Privacy Policy

Version: 2026-05-11

1. Data Controller

The controller responsible for processing personal data for PolySimulator is:

Erik Eremenko

Auweg 38, 85748 Garching b. München, Germany

[email protected]

2. Scope and Short Summary

This Privacy Policy explains how PolySimulator processes personal data when you use our website, simulated trading features, accounts, paid plans, API beta, waitlists, alerts, analytics, support, and related services. It is intended to be a concrete GDPR Article 13 notice rather than a generic checklist.

3. Processing Activities, Legal Bases, Recipients, and Retention

The table below maps our main processing activities to data categories, legal bases, recipients, and retention periods. Exact retention can vary if we must preserve records for legal claims, security incidents, tax/accounting obligations, backups, or abuse investigations.

Where we rely on legitimate interests under Art. 6(1)(f) GDPR, our interest is operating a secure, stable, and fairly administered Service and preventing fraud, unauthorized access, abuse, manipulation, outages, and harm to users or the platform.

  • Account creation, authentication, and session management

    Data categories: Email address, name or profile data from OAuth providers, account IDs, login/session metadata, IP address, device/browser basics.

    Legal basis: Art. 6(1)(b) GDPR for account access; Art. 6(1)(f) GDPR for account security and abuse prevention.

    Recipients: Supabase Auth and the OAuth provider you choose, plus hosting/security providers.

    Retention: For the life of the account; self-service deletion requests normally use a 14-day grace period before final anonymization; session/security logs are normally kept for up to 30 days unless needed for security or legal reasons.

  • Simulated trading, virtual wallets, seasons, leaderboards, and account history

    Data categories: User ID, simulated balances, orders, fills, positions, P&L, season entries, leaderboard records, portfolio and API balance state.

    Legal basis: Art. 6(1)(b) GDPR to provide the Service; Art. 6(1)(f) GDPR for fair operation, ranking integrity, and abuse prevention.

    Recipients: PolySimulator infrastructure, database, monitoring, and security providers.

    Retention: While the account exists; fraud, dispute, and integrity records may be retained for up to 3 years after closure where needed.

  • Paid plans, billing, refunds, chargebacks, and entitlement checks

    Data categories: Billing identifiers, plan, purchase status, invoices, tax/accounting metadata, refund and dispute records. We do not store full card numbers.

    Legal basis: Art. 6(1)(b) GDPR for purchases/subscriptions; Art. 6(1)(c) GDPR for tax and accounting duties.

    Recipients: Stripe and infrastructure/accounting systems where required.

    Retention: Billing and tax records are generally retained for 10 years under German statutory retention rules.

  • API access, API keys, rate limits, beta programs, and developer support

    Data categories: API keys, user/account ID, request metadata, IP addresses, usage volumes, rate-limit state, beta status, onboarding progress, feedback, and support messages.

    Legal basis: Art. 6(1)(b) GDPR for API access; Art. 6(1)(f) GDPR for security, stability, rate limits, abuse prevention, and beta administration.

    Recipients: Hosting, database, logging, monitoring, communications, and support providers.

    Retention: API keys while active; API/security logs normally up to 90 days, longer for incidents, abuse, disputes, or legal obligations.

  • Waitlists and beta-access programs

    Data categories: Email address, IP address, consent timestamp, selected program, invitation status, reminder and feedback-follow-up status.

    Legal basis: Art. 6(1)(a) GDPR where you sign up or consent; Art. 6(1)(f) GDPR for fraud prevention and program integrity.

    Recipients: Hosting/database providers and communications providers used for program email or support.

    Retention: Until withdrawal, or normally up to 6 months after the relevant program launch/end; suppression records may be retained to honor opt-outs.

  • Service, account, and configured alert communications

    Data categories: Email address, user ID, account status, billing/API/season/beta status, alert preferences, delivery metadata, support context.

    Legal basis: Art. 6(1)(b) GDPR for account/service messages; Art. 6(1)(f) GDPR for security, reliability, support, and configured alerts; Art. 6(1)(c) GDPR for legal notices where required.

