Privacy Policy

1. Introduction

PropStax ("we," "us," "our," or the "Company") respects your privacy and is committed to protecting your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our prop-firm balance and analytics platform at https://app.propstax.com and https://propstax.com (the "Service").

By using the Service, you consent to the data practices described in this Privacy Policy. If you do not agree with this policy, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

Account Information:

• Email address
• Password (stored in encrypted form by AWS Cognito)
• Display name

Prop-Firm Tracking Data:

• Account identifiers from your broker / prop firm
• Account specifications (size, drawdown limits, profit targets, account type)
• Daily balance, equity, and drawdown snapshots
• Trade aggregates (counts, win/loss totals, daily P&L)
• Costs paid (evaluation fees, monthly subscriptions, resets)
• Payouts received from prop firms
• User-applied tags and notes on accounts

Payment Information:

• Billing address (held by Stripe; we do not see card numbers)
• Payment method details processed and stored by Stripe

Communications:

• Support requests and correspondence
• Feedback and survey responses

2.2 Information Collected Automatically

Technical Data:

• IP address (captured when you authorize a broker connection, as part of the consent audit trail)
• Browser type, version, and user-agent string
• Device type and operating system
• Pages visited and features used
• Date and time of access

Cookies and Local Storage:

• Authentication tokens (managed by AWS Cognito / Amplify)
• Preference values such as theme + UI layout

2.3 Information from Third Parties

Broker / Data-Feed Connections:

When you connect a brokerage or prop-firm account, we receive:

• Account identifiers, balances, and risk parameters
• Day-level aggregates of trades + P&L
• Historical balance / drawdown snapshots

This data is provided through broker APIs (including Tradovate, Rithmic, and DxFeed-fronted firms such as MyFundedFutures, The Trading Pit, Taurus Arena, and others) based on the permissions you grant. We access this data in read-only mode: we do not place trades, transfer funds, or have any trading authority over your accounts.

3. How We Use Your Information

We use the information we collect to:

Provide and Improve the Service:

• Create and manage your PropStax account
• Import, store, and display your prop-firm account data
• Calculate balance, drawdown, liquidation buffer, and ROI statistics across your portfolio
• Track payouts received vs. costs paid per prop firm
• Enable user-applied tags + notes for personal organization

Communicate with You:

• Send service-related notifications (account confirmation, payment events, sync issues)
• Respond to support requests
• Notify you of material changes to our policies

Security and Compliance:

• Detect and prevent fraud or unauthorized access
• Comply with legal obligations
• Enforce our Terms of Service

Analytics and Improvements:

• Understand how users interact with the Service
• Identify and fix technical issues
• Develop new features and improvements

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data

4.2 Service Providers

We share information with trusted third-party service providers who help operate the Service:

These providers are bound by contractual obligations to protect your data and use it only for the purposes we specify.

4.3 Legal Requirements

We may disclose your information if required by law or in response to valid requests by public authorities, such as:

• Court orders or subpoenas
• Government agency requests
• To protect our rights, safety, or property

4.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change.

4.5 Aggregated Data

We may share aggregated, anonymized data that cannot reasonably be used to identify you for research or product analytics.

5. Data Storage and Security

5.1 Where We Store Your Data

Your data is stored on secure servers provided by Amazon Web Services (AWS) located in the United States (region us-east-1).

5.2 Security Measures

• Encryption in transit: all data transmitted to and from the Service is encrypted using TLS 1.2 or higher.
• Encryption at rest: DynamoDB tables and S3 buckets storing Service data use AWS-managed encryption (AES-256).
• Broker credentials: OAuth refresh tokens (Tradovate) are encrypted with AWS KMS before storage. Username/password credentials (Rithmic, DxFeed) are sent through the broker API for the duration of one sync and are not persisted on our servers.
• Access controls: production AWS access is restricted to the operator account and logged via CloudTrail.
• Authentication: passwords are hashed and salted by AWS Cognito and cannot be decrypted.

