Sibyl Quantitative — Privacy Policy
Last updated: 2026-05-23
This Privacy Policy describes how Sibyl Quantitative ("Sibyl," "we," "us," or "our") collects, uses, shares, and protects information from users ("you" or "User") of the Sibyl Quantitative website at sibyl-ai.com and related services (collectively, the "Service"). By using the Service, you consent to this Privacy Policy.
DRAFT — NOT YET ATTORNEY-REVIEWED. This document was generated from Sibyl's actual data flows on 2026-05-13. Before publishing live, an attorney should review at minimum: Section 3 (Sharing — third-party vendor list), Section 6 (Your Rights — CCPA + GDPR compliance), and Section 8 (Children). See legal/README.md for the review checklist.
1. Information We Collect
1.1 Information you provide directly
When you create an Account or use the Service, you may provide:
- Email address — required for sign-in, transactional notifications, and account recovery.
- Username — optional, chosen at signup.
- Password — if you create a password-based Account. Passwords are never stored in plaintext; we store a one-way bcrypt hash (rounds=12) computed in our auth.py.
- Google account identifier — if you sign in with Google ("sub" claim from the OAuth ID token), plus your Google-verified email and profile name.
- Payment information — if you start a Subscription, payment details (card number, expiration, CVC, billing address) are collected directly by Stripe, our payment processor. Sibyl does not store or have access to your credit-card number. We store only the Stripe customer ID and subscription status returned to us by Stripe.
- Watchlist tickers — ticker symbols you save to your personal watchlist.
- User preferences — display language, theme, notification settings.
- Feedback — any messages or feedback you submit through the in-app feedback bubble or by emailing support@sibyl-ai.com.
- Auto-Trade configuration — if you enable Auto-Trade, the parameters you configure (position-size cap, ticker scope, exit ladder thresholds, etc.). The Service stores the Sibyl signals that triggered each order; the actual order routing and execution data are held by Alpaca Securities LLC subject to its own privacy policy.
1.2 Information collected automatically
When you use the Service, we automatically collect:
- Sign-in events — timestamp, user agent string, IP address. Used for account security and audit (rate-limiting sign-in codes, detecting unauthorized access).
- Session cookies — a 90-day cookie containing a server-side session token. The token is random and revocable; we use the streamlit-cookies-controller library and HTTPS-only cookies. No third-party tracking cookies are set.
- Server logs — IP, page accessed, timestamp, response status. Used for operational troubleshooting and security; retained ~30 days.
- Auto-Trade ledger — for every order placed by Auto-Trade, we record: ticker, side, quantity, entry price, the Sibyl signal that triggered it, the exit ladder applied, and the realized P&L on close.
- Forecast viewing telemetry — minimal counts of which tickers and time-horizons you view. Used to size compute load.
1.3 Information we do NOT collect
- We do not collect your Social Security Number, government ID, date of birth, or financial-account routing numbers.
- We do not collect or store your credit card information (this is handled exclusively by Stripe).
- We do not collect precise geolocation; we collect only the IP address from network requests.
- We do not use third-party advertising trackers or analytics services that build behavioral profiles.
2. How We Use Information
We use the information we collect to:
- Provide the Service, including authenticating you, displaying forecasts, generating Sibyl Take AI synthesis, processing your Subscription, and (if enabled) executing Auto-Trade orders.
- Send transactional emails (sign-in codes, subscription receipts, trial-ending reminders, security alerts).
- Improve the Service, including measuring forecast accuracy on resolved predictions and refining prompts.
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
- Communicate about service updates, new features, and (with your consent) marketing announcements.
3. Information We Share
We share information with the following third-party service providers, each governed by its own privacy policy and contractually obligated to handle data confidentially:
| Provider | What we share | Purpose |
|---|---|---|
| Stripe, Inc. | Email, name, Subscription metadata | Payment processing |
| Anthropic, PBC | Per-forecast input (price history, signals, fundamentals) | AI synthesis (Sibyl Take). Anthropic does not retain or train on this data under commercial terms. |
| Alpaca Securities LLC | Account linking credentials, order parameters | Brokerage order execution (Auto-Trade users only) |
| Resend.com | Email address, message content | Transactional email delivery |
| DigitalOcean, LLC | Server data and user database | Cloud hosting infrastructure |
| RunPod, Inc. | Forecast inputs (anonymized — no user PII) | GPU compute for model inference |
| Google LLC | OAuth ID token (only if you sign in with Google) | Authentication |
| Cloudflare, Inc. | IP and request metadata | DNS, SSL termination, bot mitigation |
We do not sell, rent, or share your personal information with third parties for their independent marketing purposes.
