Legal

Privacy Policy

Effective date: May 1, 2026 · ZONTIK LLC · Wyoming, United States

ZONTIK LLC ("ZONTIK", "we", "us", "our") operates WheelRunner. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights regarding your data. By using WheelRunner you agree to the practices described here.

1. Data We Collect

1.1 Account Data

  • Email address (used for login and communications)
  • Password hash (stored by Supabase Auth — we never see your plaintext password)
  • Account creation date and last login timestamp
  • Legal name and acceptance timestamp (collected at onboarding for your User-Directed Trading Agreement)

1.2 Brokerage Connection Data

  • Alpaca brokerage credentials (API key + secret today; OAuth access tokens once our Alpaca OAuth integration is approved) — encrypted with AES-256-GCM at rest using server-only keys, and never transmitted to your browser
  • Brokerage account mode (paper or live), Alpaca account identifier, and connection status
  • We never store your Alpaca account password or login credentials

1.3 Trading and Configuration Data

  • Strategy preset selection and custom rule configurations
  • Watchlist tickers and portfolio size
  • Order history, position records, and fill data synced from Alpaca
  • Trade journal entries including AI-generated rationale drafts, user notes, and emotion flags
  • IV cache data (shared, anonymised, not linked to your account)

1.4 AI Interaction Data

  • AI Mentor chat messages and conversation history stored in our database
  • AI reasoning logs attached to automated decisions
  • Chat messages are sent to Anthropic's Claude API for processing — see Anthropic's privacy policy at anthropic.com/privacy

1.5 Usage and Technical Data

  • Browser type, operating system, and device type (for compatibility)
  • IP address (logged at consent acceptance and on sign-in for security)
  • Pages visited, feature usage, and session duration (via analytics — see Section 4)
  • Error logs and performance data (via Sentry)

2. How We Use Your Data

Providing the Service

Authenticating your session, connecting to Alpaca, executing trades per your rules, displaying your positions and analytics.

Legal compliance

Storing your signed User-Directed Trading Agreement and associated timestamp and IP for compliance with applicable regulations.

Billing

Processing subscription payments via Stripe. We share only what Stripe needs (email, plan) — no financial data is stored on our servers.

Product improvement

Aggregated, anonymised usage analytics to improve features. We never sell individual usage data.

Security

Fraud detection, session validation, and audit logging of brokerage actions.

Communications

Transactional emails (trade fills, billing receipts, security alerts). Marketing emails only with explicit opt-in.

3. Data Sharing and Third Parties

We do not sell your personal data. We share data only with the following sub-processors, each bound by their own privacy policies and data processing agreements:

| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database & Auth | All structured user data |
| Alpaca Markets | Brokerage API | Encrypted brokerage credentials, order requests, account/position data |
| Stripe | Payments | Email, subscription plan |
| Anthropic (Claude) | AI Mentor Chat | Chat messages, position context |
| Vercel | Hosting | HTTP requests, IP addresses |
| PostHog | Analytics | Anonymised usage events |
| Sentry | Error monitoring | Error traces (no financial data) |
| Resend | Transactional email | Email address |

We may also disclose data if required by law, regulation, or valid legal process. We will notify you of such requests where permitted.

4. Analytics and Cookies

We use PostHog for product analytics. PostHog is configured in a privacy-preserving mode: no cross-site tracking, no advertising cookies, and IP addresses are anonymised before storage. A session cookie is used for authentication. No third-party advertising cookies are set.

You may opt out of analytics tracking by emailing us at info@zontik.co. This does not affect your ability to use the Platform.

5. Data Security

  • Brokerage credentials (API key + secret, or OAuth tokens once Alpaca approves our OAuth integration) are encrypted with AES-256-GCM authenticated encryption before storage. A per-row initialisation vector and authentication tag prevent ciphertext substitution attacks. Decryption keys are held only in server memory and never leave our infrastructure.
  • All data in transit is encrypted with TLS 1.3
  • Database access is protected by Supabase Row Level Security — each user can only access their own data
  • Authentication uses JWT tokens with short expiry windows and automatic refresh
  • Passwords are hashed using bcrypt via Supabase Auth — we never store or see plaintext passwords
  • Access to production infrastructure is restricted to authorised personnel with MFA enforced

6. Data Retention

  • Account data: Retained while your account is active. Deleted 90 days after account closure on request.
  • Trade journal & orders: Retained indefinitely while active (required for tax reporting). Exported and deleted within 90 days of account closure on request.
  • Legal consent records: Retained for 7 years for compliance purposes, even after account closure.
  • AI chat history: Retained for 12 months, then automatically deleted.
  • Error logs: Retained for 30 days.
  • Billing records: Retained for 7 years per accounting requirements.

7. Your Rights

Depending on your jurisdiction, you may have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate data
  • Deletion — request deletion of your account and personal data (subject to legal retention requirements)
  • Portability — request your trade journal and position data exported as CSV or JSON
  • Objection — object to processing for analytics purposes
  • Restriction — request restriction of processing in certain circumstances
  • Withdraw consent — revoke Alpaca brokerage access at any time from the Platform Settings or directly from your Alpaca dashboard

To exercise any of these rights, email info@zontik.co. We will respond within 30 days.

8. GDPR and CCPA

EU/UK Users (GDPR): If you are located in the European Economic Area or United Kingdom, you have the rights described in Section 7 under the General Data Protection Regulation. Our legal basis for processing is: (a) contract performance for providing the Service; (b) legitimate interest for security and fraud prevention; (c) legal obligation for compliance records; and (d) consent for analytics. You have the right to lodge a complaint with your local supervisory authority.

California Users (CCPA): California residents have the right to know what personal information is collected, to delete personal information, and to opt out of the sale of personal information. We do not sell personal information. To exercise your rights, contact info@zontik.co.

9. Children's Privacy

WheelRunner is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us personal data, contact us immediately at info@zontik.co and we will delete it promptly.

10. International Transfers

WheelRunner is operated from the United States. If you access the Platform from outside the US, your data will be transferred to and processed in the United States. For EU/UK users, such transfers are covered by Supabase's and Vercel's Standard Contractual Clauses under GDPR. By using the Platform, you consent to this transfer.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The effective date at the top of this page will be updated. Continued use of the Platform constitutes acceptance of the updated policy.

12. Contact

For any privacy questions or to exercise your rights:

ZONTIK LLC — Privacy

Email: info@zontik.co

Registered Office: 1309 Coffeen Ave, Ste 1200, Sheridan, WY 82801, United States

State of Incorporation: Wyoming, United States