5.3 Security Limitations

While we strive to protect your data, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

6. Data Retention

We retain your personal information for as long as:

• Your account is active
• Necessary to provide the Service
• Required by law or for legitimate business purposes

6.1 Account Deletion

You can delete your account at any time from Settings → Profile → Delete Account. On deletion:

• Your tracking data (accounts, snapshots, costs, payouts, tags) is removed from our primary stores immediately.
• Your Cognito identity is deleted.
• Backups and audit logs may retain copies for up to 90 days before automatic expiration.
• Data required for legal or financial-compliance retention (e.g. invoice records) may persist for the period required by law.

6.2 Raw Broker-Response Storage (Opt-Out Available)

When you authorize a broker sync, we may store the raw API responses from the broker for up to 30 days. We use these for: (a) debugging sync issues when you report them; (b) restoring your data if our canonical pipeline misderives a value; (c) backfilling new fields when we extend the schema.

You can opt out at any time from Settings → Data & Privacy. When opted out, no raw responses are persisted — only the canonical / derived account data is stored. Opting out doesn't delete data already stored under prior consent; that data ages out on the normal 30-day schedule.

7. Your Rights and Choices

7.1 Account Settings

You can access and update your account at any time through Settings, including profile, preferences, connected brokers, billing, and data & privacy.

7.2 Data Access and Portability

You may request:

• A copy of the personal data we hold about you
• Export of your account data in a machine-readable format

7.3 Data Correction

You may correct inaccurate personal information directly in Settings, or contact us at feedback@beta.propstax.com.

7.4 Data Deletion

You may delete your account and associated data through Settings → Profile → Delete Account, or by contacting us.

7.5 Communication Preferences

Service-related communications (security alerts, billing notifications, sync errors) cannot be opted out of while your account is active. Promotional communications, if any, will include an unsubscribe link.

7.6 Cookie Preferences

Most browsers allow you to control cookies through their settings. Disabling authentication cookies will sign you out of the Service.

8. International Data Transfers

If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States, where our servers are located. By using the Service, you consent to this transfer.

9. Rights for Specific Jurisdictions

9.1 European Economic Area (EEA) / UK Residents

If you are located in the EEA or UK, you have additional rights under the GDPR / UK GDPR:

• Right to access: request information about the data we process
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion ("right to be forgotten")
• Right to restrict processing
• Right to data portability
• Right to object to processing based on legitimate interests
• Right to withdraw consent at any time

Legal bases we rely on: contract performance, legitimate interests (security + product improvement), consent (raw-response storage + marketing), and legal obligations.

To exercise these rights, contact feedback@beta.propstax.com.

9.2 California Residents

Under the CCPA / CPRA you have rights to:

• Know the categories and specific pieces of personal information collected
• Delete personal information
• Opt out of sale or sharing (we do not sell or share for cross-context behavioral advertising)
• Non-discrimination for exercising your rights

10. Children's Privacy

The Service is not intended for users under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a person under 18, we will delete it promptly.

11. Third-Party Links

The Service may contain links to third-party websites or services, including connected brokers, our billing pages (hosted at billing.propstax.com and powered by Stripe), and prop-firm portals. We are not responsible for the privacy practices of those third parties. We encourage you to review their privacy policies.

12. Cookies and Tracking Technologies

12.1 Cookies We Use

• Essential: authentication, security, site functionality. Required.
• Preferences: theme, layout, and UI choices. Persistent.

12.2 Third-Party Analytics

We currently do not deploy third-party analytics (Google Analytics, Mixpanel, etc.) on the Service. If that changes, we will update this policy and disclose the providers above.

12.3 Do Not Track

Our Service does not currently respond to "Do Not Track" browser signals.

13. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by:

• Posting the updated policy on this page
• Updating the "Last Updated" date above
• Sending an email notification for material changes (when we have your verified email)

Continued use of the Service after a change is posted constitutes acceptance of the revised policy.

14. Contact Us

Questions, concerns, or requests:

PropStax
Email: feedback@beta.propstax.com
Website: https://propstax.com

15. Summary of Key Points