Privacy Policy

Last Updated: January 21, 2026

This Privacy Policy describes how Undertow collects, uses, and protects your personal information when you use our platform.

1. Information We Collect

Account Information

When you create an account, we collect:

  • Email address
  • Password (encrypted)
  • Username/handle
  • Phone number (if you use SMS authentication, optional)

OAuth Authentication

If you sign in with third-party providers (Google, GitHub, Spotify, Apple, Discord, Twitter/X), we receive:

  • Profile information (name, email, profile picture)
  • OAuth provider user ID
  • Information you authorize the provider to share

Usage Information

We automatically collect:

  • Trading activity (markets traded, positions, timestamps)
  • Content submissions and market participation
  • Platform interactions and feature usage
  • Device information and browser type
  • IP address and general location data

Cookies and Tracking

We use cookies to:

  • Maintain your login session
  • Remember your preferences
  • Analyze platform usage
  • Improve user experience

2. How We Use Your Information

We use your information to:

  • Provide and maintain the Undertow platform
  • Process your trades and market participation
  • Authenticate your account and maintain security
  • Send transactional emails (account confirmations, invites, notifications)
  • Calculate leaderboards and user rankings
  • Improve and optimize platform features
  • Prevent fraud, abuse, and unauthorized access
  • Comply with legal obligations
  • Communicate platform updates and changes

3. Information Sharing and Disclosure

We do not sell your personal information. We may share information in the following circumstances:

Public Information

The following information is visible to other users:

  • Your username/handle
  • Your leaderboard ranking
  • Your trading activity on public markets (market positions and trades may be visible)
  • Content you submit to the platform

Service Providers

We share information with trusted third parties who help us operate the platform:

  • Hosting providers (for database and application hosting)
  • Authentication services (NextAuth.js, OAuth providers)
  • SMS providers (Twilio, for phone authentication)
  • Email service providers (for transactional emails)
  • Platform APIs (YouTube, Spotify, Last.fm for metric fetching)

Legal Requirements

We may disclose information if:

  • Required by law or legal process
  • Necessary to protect our rights, property, or safety
  • To prevent fraud or security incidents
  • In connection with a business transfer

4. Data Security

We implement security measures to protect your information:

  • Passwords are hashed using bcrypt
  • HTTPS encryption for data transmission
  • Secure session management with httpOnly cookies
  • Regular security audits and updates
  • Database access controls and authentication
  • Rate limiting to prevent abuse

However, no method of transmission over the Internet is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

5. Data Retention

We retain your information for as long as your account is active or as needed to provide services. Retention periods:

  • Account data: Retained while account is active
  • Trading history: Retained for platform integrity and auditing
  • Logs and security data: Retained for 90 days
  • Deleted account data: Personal identifiers are permanently removed or irreversibly hashed after 30 days; only aggregated, anonymized usage and trading metrics may be retained for analytics and platform integrity and cannot be linked back to you

When we refer to data being anonymized, we mean that it has been processed so that you are no longer identifiable from it, and we do not attempt to re-identify you from such anonymized or aggregated data.

6. Your Rights and Choices

You have the right to:

  • Access your personal information
  • Correct inaccurate information
  • Request deletion of your account and data
  • Export your data (trading history, positions)
  • Opt out of non-essential communications
  • Disable cookies (may affect functionality)

To exercise these rights, contact us via email or through the support options available on the platform. For data export requests, we will provide your data in JSON format within 30 days, including your account information, trading history, positions, and market activity.

7. Children's Privacy

Undertow is not intended for users under 18 years of age. We do not knowingly collect information from children. If we discover we have collected information from a child under 18, we will delete it promptly.

8. Third-Party Links and Services

Undertow integrates with third-party platforms (YouTube, Spotify, TikTok, etc.). These services have their own privacy policies. We are not responsible for their privacy practices.

Third-party services we integrate:

  • YouTube (metric fetching)
  • Spotify (OAuth, metric fetching)
  • Last.fm (metric fetching)
  • Google (OAuth)
  • GitHub (OAuth)
  • Apple (OAuth)
  • Discord (OAuth)
  • Twitter/X (OAuth)
  • Twilio (SMS authentication)

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international data transfers.

10. California Privacy Rights (CCPA)

California residents have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt out of the sale of personal information (we do not sell your data)
  • Right to non-discrimination for exercising CCPA rights

11. European Privacy Rights (GDPR)

European Union residents have rights under the General Data Protection Regulation (GDPR):

  • Right of access to your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing

12. SMS and Phone Authentication Privacy

If you use phone authentication:

  • Phone numbers are stored securely in our database
  • Verification codes are temporary and expire after 10 minutes
  • SMS messages are sent via Twilio (see their privacy policy)
  • We use rate limiting to prevent SMS spam
  • Phone numbers are partially masked in logs for privacy

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Changes will be posted on this page with an updated "Last Updated" date. Continued use of the platform after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us via email or through the support options available on the platform.

Key Privacy Commitments

  • We do not sell your data to third parties
  • Passwords are protected using industry-standard hashing
  • HTTPS encryption protects data in transit
  • You control your data and can delete your account
  • Transparent practices - we clearly explain what we collect and why