Sibyl Quantitative — Privacy Policy
Last updated: 2026-05-26
This Privacy Policy describes how Sibyl Quantitative ("Sibyl," "we," "us," or "our") collects, uses, shares, and protects information from users ("you" or "User") of the Sibyl Quantitative website at sibyl-ai.com and related services (collectively, the "Service"). By using the Service, you consent to this Privacy Policy.
1. Information We Collect
1.1 Information you provide directly
When you create an Account or use the Service, you may provide:
- Email address — required for sign-in, transactional notifications, and account recovery.
- Username — optional, chosen at signup.
- Password — if you create a password-based Account. Passwords are never stored in plaintext; we store a one-way bcrypt hash (rounds=12) computed in our auth.py.
- Google account identifier — if you sign in with Google ("sub" claim from the OAuth ID token), plus your Google-verified email and profile name.
- Payment information — if you start a Subscription, payment details (card number, expiration, CVC, billing address) are collected directly by Stripe, our payment processor. Sibyl does not store or have access to your credit-card number. We store only the Stripe customer ID and subscription status returned to us by Stripe.
- Watchlist tickers — ticker symbols you save to your personal watchlist.
- User preferences — display language, theme, notification settings.
- Feedback — any messages or feedback you submit through the in-app feedback bubble or by emailing [email protected].
- Auto-Trade configuration — if you enable Auto-Trade, the parameters you configure (position-size cap, ticker scope, exit ladder thresholds, etc.). The Service stores the Sibyl signals that triggered each order; the actual order routing and execution data are held by Alpaca Securities LLC subject to its own privacy policy.
1.2 Information collected automatically
When you use the Service, we automatically collect:
- Sign-in events — timestamp, user agent string, IP address. Used for account security and audit (rate-limiting sign-in codes, detecting unauthorized access).
- Session cookies — a 90-day cookie (sibyl_session) containing a server-side session token. The token is random and revocable; the cookie is HttpOnly, Secure, SameSite=Lax, and scoped to the .sibyl-ai.com domain. No third-party tracking cookies are set.
- Server logs — IP, page accessed, timestamp, response status. Used for operational troubleshooting and security; retained ~30 days.
- Auto-Trade ledger — for every order placed by Auto-Trade, we record: ticker, side, quantity, entry price, the Sibyl signal that triggered it, the exit ladder applied, and the realized P&L on close.
- Forecast viewing telemetry — minimal counts of which tickers and time-horizons you view. Used to size compute load.
1.3 Information we do NOT collect
- We do not collect your Social Security Number, government ID, date of birth, or financial-account routing numbers.
- We do not collect or store your credit card information (this is handled exclusively by Stripe).
- We do not collect precise geolocation; we collect only the IP address from network requests.
- We do not use advertising trackers, and we do not use analytics that build behavioral profiles or track you across other websites. We do use Cloudflare Web Analytics — a privacy-preserving, cookieless measurement of aggregate traffic (see §3 and §7).
2. How We Use Information
We use the information we collect to:
- Provide the Service, including authenticating you, displaying forecasts, generating Sibyl Take AI synthesis, processing your Subscription, and (if enabled) executing Auto-Trade orders.
- Send transactional emails (sign-in codes, subscription receipts, trial-ending reminders, security alerts).
- Improve the Service, including measuring forecast accuracy on resolved predictions and refining prompts.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
- Communicate about service updates, new features, and (with your consent) marketing announcements.
3. Information We Share
We share information with the following third-party service providers, each governed by its own privacy policy and contractually obligated to handle data confidentially:
| Provider | What we share | Purpose |
|---|---|---|
| Stripe, Inc. | Email, name, Subscription metadata | Payment processing |
| Anthropic, PBC | Per-forecast input (price history, signals, fundamentals) | AI synthesis (Sibyl Take). Anthropic does not retain or train on this data under commercial terms. |
| Alpaca Securities LLC | Account linking credentials, order parameters | Brokerage order execution (Auto-Trade users only) |
| Resend.com | Email address, message content | Transactional email delivery |
| DigitalOcean, LLC | Server data and user database | Cloud hosting infrastructure |
| RunPod, Inc. | Forecast inputs (anonymized — no user PII) | GPU compute for model inference |
| Google LLC | OAuth ID token (only if you sign in with Google) | Authentication |
| Apple Inc. | Apple Sign In identity token (only if you sign in with Apple); APNS device token (if you grant iOS push notification permission) | Authentication + push notification delivery |
| Cloudflare, Inc. | IP and request metadata; aggregate page-view/referrer/performance data (Web Analytics — cookieless, not linked to your identity) | DNS, SSL termination, bot mitigation, privacy-preserving web analytics |
Bundled software components. Our apps include third-party software that runs on your device and does not transmit your personal information to its vendor: Capacitor (the open-source runtime that packages our web app as a native iOS app) and TradingView lightweight-charts (the open-source library that renders price charts locally in your browser/app). These are libraries we ship, not services we send your data to.
