy Policy
This Privacy Policy is published by Nguyen Ngoc Minh Quan (d/b/a Sigma Terminal), organized under the laws of Hanoi, Vietnam, with a place of business at Hanoi, Vietnam ("Sigma Terminal," "we," "us," "our"). For privacy requests, contact terminalsigmasupport@gmail.com.
1. Overview
This Privacy Policy explains how Sigma Terminal collects, uses, discloses, retains, and protects personal information when you use our website, terminal app, subscriptions, alerts, APIs, and related services (the "Service"). It applies in addition to our Terms of Service.
2. Information We Collect
We collect the following categories of personal information:
- Account information: email address, password hash (bcrypt), email verification status, account creation and login timestamps, subscription tier, and account settings.
- Profile and trading workflow information: risk tolerance, trading style, experience level, sectors of interest, net liquidity figure, watchlists, portfolio positions, notes, alerts, prediction history, and analysis history.
- AI and prompt information: prompts you submit, AI outputs returned to you, ticker requests, portfolio context included in prompts, and related metadata needed to generate, debug, and improve responses.
- Payment information: billing status, plan, Stripe customer identifiers, subscription identifiers, invoice metadata, last four card digits, and payment events. We do not store full payment card numbers.
- API and security information: API key prefixes, salted SHA-256 hashes of API keys, last-used timestamps, IP addresses, request logs, device/browser identifiers, and authentication tokens.
- Bring-your-own-key information: if you save your own AI provider API key, it is encrypted at rest using AES-256-GCM with a server-side master key. We display only the last 4 characters of the key, the date it was set, and never log the plaintext key after acceptance.
- Technical information: pages visited, feature usage, error reports, browser type, device type, approximate location inferred from IP address, and service logs.
3. How We Use Information
We use information to:
- Operate, maintain, secure, and improve Sigma Terminal.
- Create accounts, authenticate users, verify email addresses, and reset passwords.
- Provide AI analysis, portfolio context, watchlists, charts, scanners, earnings tools, alerts, API access, and billing features.
- Enforce plan limits, prevent abuse, debug errors, and protect the Service.
- Process payments, manage subscriptions, send renewal reminders, and communicate account notices.
- Comply with legal obligations and enforce our Terms of Service.
4. AI Processing
When you request AI analysis, relevant prompts and context are sent to AI model providers (currently Anthropic, PBC) to generate responses. Depending on your request, this may include ticker symbols, watchlist information, portfolio positions, liquidity figures, preferences, or prior analysis context. Anthropic processes data under its own privacy policy. Do not submit information you do not want processed by AI providers. Elite users who supply their own Anthropic API key send prompts directly to Anthropic under their own account; Sigma still acts as the network intermediary but does not retain your prompts beyond what is needed to route and bill the request.
5. Payments
Payments and subscription management are handled by Stripe, Inc. Payment processors collect and process information under their own privacy policies. We receive limited billing metadata (customer ID, subscription ID, status, period end, invoice IDs, last 4 card digits) needed to manage your plan.
6. Cookies, Local Storage, and Analytics
Essential storage (always on). Sigma Terminal uses authentication tokens in localStorage/sessionStorage (sigma_token_v2), theme preference (sigma_theme), cookie consent preference (sigma_cookie_consent), and session-only UI flags. These are required for the Service to operate and do not require consent under EU/UK ePrivacy rules or CCPA.
Analytics cookies (consent required). If you consent via the cookie banner, we use Microsoft Clarity (a service of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052, USA) to collect heatmaps and session recordings that help us identify UX issues and improve the product. Clarity sets two cookies: _clck (persists 1 year, identifies unique visitors by assigning a random ID) and _clsk (persists 1 day, groups page views within a session). Data is sent to and processed by Microsoft under the Microsoft Privacy Statement. Microsoft may use aggregated data to improve its own products and services.
A cookie consent banner is shown on your first visit to the marketing site. You can withdraw analytics consent at any time by choosing "Essential only" in the banner (clear sigma_cookie_consent from your browser's localStorage to see the banner again), or by using your browser settings to block the clarity.ms domain. Withdrawing consent does not affect prior lawful processing. See the Cookie Policy for the full cookie table.
We do not use advertising pixels, cross-site tracking networks, or fingerprinting technologies. If we add any new non-essential technology in the future, we will update this Policy and the Cookie Policy and present a consent prompt before loading it.
7. How We Share Information
We share personal information with:
- Service providers that help us operate the Service: hosting (Railway, Vercel), database (Supabase), email delivery (Resend), authentication (Google for sign-in), AI processing (Anthropic), market data (third-party data vendors), payments (Stripe), monitoring, and security. These providers process data on our behalf under contract.
- Legal, regulatory, or security recipients when required to comply with law, respond to valid legal requests, protect rights, prevent abuse, or protect the safety of any person.
- Business transaction parties if we are involved in a merger, acquisition, financing, reorganization, or sale of assets, subject to standard confidentiality and successor-obligation protections.
We do not "sell" personal information and do not "share" personal information for cross-context behavioral advertising, as those terms are defined under the California Consumer Privacy Act (CCPA/CPRA) and similar state laws.
8. Data Retention
We keep personal information only as long as needed for the purposes described in this Policy. Typical periods are:
- Account records and profile data: while the account is active and for up to 24 months after closure.
- Billing and tax records: at least 7 years, where required by law.
- Server access logs and security logs: up to 90 days.
- Saved AI analyses, watchlist entries, portfolio positions, alerts, and predictions: while the account is active or until you delete them.
- Backups: rolling backups are purged within 60 days.
You may request deletion of your account data, subject to legal, security, billing, and backup retention needs described above.
9. Security
We use reasonable technical and organizational safeguards designed to protect personal information, including:
- Password hashing with bcrypt.