We may disclose information if required by law (e.g., subpoena, court order, regulatory request), to enforce our Terms of Service or this Privacy Policy, to protect the safety of users or the public, or in connection with a merger, acquisition, or sale of business assets (in which case we will give you notice and an opportunity to opt out of the transfer where applicable).
4. Data Retention
- Active Account data — retained for the life of your Account.
- Sign-in events — retained indefinitely for audit, with a documented purge schedule of 12 months for security logs (subject to active investigation holds).
- Session cookies — 90 days from issuance.
- One-time email codes — 15 minutes from issuance; single-use.
- Auto-Trade ledger — retained for the life of the Account plus 7 years after Account closure to support tax-reporting requests and dispute resolution.
- Backups — encrypted backups are retained for 30 days after generation.
- Deleted Accounts — see Section 6.4 below.
5. Data Security
We use industry-standard security practices:
- In transit — all traffic between your browser and the Service uses HTTPS (TLS 1.2+). The Service does not accept connections over insecure HTTP.
- At rest — passwords are hashed with bcrypt (work factor 12). The user database lives on our DigitalOcean droplet with file-system permissions restricted to the application user.
- Sessions — server-side session tokens are random (32-byte), revocable, and tied to a specific user agent + IP for theft detection. Tokens are stored as one-way hashes; the raw token only exists in your browser cookie.
- Access controls — access to production servers is limited to authorized administrators and audited.
- Vendor security — we select third-party providers with SOC 2 Type II or comparable security posture (Stripe, Anthropic, DigitalOcean, Google).
No method of data transmission or storage is 100% secure. If you become aware of a security issue, please contact security@sibyl-ai.com.
6. Your Rights
6.1 Access and correction
You may access most of your Account data directly through the Service (Account settings, watchlist, subscription status). To request a copy of all data we hold about you, email privacy@sibyl-ai.com.
6.2 California residents (CCPA / CPRA rights)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, share, and sell about you.
- Request deletion of your personal information.
- Request correction of inaccurate personal information.
- Opt out of any "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under the CCPA/CPRA).
- Limit the use of "sensitive personal information" (we do not collect sensitive personal information as defined under the CPRA).
- Non-discrimination for exercising your rights.
To exercise these rights, email privacy@sibyl-ai.com from the email address associated with your Account. We will verify your identity before fulfilling the request. We respond to verifiable consumer requests within 45 days as required by law.
6.3 European residents (GDPR rights)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the right to:
- Access, rectify, or erase your personal data.
- Restrict or object to certain processing.
- Data portability.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with a supervisory authority.
We process data under one or more of these GDPR lawful bases: performance of a contract (operating the Service), legitimate interests (security, fraud prevention, service improvement), legal obligations, and consent (marketing, where applicable).
To exercise GDPR rights, email privacy@sibyl-ai.com.
6.4 Account deletion
You can request deletion of your Account by emailing privacy@sibyl-ai.com or by replying "delete" to any sign-in email. Upon a verified deletion request:
- We will delete or anonymize your Account, watchlist, preferences, and sign-in event records within 30 days.
- We will retain the Auto-Trade ledger and Subscription records for 7 years to satisfy tax-reporting and dispute-resolution obligations, after which they will also be deleted.
- Backups containing your data are purged on the 30-day backup rotation.
7. Cookies and Tracking
We use a small number of essential cookies:
- Session cookie — required for authentication. Set on successful sign-in, expires after 90 days, HTTPS-only, SameSite=Lax.
- localStorage payload — a redundant token stored in your browser to enable cross-tab session persistence. Same lifetime as the cookie.
We do not use third-party analytics, advertising trackers, or behavioral profiling cookies. The Service does not respect the "Do Not Track" browser signal at this time because it does not set tracking cookies that DNT would affect.
8. Children
The Service is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you are under 18, do not create an Account or use the Service. If we learn that we have collected personal information from a person under 18, we will delete that information.
9. International Data Transfers
The Service operates from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. The data-protection laws in the United States may differ from those in your country. By using the Service, you consent to the transfer of your information to the United States.
For users in the European Economic Area or the United Kingdom, transfers of personal data to the United States are made under the Standard Contractual Clauses (or equivalent) where required by GDPR.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this Policy will reflect when the latest changes took effect. For material changes, we will notify you by email or through a prominent notice on the Service at least 14 days before the changes take effect.
11. Contact
For privacy-related questions, requests, or concerns:
- Email: privacy@sibyl-ai.com
- For security issues: security@sibyl-ai.com
- For all other matters: support@sibyl-ai.com
Sibyl Quantitative [BUSINESS ADDRESS — TO BE ADDED ONCE LLC FORMED PER BUDGET.md SECTION 3] United States of America