Privacy Policy
This Privacy Policy describes how SigmaAxion collects, uses, and protects personal information in connection with the SigmaAxion platform. The platform is an internal operator surface; we do not target consumer users.
1. What we collect
- Account data: email, display name, role, hashed password, MFA secret (encrypted), backup codes (hashed).
- Session data: JWT identifiers, last-login timestamps, IP address, user agent.
- Operator actions: every state-changing request you initiate is logged to an append-only audit log including timestamp, route, response status, and a description of the action.
- Broker credentials: API keys you register are stored encrypted at rest with a Fernet master key that never leaves server memory unencrypted.
- Diagnostic telemetry: server logs, error traces, and latency metrics, which may incidentally contain request-scoped identifiers.
2. How we use it
We use the information to authenticate you, enforce role-based access control, operate and protect the Service, process trading activity you initiate, and meet legal, audit, and recordkeeping obligations.
3. Sharing
We do not sell personal data. We share data only with: (a) service providers that host infrastructure (Railway, our database, Redis, and object storage), (b) trading venues and market-data providers when you route activity to them, and (c) authorities when compelled by valid legal process.
4. Retention
Account and audit data are retained for at least seven years after your access is terminated, to support post-trade review and regulatory inquiries. Session records are retained for twelve months. Diagnostic logs are retained for up to ninety days.
5. Security
- Passwords are hashed with bcrypt.
- Multi-factor authentication (TOTP) is required for privileged roles.
- API keys and TOTP secrets are encrypted at rest with a Fernet master key.
- All traffic is served over HTTPS with HSTS and a strict CSP.
- Administrative actions are rate-limited and logged.
No system is perfectly secure. If you suspect a compromise, contact security@sigmaaxion.com immediately.
6. Your rights
Depending on your jurisdiction, you may have the right to access, correct, or delete personal data we hold about you, subject to legitimate business and legal retention needs. Requests may be directed to privacy@sigmaaxion.com.
7. International transfers
Infrastructure may be located outside your jurisdiction. Where required, we rely on standard contractual clauses or equivalent safeguards for cross-border transfers.
8. Changes
We may update this policy. Material changes will be communicated through the Service.
9. Contact
privacy@sigmaaxion.com