- JWT-based session tokens with expiration.
- Encryption in transit (HTTPS/TLS).
- Encryption at rest for user-supplied AI provider keys (AES-256-GCM with server-side master key).
- SHA-256 hashing of programmatic API keys (plaintext shown to user once at creation, never stored).
- Access controls, audit logging, and provider security controls.
No system is perfectly secure. We cannot guarantee absolute security and are not responsible for breaches caused by third-party providers or events outside our reasonable control. We will notify affected users and regulators of a confirmed personal-data breach as required by applicable law.
10. Your Choices
You can update certain profile and account information in the app, delete or replace saved API keys and saved AI provider keys, cancel paid subscriptions through the billing flow, and contact us to exercise the additional rights described in Section 12 and in the Privacy Rights page.
11. Children's Privacy
Sigma Terminal is intended for users at least 18 years old, per our Terms of Service. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from a person under 18, we will delete it. If you believe a minor has provided information to us, contact terminalsigmasupport@gmail.com.
12. U.S. State Privacy Rights
Depending on your state of residence, you may have rights under one or more of these U.S. state privacy laws:
- California — CCPA/CPRA
- Virginia — VCDPA
- Colorado — CPA
- Connecticut — CTDPA
- Utah — UCPA
- Texas — TDPSA
- Oregon — OCPA
- Delaware — DPDPA
Available rights typically include the right to know what we collect, request access, correct inaccuracies, request deletion, request data portability, opt out of certain sales or sharing, limit certain uses of sensitive personal information, and not be discriminated against for exercising privacy rights. To submit a request, follow the steps in the Privacy Rights page.
13. European Economic Area, United Kingdom, and Swiss Users
If you access the Service from the EEA, UK, or Switzerland, the General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Act on Data Protection (FADP) may apply. In that case:
- Controller. Nguyen Ngoc Minh Quan (d/b/a Sigma Terminal), Hanoi, Vietnam, is the controller of your personal information.
- EU/UK representative. Where Art. 27 GDPR applies, our representative is [appointed EU representative — see LEGAL_NEEDS_FILL.md].
- Legal bases. We process your personal information under one or more of these lawful bases: performance of a contract with you (account, billing, AI requests you submit); legitimate interests (security, fraud prevention, product improvement, communication); consent (where you provide it, such as marketing emails if we ever send them); and legal obligations (tax, accounting, law-enforcement requests).
- International transfers. The Service is operated from the United States and uses providers in the United States and other countries. Where required, transfers are made under appropriate safeguards such as the EU Standard Contractual Clauses, UK International Data Transfer Agreement, or providers' Data Privacy Framework certifications.
- Your rights. You may have rights of access, rectification, erasure, restriction, portability, objection, and to lodge a complaint with your local supervisory authority.
- Withdrawing consent. Where processing is based on consent, you can withdraw consent at any time without affecting prior lawful processing.
To exercise these rights, email terminalsigmasupport@gmail.com.
14. Singapore Users (Personal Data Protection Act 2012)
If you are in Singapore, the Personal Data Protection Act 2012 ("PDPA") may apply to your personal data. In that case:
- Organisation. Nguyen Ngoc Minh Quan (d/b/a Sigma Terminal), Hanoi, Vietnam, is the organisation responsible under the PDPA for personal data collected, used, and disclosed through the Service.
- Data Protection Officer. Our designated Data Protection Officer for PDPA matters is Nguyen Ngoc Minh Quan. Email: terminalsigmasupport@gmail.com (subject line: "DPO — PDPA request").
- Purpose and consent. We collect, use, and disclose personal data only for the purposes described in Sections 2 and 3 of this Policy. By creating an account and using the Service, you consent to those uses. You may withdraw consent at any time by emailing the DPO, but withdrawal may prevent us from providing some or all features.
- Access and correction. You may request access to your personal data and request correction of inaccurate or incomplete data. We will respond within a reasonable time and within 30 days where required by the PDPA. A reasonable fee may apply for access requests where permitted by law.
- Accuracy. Please keep your account information up to date. We rely on the information you provide.
- Protection. We protect personal data with the measures described in Section 9.
- Retention. We retain personal data only as long as needed for the purposes in this Policy or as required by law; see Section 8.
- Transfer limitation. Where we transfer your personal data out of Singapore, we will ensure that the data is protected to a standard comparable to the PDPA through contractual safeguards (such as data-processing agreements with our providers), provider certifications, or another legally recognised mechanism.
- Data breach notification. If a notifiable data breach occurs as defined by the PDPA, we will notify the Personal Data Protection Commission (PDPC) and affected users within the timeframes required by law.
- Do Not Call. We do not telemarket to Singapore numbers. If we ever do, we will check the relevant Do Not Call registers and honour your preferences.
- Complaints. If you are not satisfied with our response, you may complain to the PDPC at www.pdpc.gov.sg.
15. International Users
Sigma Terminal is operated from the United States. If you use the Service from outside the United States, your information may be processed in the United States and other countries where our providers operate. By using the Service, you understand that data protection laws in those countries may differ from those in your country of residence.
16. Do Not Track
Some browsers send a "Do Not Track" or Global Privacy Control signal. Because there is no common standard for responding to those signals, our practices apply uniformly across all users. We do not currently sell or share personal information for cross-context behavioral advertising regardless of any signal.
17. Changes to This Policy
We may update this Privacy Policy from time to time. If changes are material, we will give reasonable notice by email, in-app notice, or by updating the "Last updated" date. The updated Policy is effective when posted.
17. Contact
Nguyen Ngoc Minh Quan (d/b/a Sigma Terminal)
Hanoi, Vietnam
Email: terminalsigmasupport@gmail.com