Privacy Policy
- Status: Human-voice rewrite, pending counsel review.
- Document version: 2026.05.01
- Last updated: 2026-05-01
- Effective date: 2026-05-01
- Data controller: Ikaay Capital Pte Ltd, a private company limited by shares incorporated in Singapore
- Data Protection Officer: dpo@ikaaycapital.com
What this means in plain English: We collect what we need to run your account and bill you, plus a small amount of usage data to keep the Service safe and improve it. We do not sell your data and we do not run advertising trackers. You can ask for a copy of your data, fix it, or delete it.
This Privacy Policy explains what personal data Ikaay Capital collects, why, how we use it, who we share it with, how long we keep it, and what rights you have over it. It covers your use of the Service.
If you only read one section, read section 7 (your rights). If you live in the EEA, the United Kingdom, California, Singapore, or India, the country-specific add-ons in section 11 apply to you.
1. Data we collect
1.1. From you, when you sign up or use the Service
- (a) Account data. Email address, password (hashed; we never see it), display name (optional), country of residence, time zone, language preference.
- (b) Subscription and billing data. Plan tier, billing interval, payment method type and last 4 digits of the card (held by Stripe; we never see the full number), billing address, tax-relevant identifier where required (for example, GST registration in Singapore, GSTIN in India, VAT in the UK/EU), and invoice history.
- (c) Trading-context data you choose to give us. Watchlists, custom symbol lists, alert thresholds, paper-trading positions, accepted-trade flags. We do not require you to tell us what your real broker positions are. If you do tell us, we hold it as trading-context data.
- (d) Communications. Support tickets, contact-form submissions, email replies, in-product feedback.
- (e) Identity-verification data, if we ask for it. When we are required to verify your identity, we may collect government-issued ID and a selfie or address proof. We do not currently apply this to all users; if it applies to you, we will tell you why.
1.2. About your use of the Service
- (a) Usage data. Pages viewed, scans run, signals viewed, alerts triggered, API calls made, features used, errors encountered.
- (b) Device and connection data. IP address, browser type and version, operating system, device type, language, referrer URL, time of access. We use this to detect abuse, prevent fraud, debug, and apply geographic rules.
- (c) Cookies and similar. See cookie_policy.md for the categories and your choices.
1.3. From third parties
- (a) Stripe sends us payment events (succeeded, failed, disputed, refunded). We do not receive your full card number or CVV.
- (b) Email and messaging providers (for example, Postmark for transactional email, Telegram for the bot) confirm delivery, bounce, and unsubscribe.
- (c) Identity-verification providers, where used.
- (d) Fraud and risk providers, where used.
We do not buy contact lists. We do not enrich your profile from third-party data brokers.
2. Why we use it (lawful bases under GDPR / UK GDPR)
- (a) To perform the contract with you. Account, subscription, billing, signal delivery, alerts, and support are all needed to provide the service you bought.
- (b) Legitimate interests. Detecting abuse and fraud, securing infrastructure, debugging, improving the Service, defending and pursuing legal claims. We do not use legitimate interests to send marketing email.
- (c) Consent. Marketing email goes only to subscribers who opted in. You can withdraw consent at any time. Optional analytics cookies require opt-in.
- (d) Legal obligation. Tax records, anti-money-laundering checks, and responses to lawful regulator requests fall here.
3. Who we share it with
We share personal data only with:
- (a) Service providers acting on our instructions: hosting (AWS), payments (Stripe), email and messaging (Postmark, Telegram), error and uptime monitoring, customer-support tooling. Each is bound by a data-processing agreement.
- (b) Group companies of Ikaay Capital, where applicable, on the same restrictions.
- (c) Regulators, courts, or law enforcement where the law requires us to disclose.
- (d) A successor entity if Ikaay Capital is sold, merged, or reorganised. We will tell you if your data is going to be transferred and you may close your account first.
We do not sell personal data and we do not share personal data for cross-context behavioural advertising as those terms are defined under California's CCPA / CPRA. We do not rent contact lists.
4. International transfers
- (a) Ikaay Capital is incorporated in Singapore and runs infrastructure in the United States. Any data you give us is processed in Singapore and the United States.
- (b) For users in the EEA and the United Kingdom, we rely on the European Commission's Standard Contractual Clauses (and the UK addendum) for transfers from the EEA / UK to Singapore and the United States. The current SCCs are Module 1 (controller-to-controller) or Module 2 (controller-to-processor), as applicable, and are available on request from dpo@ikaaycapital.com.