    Recipients: Email, support, Telegram, and infrastructure providers depending on the channel you use or configure.

    Retention: For the account life or as needed for support, security, disputes, legal notices, and suppression records.

  • Marketing and product-update communications

    Data categories: Email address, consent or customer-relationship status, preference and unsubscribe state, campaign delivery metadata, and optional engagement data.

    Legal basis: Art. 6(1)(a) GDPR for consent-based marketing; a narrow existing-customer exception only where legally valid; Art. 6(1)(f) GDPR to maintain suppression lists.

    Recipients: Email/communications providers and consent or suppression-management systems.

    Retention: Until consent withdrawal or objection; suppression records are retained as needed to ensure we do not contact you again for that purpose.

  • Cookies, analytics, product diagnostics, and session recording where enabled

    Data categories: Consent state, pseudonymous visitor/session IDs, pageviews, clicks, device/browser data, referrers, performance events, and session recordings where enabled.

    Legal basis: Consent under Art. 6(1)(a) GDPR and applicable cookie rules for optional analytics, PostHog, Clarity, GA/GTM, Plausible, and first-party pageview tracking; Art. 6(1)(f) GDPR for strictly necessary security logs.

    Recipients: Google, PostHog, Microsoft Clarity, Plausible, Axiom, Grafana/Loki, Cloudflare, and first-party analytics systems where enabled.

    Retention: Consent records and analytics identifiers normally up to 24 months; raw security logs normally 30 days unless needed longer.

  • AI-assisted content, summaries, support tooling, and trading analytics

    Data categories: Market context, public data, simulated portfolio/trade context, prompts, outputs, and limited account context where needed to provide the feature.

    Legal basis: Art. 6(1)(b) GDPR where AI features are part of the Service; Art. 6(1)(f) GDPR for product improvement and support tooling, with data minimization.

    Recipients: OpenAI API and infrastructure/monitoring providers. We aim to avoid sending unnecessary personal data in prompts.

    Retention: Feature logs normally 30-90 days unless saved to the account, needed for safety, or required for legal reasons.

  • Support, contact forms, feedback, and legal requests

    Data categories: Name, email address, message content, attachments if provided, account context, timestamps, and support history.

    Legal basis: Art. 6(1)(b) GDPR for account/support requests; Art. 6(1)(f) GDPR for response, documentation, and dispute handling; Art. 6(1)(c) GDPR for legal requests.

    Recipients: Formspree, email/support providers, and hosting/logging systems.

    Retention: Usually up to 3 years after final response unless a shorter or longer legal period applies.

4. Communications, Marketing, and Your Right to Object

Service messages about account access, security, authentication, billing, legal changes, API/beta access, season resets, support, and alerts you configure are processed where needed for contract performance, security, legal compliance, or reliable delivery of the Service.

Waitlist and beta-program emails are processed to manage the program you selected, including launch notification, access invitations, onboarding instructions, program-related reminders, and feedback follow-up.

Marketing and product-update emails are sent only with consent or, where genuinely available, a narrow existing-customer exception. Prospects and waitlist contacts are not automatically treated as marketing recipients.

We rely on an existing-customer exception only where we obtained the email address in connection with a purchase, market our own similar products or services, informed you at collection about advertising use and your right to object, include a simple free opt-out in each message, and you have not objected.

Direct Marketing Objection

You have the right to object at any time to processing of your personal data for direct marketing. Once you object, we will no longer process your data for direct marketing. You can use unsubscribe links in emails, the mailing-list controls in your profile, or contact [email protected].

5. Cookies, Analytics, and Consent Behavior

Our consent banner/CMP stores your choices against the current legal version. Essential cookies and local storage are required for login, security, consent state, and core functionality and cannot be disabled while using the Service.

