Privacy Policy

1. Who We Are

XAUVANT (“we”, “us”, “our”) operates the website at xauvant.com and provides the XAUVANT trading software. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our website or software.

By using our website or software, you agree to the collection and use of information as described in this policy.

2. Information We Collect

2.1 Information you provide directly

Data	When collected	Purpose
Email address	Account registration, purchase, trial request	Authentication, license delivery, support
Payment information	Purchase checkout	Processed directly by Stripe — we receive only a transaction confirmation and customer ID, never card details

2.2 Information collected automatically

Data	When collected	Purpose
Machine identifier	Software activation	Enforcing the 2-machine license limit
API usage count	Each AI analysis call	Rate limiting (300 calls/day per user)
Subscription status and plan	Purchase and periodic re-validation	Controlling Software access
IP address	Website visits and API calls	Standard server logs, abuse prevention
Session tokens	Login	Maintaining your authenticated session

2.3 Trade context data (AI analysis)

When the Software runs the Agent Desk, specialist agents evaluate setups locally on your machine (risk, location, structure, macro, memory). When the Desk Chief is invoked, anonymised market context and agent briefs are sent to the Anthropic Claude API — including signal scores, session type, market regime, volatility data, COT positioning, and similar-trade summaries. This data does not include your email address, identity, account details, or any personal information. It is used solely for generating the trade analysis response.

3. How We Use Your Information

We use the information we collect to:

Authenticate your account and verify your subscription status
Deliver your license and enable Software access
Send transactional emails (purchase confirmation, dashboard login links, authentication emails)
Enforce the 2-machine license limit via machine binding
Apply API rate limits to prevent abuse
Respond to support enquiries
Detect and prevent fraud or unauthorised use
Comply with legal obligations

We do not use your information for advertising, do not build behavioural profiles, and do not sell or rent your personal information to any third party.

4. Third-Party Services

We use a small number of trusted third-party services to operate XAUVANT. Each has its own privacy policy and data handling practices.

Service	Purpose	Data shared
Stripe	Payment processing	Email address, payment card details (handled entirely by Stripe — we never see card data)
Supabase	Authentication and database	Email address, user ID, subscription status, machine bindings, usage counts. Hosted on AWS ap-southeast-2 (Sydney, Australia)
Resend	Transactional email delivery	Email address, email content (purchase confirmation, dashboard link, magic link)
Anthropic	AI trade analysis	Anonymised market context only — no personal data. Subject to Anthropic’s Privacy Policy
Netlify	Website hosting and serverless functions	Standard web server logs (IP address, request paths). Subject to Netlify’s Privacy Policy

We select service providers who maintain appropriate security standards and operate under data processing agreements where required by law.

5. Data Storage and Security

We implement appropriate technical and organisational measures to protect your personal information:

Encryption in transit: All data transmitted between your device, the Software, and our servers is encrypted via HTTPS/TLS
No password storage: We use passwordless authentication (magic link / OTP). No passwords are ever stored
Payment data isolation: Credit card and payment details are handled entirely by Stripe and never pass through or are stored on our systems
Database security: Row-level security is enforced on all Supabase database tables — users can only access their own data
Local cache: The Software stores an encrypted session cache on your device at %APPDATA%\XAUVANT\auth.json. This file contains your session tokens and subscription status but not your password

No security system is impenetrable. While we take reasonable precautions, we cannot guarantee the absolute security of your information. In the event of a data breach that affects your rights or freedoms, we will notify you as required by applicable law.

6. Data Retention

Data type	Retention period
Account and subscription records	Retained while your account is active, and for 2 years after your last purchase or contact with us
Payment and transaction records	Retained for 7 years as required by financial and tax regulations
Machine binding records	Deleted when the associated license expires or is revoked
API usage logs	Rolling 30-day window; older records are deleted automatically
Server access logs	Up to 90 days

You may request early deletion of your account data at any time (see Section 8). Note that deletion of your account will invalidate your license and any remaining subscription time.

7. Cookies and Tracking

Our website uses minimal, functional cookies only:

Authentication session cookies: Set by Supabase to maintain your logged-in state on the dashboard. These are strictly necessary for the service to function and expire when you log out or your session ends
No advertising cookies
No third-party tracking pixels
No analytics platforms (Google Analytics or similar)

Because we use only strictly necessary cookies, we do not display a cookie consent banner. If we introduce optional cookies in the future, we will obtain your consent first.

8. Your Rights

Depending on your location, you may have the following rights regarding your personal information:

Access: Request a copy of the personal data we hold about you
Correction: Request correction of inaccurate or incomplete data
Deletion: Request deletion of your personal data (“right to be forgotten”). Note: deletion will invalidate your license
Portability: Request your data in a structured, machine-readable format
Restriction: Request that we limit processing of your data in certain circumstances
Objection: Object to processing of your data for specific purposes
Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email us at support@xauvant.com. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

If you are located in the European Economic Area (EEA) or the United Kingdom, you have the right to lodge a complaint with your local data protection authority.

9. International Transfers

XAUVANT operates globally. Your data may be processed in countries outside your own, including Australia (Supabase), the United States (Stripe, Resend, Anthropic, Netlify), and other locations where our service providers operate. Where data is transferred outside your jurisdiction, we take steps to ensure it receives an appropriate level of protection in accordance with applicable data protection laws.

10. Children

XAUVANT is not intended for, and does not knowingly collect personal information from, anyone under the age of 18. Trading financial instruments is restricted to adults in most jurisdictions. If we become aware that we have collected data from a person under 18, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at support@xauvant.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For material changes that affect how we use your personal information, we will notify you by email before the changes take effect. Your continued use of the website or Software after any update constitutes acceptance of the revised policy.

12. Contact

For any questions, requests, or concerns about this Privacy Policy or your personal data, please contact us:

Email: support@xauvant.com
Website: xauvant.com

We aim to respond to all privacy-related enquiries within 5 business days.

Contents