- (c) For users in Singapore, transfers are made on the basis of section 26 of the Personal Data Protection Act 2012 with comparable protection. For users in India, transfers are made consistently with the Digital Personal Data Protection Act 2023.
5. How long we keep it
We keep personal data only as long as we need it for the purposes in this policy, and as the law requires:
- (a) Account data: for as long as you have an account, and for up to 24 months after you close it (to support investigations, defend claims, and meet tax record-keeping rules).
- (b) Billing and tax records: at least 5 years from the end of the financial year, or longer where the law requires.
- (c) Usage and device logs: rolling 13 months.
- (d) Support tickets: 24 months after closure.
- (e) Marketing consent records: as long as the consent is current, plus 24 months after withdrawal (to evidence the withdrawal).
- (f) Backups: rolling 35 days. Backups are not searchable; deletion requests are honoured on the live system immediately and on the backups in due course as backups age out.
We may keep anonymised or aggregated data indefinitely. Anonymised data does not identify you and is no longer personal data.
6. Security
- (a) Passwords are hashed using a current best-practice scheme (bcrypt or Argon2id with a per-user salt). We never store passwords in cleartext.
- (b) All data in transit is encrypted (TLS 1.2+).
- (c) Sensitive data at rest is encrypted in the database.
- (d) Access to production systems is limited to a small number of named engineers, gated by short-lived credentials, and logged.
- (e) We run regular vulnerability scans and review security at least once a year.
- (f) Breach notification. If we discover a breach of personal data that is likely to put your rights and freedoms at risk, we will tell you and the relevant supervisory authority without undue delay (and within 72 hours where GDPR / UK GDPR or comparable regimes apply). Where the risk is high we will tell you directly.
We do not promise security cannot be breached. We promise to design for it not to be, to monitor, to respond, and to tell you when something matters.
7. Your rights
You have the following rights over your personal data, subject to your country's law:
- (a) Access. Get a copy of the personal data we hold about you.
- (b) Correction. Fix data that is wrong or incomplete.
- (c) Deletion. Delete your data, subject to the retention rules above.
- (d) Portability. Get a machine-readable copy of data you gave us.
- (e) Restriction. Limit processing in specific situations.
- (f) Objection. Object to processing based on legitimate interests, including direct marketing.
- (g) Withdraw consent. Where processing is based on consent, you can withdraw at any time without retroactive effect.
- (h) Complaint. Lodge a complaint with your country's supervisory authority. We list the relevant ones in section 11.
- (i) Automated decision-making. Not be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you. We do not use that kind of processing.
To exercise any right, email dpo@ikaaycapital.com from the email on your account, or use the Account → Privacy page where the request can be raised in product. We will reply within 30 days (Singapore PDPA), 30 days (UK / EEA GDPR — extendable to 60 days for complex cases), 45 days (California CCPA — extendable to 90 days), or the period your country's law specifies, whichever is shortest.
We will not charge you a fee for the first request in any 12-month period. Excessive or manifestly unfounded requests may be charged a reasonable fee or refused, with reasons.
8. Children
The Service is not for anyone under 18 (or the age of majority where you live, whichever is older). We do not knowingly collect personal data from children. If you are a parent or guardian and you believe your child has given us data, email dpo@ikaaycapital.com and we will delete it.
9. Marketing
- (a) Transactional email. We send transactional emails — sign-up confirmation, billing receipts, alerts, security notices — without separate marketing consent because you need them to use the Service.
- (b) Marketing email. We send product updates, research notes, and offers only to subscribers who opt in. Every marketing email has an unsubscribe link.
- (c) Telegram and webhook. Channel deliveries are configured by you. Stop them in Account → Notifications.
10. Cookies and similar tracking
- (a) Strictly necessary cookies. Sign-in session, CSRF protection, load-balancing. These run without consent because the Service does not work without them.
- (b) Functional. Theme, language, last-used market view. Run on consent.
- (c) Analytics. Usage analytics for product improvement. Run on consent. We use a privacy-preserving analytics tool (we do not currently use Google Analytics).
- (d) Advertising / marketing. Off by default. We do not currently run any.
The cookie banner gives you the choice. Manage your preferences any time at Account → Privacy → Cookies. See cookie_policy.md.