  • Our first-party page-view measurement (the only first-party analytics we currently run) operates consent-free under the CNIL/DSK exempted-reach-measurement framework. It collects only path, country, and a coarse browser/OS/device-type triple; it never reads your raw IP, full User-Agent, or account identifier. You can opt out at any time via Analytics opt-out.
  • Optional third-party analytics tools such as Google Tag Manager/GA4, PostHog, Microsoft Clarity, and Plausible load only after analytics consent. These are not currently active by default.
  • Marketing storage and Google Consent Mode advertising signals are denied by default and are set to granted only after marketing consent.
  • Server, security, error, and abuse-prevention logs run independently of optional analytics consent where needed for operation and security.
  • You can change your choices through .

6. Providers, Processors, Controllers, and External Third Parties

The provider inventory below separates currently active or feature-conditional providers from planned/not-yet-live providers. Notes such as "where enabled" mean the provider is used only for the relevant feature. We update this page for material changes.

Authentication

Supabase acts as our auth processor; OAuth providers act independently for their own login services.

  • Supabase Auth

    Authentication, account sessions, email sign-in, and OAuth session handling

    Supabase Inc. · USA
  • Google Sign-In

    Single Sign-On Authentication

    Google Ireland Limited · Ireland
  • GitHub OAuth

    Single Sign-On Authentication

    GitHub, Inc. · USA
  • Apple Sign-In

    Single Sign-On Authentication

    Apple Inc. · USA
  • Discord OAuth

    Optional single sign-on authentication where enabled

    Discord Inc. · USA

    Only used if the Discord sign-in provider is enabled.

Hosting and Infrastructure

Mostly processors or infrastructure providers used to host, protect, store, deploy, and relay the Service.

  • Dokploy

    Application deployment and service orchestration

    Self-hosted Dokploy instance · Germany / USA infrastructure

  • Hetzner

    Server infrastructure for production, staging, monitoring, and related services

    Hetzner Online GmbH · Germany / EU and selected non-EU regions
  • Hostinger

    Hosting infrastructure for selected staging, legacy, or auxiliary deployments

    Hostinger International Ltd. · EU / international
  • Supabase PostgreSQL

    Primary managed database and auth-adjacent backend services

    Supabase Inc. · USA
  • Cloudflare

    DNS, CDN, proxying, DDoS protection, security filtering, and request metadata forwarding

    Cloudflare, Inc. · USA
  • Cloudflare R2

    Object storage for market archives and datalake snapshots

    Cloudflare, Inc. · USA / global network

    Used primarily for market/archive data; user personal data should not be intentionally stored there unless necessary.
  • Fly.io

    Price relay worker hosting for real-time market and asset price updates

    Fly.io · Global infrastructure, currently configured for London region

Payments

Payment processors and related independent financial-services providers for checkout and billing.

  • Stripe

    Subscriptions, top-ups, support payments, checkout, customer portal, refunds, and chargeback handling

    Stripe Payments Europe, Ltd. / Stripe group companies · EU / USA / international

Communications and Support

Processors and external platforms used for support, alerts, feedback, community links, and configured email delivery.

  • Formspree

    Contact and feedback form delivery

    Formspree, Inc. · USA
  • Resend

    Transactional email delivery (legal updates, account notifications, season-event service notices, configured-alert dispatch)

    Resend, Inc. · USA

    Used as the primary outbound ESP for service notices via send.polysimulator.com. Per-recipient deliveries; the message content is the same for every recipient on a given campaign.
  • Telegram Bot API

    User-enabled Telegram alert delivery and account linking

    Telegram Messenger Inc. / Telegram group companies · International
  • Purelymail SMTP

    Monitoring email and email delivery where configured

    Purelymail · USA
  • Discord

    Community links and optional community interaction

    Discord Inc. · USA

    Community data is processed by Discord when users click links, join, or interact there.

Analytics, Logs, and Diagnostics

Processors and telemetry tools used for product analytics, reliability, security, and diagnostics.

