Privacy Policy

Last updated: March 23, 2026

Effective date: March 23, 2026

1. Information We Collect

1.1 Information You Provide

• Account information: Email address provided during signup or checkout. We do not collect passwords — authentication is via API key.
• Payment information: Payment processing is handled entirely by Stripe. We do not store, process, or have access to credit card numbers, bank account details, or other payment credentials on our servers. We receive only: Stripe customer ID, subscription status, and transaction metadata.
• Communications: If you contact us via email or Discord, we retain the content of those communications for support purposes.
• Newsletter: If you subscribe to our email list, we store your email address for the purpose of sending edge reports and product updates.

1.2 Information Collected Automatically

• API usage data: Request counts, rate limit usage, and timestamps per API key for service monitoring and rate enforcement. We do not log request parameters, response bodies, or the specific games or signals you query.
• Server logs: IP addresses, user agents, and request paths are recorded in web server access logs for security and debugging. These logs are retained for 14 days and then deleted.
• Session cookies: A session cookie is used for dashboard login persistence. This is a strictly necessary functional cookie, not a tracking cookie.

1.3 Information We Do NOT Collect

• We do not use Google Analytics, Facebook Pixel, or any third-party tracking scripts
• We do not use advertising cookies or cross-site tracking
• We do not collect your name, phone number, physical address, or government ID
• We do not collect information about your trading accounts, positions, or balances on any platform

2. How We Use Your Information

We use the information we collect for the following purposes:

Purpose	Data Used	Legal Basis
Provide the Service	Email, API key	Contract performance
Process payments	Email, Stripe ID	Contract performance
Enforce rate limits	API key hash, request count	Legitimate interest
Send account communications	Email	Contract performance
Send marketing emails	Email (newsletter only)	Consent (opt-in)
Security & fraud prevention	IP, user agent, logs	Legitimate interest
Improve the Service	Aggregate usage metrics	Legitimate interest

3. Data Sharing & Third Parties

We do not sell, rent, trade, or share your personal information with third parties for marketing purposes. We share data only in these circumstances:

• Stripe (payment processing): We share your email with Stripe to process payments and manage subscriptions. Stripe's privacy policy governs their handling of your data.
• Email service provider (transactional email): We use a third-party SMTP provider to send account emails. They process your email address solely for delivery purposes.
• Law enforcement: We may disclose information if required by law, subpoena, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfer: If ZenHodl is acquired or merged, your information may be transferred as part of the transaction. We will notify you via email before your information becomes subject to a different privacy policy.

We do not use any third-party analytics, advertising, or tracking services.

4. Data Retention

Data Type	Retention Period
Account data (email, API key hash)	Duration of account + 30 days after deletion
Rate limit logs	5 minutes (rolling window, auto-deleted)
Web server access logs	14 days
Newsletter subscriptions	Until you unsubscribe
Stripe transaction records	Per Stripe's retention policy (typically 7 years for tax compliance)
Support communications	1 year

5. Cookies & Tracking Technologies

Cookies used:

Cookie	Purpose	Type	Duration
session	Dashboard login persistence	Strictly necessary	30 days

We use no advertising cookies, tracking pixels, social media widgets, or third-party analytics. API access via API key does not use cookies.

Do Not Track: Our Service does not respond to "Do Not Track" (DNT) browser signals because we do not track users across third-party websites in the first place.

6. Data Security

We implement the following security measures to protect your data:

• API keys are stored as irreversible cryptographic hashes (SHA-256). We cannot retrieve your original API key.
• All connections are encrypted in transit via TLS (HTTPS)
• Database backups are performed daily and stored securely
• Access to production systems is restricted to authorized personnel
• Session cookies use secure, HttpOnly, and SameSite attributes

While we implement commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

7.1 All Users

• Access: Request a copy of the personal data we hold about you
• Deletion: Request deletion of your account and associated data
• Correction: Request correction of inaccurate data
• Opt-out: Unsubscribe from marketing emails at any time

7.2 California Residents (CCPA/CPRA)

Under the California Consumer Privacy Act (as amended by CPRA), California residents have additional rights:

• Right to Know: You may request disclosure of the categories and specific pieces of personal information we collect
• Right to Delete: You may request deletion of your personal information, subject to certain exceptions
• Right to Opt-Out of Sale: We do not sell your personal information. No opt-out is necessary.
• Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To exercise your CCPA rights, email admin@zenhodl.net with subject "CCPA Request." We will verify your identity and respond within 45 days.

7.3 European Economic Area Residents (GDPR)

If you are located in the EEA, you have additional rights under the General Data Protection Regulation:

• Data Portability: Receive your data in a structured, machine-readable format
• Restriction: Request restriction of processing in certain circumstances
• Objection: Object to processing based on legitimate interest
• Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Lodge Complaint: File a complaint with your local data protection authority

Our legal bases for processing are detailed in Section 2 above. Data is processed in the United States. By using the Service, EEA users consent to the transfer of data to the US.

8. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected data from a person under 18, we will promptly delete it. If you believe a child has provided us with personal information, please contact us at admin@zenhodl.net.

9. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the US, your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer. We rely on consent as the legal mechanism for cross-border data transfers.

10. Data Breach Notification

In the event of a data breach that compromises your personal information, we will: (a) notify affected users via email within 72 hours of discovering the breach; (b) notify relevant regulatory authorities as required by applicable law; and (c) take immediate steps to contain and remediate the breach.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by: (a) updating the "Last updated" date; (b) emailing active subscribers at least 14 days before material changes take effect; or (c) posting a notice on the Service. Your continued use after the effective date constitutes acceptance.

12. Contact

For privacy-related questions, data requests, or to exercise your rights:

• Email: admin@zenhodl.net
• General support: admin@zenhodl.net
• Discord: discord.gg/zenhodl

We aim to respond to all data requests within 30 days (45 days for CCPA requests).