11. Country-specific add-ons
11.1. European Economic Area and the United Kingdom
- Data controller: Ikaay Capital Pte Ltd. We do not currently appoint an EU representative because we do not target the EEA (no EU-domiciled marketing); when we do, we will publish a representative under Article 27 GDPR.
- Lawful bases: see section 2.
- Supervisory authority: the data-protection authority in your country of residence; for the UK that is the Information Commissioner's Office (https://ico.org.uk/).
- International transfers: SCCs as above.
11.2. California (and other US state laws — Virginia, Colorado, Connecticut, Texas, with comparable rights)
- You have the rights to know, delete, correct, and limit, plus the right not to be discriminated against for exercising them.
- We do not sell personal information and we do not share personal information for cross-context behavioural advertising in the meaning of the CCPA / CPRA.
- "Sensitive personal information" we hold is limited to your account password (hashed), payment method (held by Stripe), and any identity-verification documents (if requested). We do not use sensitive personal information for inferring traits.
- To exercise rights: dpo@ikaaycapital.com. We may verify your identity.
- We do not have actual knowledge of selling personal information of consumers under 16.
11.3. Singapore (PDPA)
- Purposes: to perform the contract with you and meet legal obligations.
- Consent: by signing up you consent to the collection, use, and disclosure for the purposes in this policy. You can withdraw at the cost of being unable to use parts of the Service that depend on the data.
- Data Protection Officer: dpo@ikaaycapital.com.
- Access and correction: to exercise, contact the DPO. We may charge a reasonable fee for access requests as permitted by section 28(3) of the PDPA, with the fee disclosed in advance.
- Complaints: to the Personal Data Protection Commission of Singapore (https://www.pdpc.gov.sg/).
11.4. India (DPDP Act 2023)
- Notice: this policy is the notice required under section 5 of the DPDP Act 2023. It describes the personal data we process, the purposes, the manner of exercising your rights, and the manner of making a complaint to the Data Protection Board of India.
- Consent: for processing that requires consent, we ask for it at sign-up. You can withdraw at any time from Account → Privacy.
- Languages: the consent and notice are available in English. Translations into the languages listed in the Eighth Schedule will follow on a rolling basis. If you need this notice in a specific listed language, email dpo@ikaaycapital.com.
- Children. We do not knowingly process personal data of a child as defined in the DPDP Act.
- Complaints: to the Data Protection Board of India.
- Grievance officer: dpo@ikaaycapital.com.
11.5. Switzerland (FADP)
- The FADP applies in parallel to GDPR for users in Switzerland. We rely on the same SCCs with the Swiss-FADP addendum where appropriate. Supervisory authority: the Federal Data Protection and Information Commissioner.
12. Changes to this policy
We may update this policy. Material changes — including any change that broadens what we collect, who we share with, or how long we keep it — require notice by email at least 30 days before they take effect. Other changes are effective on posting with a new "Last updated" date.
13. Contact
- Data Protection Officer: dpo@ikaaycapital.com
- Postal: Ikaay Capital Pte Ltd, [registered address — published on website footer]
- Security disclosures: security@ikaaycapital.com
Change log
| Version | Date | Change |
|---|---|---|
| 2026.05.01 | 2026-05-01 | Human-voice rewrite. Plain-English intro, contractions, "we / you" voice, headings reworded (e.g. "Retention" → "How long we keep it"). Substance unchanged. Pending counsel review. |
| 2026.04.28 | 2026-04-28 | Initial draft, multi-jurisdiction (GDPR / UK / CCPA / PDPA / DPDP / FADP). |
Pattern provenance
- Section 1 data taxonomy: hybrid of TradingView and Seeking Alpha privacy schemas.
- Section 2 lawful bases under GDPR: standard four-pillar template.
- Section 3 "we do not sell" wording: CCPA-CPRA-compliant explicit denial; modelled on Composer / Glassnode privacy.
- Section 5 retention windows: a moderate posture; tax minimums (5 years SG / IND), 13-month rolling logs, 24-month account-after-close window.
- Section 7 rights catalogue: GDPR + UK GDPR + CCPA + DPDP all overlap on the listed rights; this section covers all four with a single list.
- Section 11.4 DPDP language compliance: post-2025 notice-language requirement is the weakest point — needs translation pipeline before serving Indian retail in volume.
- Cookie taxonomy modelled on Plus500 / TradingView; analytics-on-consent is the EU-strictest interpretation.