  • First-Party Analytics

    Pageview, funnel, product usage, reliability, and abuse-prevention analytics

    PolySimulator · Germany / USA infrastructure

    Includes local/session storage identifiers such as ps_vid / ps_sid, request metadata, and optional account identifiers after analytics consent.
  • Google Analytics 4 (GA4)

    Web Analytics and Audience Measurement

    Google Ireland Limited · Ireland
  • Google Tag Manager

    Tag Management and Analytics Integration

    Google Ireland Limited · Ireland
  • PostHog

    Product Analytics and Session Recording

    PostHog, Inc. · USA
  • Microsoft Clarity

    Session Recordings and Heatmaps

    Microsoft Corporation · USA
  • Plausible Analytics

    Privacy-Friendly Web Analytics

    Plausible Insights OÜ · Estonia (EU)
  • Axiom

    Log management, errors, performance diagnostics, and web vitals monitoring

    Axiom, Inc. · USA
  • Grafana, Loki, Alloy, and Prometheus

    Operational monitoring, metrics, logs, launch dashboards, alerting, and incident diagnostics

    Self-hosted Grafana Labs stack / Grafana Labs components · Germany / USA infrastructure

    Used for operational telemetry and logs; access is limited to operators.
  • CounterAPI

    Lightweight public interest counters where enabled

    CounterAPI · External service

    Used only on pages/components where the preview-interest counter is enabled.

Market, Price, News, and Context Data

External data providers. We generally read public data server-side and avoid sending account data to these providers.

  • Polymarket API

    Market Data and Pricing Information (Read-Only)

    Polymarket · USA

    We only read public market data. No user data is sent to Polymarket.
  • Binance Market Data

    Real-time crypto reference prices for simulation and charts

    Binance group companies · International

    Used by the Fly.io price relay for public asset prices.
  • Polygon.io

    Optional stock/index reference prices for simulation and charts

    Polygon.io, Inc. · USA

    Used only where stock/index price relay features are configured.
  • Chainlink Data Feeds / Polygon RPC

    Reference-price and settlement-price reads for crypto-related simulations

    Chainlink ecosystem and configured Polygon RPC provider such as Alchemy · International

    Used server-side for public blockchain/reference data reads; end-user personal data is not intentionally sent.
  • CoinGecko API and CDN

    Crypto reference price fallback and public crypto icon assets

    CoinGecko · International

    Used as a tertiary fallback when real-time crypto price sources are stale and for public token imagery.
  • Google News

    News search and article discovery for market context

    Google Ireland Limited / Google LLC · EU / USA
  • Open-Meteo

    Weather forecasts and geocoding for weather market context

    Open-Meteo · EU
  • USGS Earthquake API

    Public earthquake data for weather/geophysical market context

    United States Geological Survey · USA

AI and Content Tools

AI providers for planned or feature-gated summaries, explanations, support tooling, and trading analytics.

Planned / Not Yet Live Providers

  • OpenAI API

    Planned AI-assisted content generation, market summaries, trading analytics, explanations, and support tooling

    OpenAI Ireland Ltd. / OpenAI group companies · EU / USA / international

    Planned / not yet live. Prompts and outputs may be processed under OpenAI API terms and a data processing addendum; we intend to minimize personal data in prompts.

Fonts, Media, and UI Assets

External asset providers for fonts, avatars, flags, logos, and interface media.

  • Google Fonts (Inter)

    Typography and Font Rendering

    Google Ireland Limited · Ireland

    The app currently loads font files from fonts.gstatic.com.
  • ESPN CDN

    Sports team logos and related visual assets

    ESPN Internet Ventures / The Walt Disney Company · USA
  • DiceBear

    Fallback avatar generation

    DiceBear / related maintainers · International
  • FlagCDN

    Country flag assets where displayed

    FlagCDN / external CDN provider · International

Social Links and Sharing

Independent external platforms when you click links, share content, or interact there.

  • X (Twitter)

    Social Sharing and Embeds

    X Corp. · USA
  • Telegram

    Social sharing and community links

    Telegram Messenger Inc. / Telegram group companies · International

7. Waitlists and Beta-Access Programs

When you join a waitlist or beta-access program, we process your email address, IP address, timestamp, selected program, invitation status, and program-related follow-up status.