We do not sell, rent, or share your personal information with third parties for their independent marketing purposes.
We may disclose information if required by law (e.g., subpoena, court order, regulatory request), to enforce these Terms or the Privacy Policy, to protect the safety of users or the public, or in connection with a merger, acquisition, or sale of business assets (in which case we will give you notice and an opportunity to opt out of the transfer where applicable).
4. Data Retention
- Active Account data — retained for the life of your Account.
- Sign-in events — retained indefinitely for audit, with a documented purge schedule of 12 months for security logs (subject to active investigation holds).
- Session cookies — 90 days from issuance.
- One-time email codes — 15 minutes from issuance; single-use.
- Auto-Trade ledger — retained for the life of the Account plus 7 years after Account closure to support tax-reporting requests and dispute resolution.
- Backups — encrypted backups are retained for 30 days after generation.
- Deleted Accounts — see Section 6.4 below.
5. Data Security
We use industry-standard security practices:
- In transit — all traffic between your browser and the Service uses HTTPS (TLS 1.2+). The Service does not accept connections over insecure HTTP.
- At rest — passwords are hashed with bcrypt (work factor 12). The user database lives on our DigitalOcean droplet with file-system permissions restricted to the application user.
- Sessions — server-side session tokens are random (32-byte), revocable, and tied to a specific user agent + IP for theft detection. Tokens are stored as one-way hashes; the raw token only exists in your browser cookie.
- Access controls — access to production servers is limited to authorized administrators and audited.
- Vendor security — we select third-party providers with SOC 2 Type II or comparable security posture (Stripe, Anthropic, DigitalOcean, Google).
No method of data transmission or storage is 100% secure. If you become aware of a security issue, please contact [email protected].
6. Your Rights
6.1 Access and correction
You may access most of your Account data directly through the Service (Account settings, watchlist, subscription status). To request a copy of all data we hold about you, email [email protected].
6.2 California residents (CCPA / CPRA rights)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, share, and sell about you.
- Request deletion of your personal information.
- Request correction of inaccurate personal information.
- Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA).
- Limit the use of "sensitive personal information" (we do not collect sensitive personal information as defined under the CPRA).
- Non-discrimination for exercising your rights.
To exercise these rights, email [email protected] from the email address associated with your Account. We will verify your identity before fulfilling the request. We respond to verifiable consumer requests within 45 days as required by law.
6.3 European residents (GDPR rights)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access, rectify, or erase your personal data.
- Restrict or object to certain processing.
- Data portability.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority.
We process data under one or more of these GDPR lawful bases: performance of a contract (operating the Service), legitimate interests (security, fraud prevention, service improvement), legal obligations, and consent (marketing, where applicable).
To exercise GDPR rights, email [email protected].
6.4 Account deletion
You can request deletion of your Account by emailing [email protected] or by replying "delete" to any sign-in email. Upon a verified deletion request:
- We will delete or anonymize your Account, watchlist, preferences, and sign-in event records within 30 days.
- We will retain the Auto-Trade ledger and Subscription records for 7 years to satisfy tax-reporting and dispute-resolution obligations, after which they will also be deleted.
- Backups containing your data are purged on the 30-day backup rotation.
7. Cookies and Tracking
We use a small number of essential cookies:
- Session cookie — required for authentication. Set on successful sign-in, expires after 90 days, HTTPS-only, SameSite=Lax.
- localStorage payload — a redundant token stored in your browser to enable cross-tab session persistence. Same lifetime as the cookie.
We use Cloudflare Web Analytics to understand aggregate traffic — page views, referrers, and performance metrics. It is privacy-preserving: it sets no cookies, does not track you across other websites, and does not build a behavioral profile of you. We do not use advertising trackers or behavioral profiling cookies. Because Cloudflare Web Analytics sets no tracking cookies, there is nothing for the "Do Not Track" browser signal to disable; the Service does not otherwise alter behavior based on the DNT signal at this time.
8. Children
The Service is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not create an Account or use the Service. If we learn that we have collected personal information from a person under 18, we will delete that information.
9. International Data Transfers
The Service operates from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. The data-protection laws in the United States may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.
For users in the European Economic Area or the United Kingdom, transfers of personal data to the United States are made under the Standard Contractual Clauses (or equivalent) where required by GDPR.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy will reflect when the latest changes took effect. For material changes, we will notify you by email or through a prominent notice on the Service at least 14 days before the changes take effect.
11. Contact
For privacy-related questions, requests, or concerns:
- Email: [email protected]
- For security issues: [email protected]
- For all other matters: [email protected]
Sibyl Quantitative
Los Angeles, California
United States of America