The purpose is to manage the relevant waitlist or beta program, including launch notification, access invitation, onboarding instructions, reminders related to the selected program, and feedback follow-up directly related to that program. This is not general marketing consent.

You can withdraw consent at any time through polysimulator.com/waitlist/unsubscribe or by emailing [email protected].

8. International Transfers

Some providers are located outside the EEA or use international infrastructure, including Supabase, Cloudflare, Stripe, Google, GitHub, Discord, PostHog, Microsoft, Axiom, Fly.io, Resend, OpenAI, and certain data or asset providers. Where required, we rely on adequacy decisions, the EU-US Data Privacy Framework, Standard Contractual Clauses, data-processing agreements, and additional technical/organizational safeguards. Provider roles and locations are listed above.

9. Retention Details

Data categories and their retention periods:

  • Account profile and authentication records: Account lifetime, then normally a 14-day self-service deletion grace period before deletion or anonymization unless retention is required.
  • Simulated trading history, leaderboards, seasons, and wallet records: Account lifetime; integrity, dispute, and abuse records may be retained up to 3 years.
  • Billing, invoices, tax, refund, and chargeback records: Generally 10 years under German statutory retention duties.
  • API keys and API usage/security logs: Keys while active; logs normally up to 90 days, longer for incidents or legal needs.
  • Waitlist and beta-program data: Until withdrawal or normally up to 6 months after the relevant program launch/end.
  • Marketing preferences, unsubscribe, and suppression records: Until withdrawal/objection; suppression records as long as needed to honor opt-outs.
  • Consent records, cookies, ps_vid/ps_sid, and analytics identifiers: First-party reach-measurement identifiers (ps_vid / ps_sid) rotate at least every 13 months. Other consent records: up to 24 months unless you change preferences earlier.
  • First-party page-view events (path, country, derived device family): Maximum 13 months. A daily server-side task automatically deletes older rows. Aggregated counts may be retained longer because they are already anonymous.
  • Server, security, and error logs: Normally 30 days; longer for incidents, abuse, disputes, or legal obligations.
  • Support, feedback, and legal correspondence: Usually up to 3 years after final response.

10. Automated Logic

We use automated logic for simulated orders, leaderboard rankings, season rules, API rate limits, API beta access, entitlement and plan checks, abuse detection, and security controls. This logic does not produce legal effects or similarly significant effects outside the simulated Service environment. We do not use fully automated profiling for decisions about real-money products.

11. Your GDPR Rights

Subject to GDPR conditions, you have rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent, and complaint to a supervisory authority.

In particular, you may object to direct marketing at any time. After objection, we will no longer process your data for direct marketing. You can do this from your profile settings or from unsubscribe links in emails.

How to exercise your rights: email [email protected] from the address on your account or use the account deletion control in your profile settings. We respond within one month of receipt under Art. 12(3) GDPR; for particularly complex requests we may extend by two further months and inform you. Self-service deletion requests normally use a 14-day grace period before final anonymization. For erasure requests (Art. 17 GDPR) we anonymize your account and delete or anonymize personal data. We retain certain records where legally required (for example, invoices for 10 years under § 257 HGB / § 147 AO) or necessary for the establishment, exercise, or defense of legal claims (Art. 17(3)(b) and (e) GDPR). Our reply itemizes what was erased and what was retained, with the legal basis for retention.

12. Security

  • TLS/SSL encryption in transit.
  • OAuth-based authentication and access controls.
  • Cloudflare protection, monitoring, logging, and abuse detection.
  • Restricted operator access to production systems and logs.

Data breach notification: We notify the competent supervisory authority of a personal-data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, in accordance with Art. 33 GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the breach is likely to result in a high risk to your rights and freedoms, we additionally notify you directly in accordance with Art. 34 GDPR.

13. Supervisory Authority

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)

Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

14. Children

The Service is not intended for children under 16. If you believe a child has provided personal data to us, please contact us.

15. Changes to This Policy

We may update this Privacy Policy when the Service, providers, purposes, or legal requirements change. For material changes, we will provide appropriate notice and update the version date.

16. Contact