AstraEye Labs — Privacy Policy Draft
Attorney review required before public launch. This draft reflects the intended launch posture: AI research SaaS only, informational outputs only, read-only account connections, and no custody.
Effective date: Draft — July 2026
1. Who We Are
AstraEye Labs ("AstraEye", "we", "us") operates an AI-powered research and analytics platform for crypto assets and U.S. equities. This Privacy Policy explains what information we collect, how we use it, who we share it with, and the choices you have. It should be read together with our Terms of Service.
AstraEye Labs is not a broker-dealer, investment adviser, commodity trading advisor, exchange, custodian, bank, tax adviser, legal adviser, or money transmitter. AstraEye Labs does not manage money, custody assets, route orders, execute trades for public users, or hold your funds or assets.
2. Information We Collect
- Account data. Email address, authentication data, multi-factor authentication settings, session and device information used to sign you in and keep your account secure.
- Billing data. Subscription tier, plan and usage state, and payment identifiers. Card payments are processed by our payment provider (Stripe); full card numbers are entered directly with the processor and do not transit our servers.
- Portfolio and account data. Holdings, balances, symbols, quantities, cost basis, and account labels that you enter manually, import by file, or bring in through an account connection you authorize.
- Research and usage data. Research projects, selected templates, analysis types, AI-generated findings, informational research artifacts ("beacons"), feedback, SAGE questions and answers, and usage/metering data.
- Support data. Messages you send to support and our responses.
- Technical data. Logs, error reports, and diagnostic information used to operate, secure, and troubleshoot the platform.
We do not intentionally collect government IDs, Social Security numbers, or full payment card numbers.
3. How We Use Information
We use information to:
- Provide, operate, and secure the platform and your account.
- Generate AI-assisted research, analytics, dashboards, and SAGE answers.
- Process subscriptions, credits, usage limits, and billing.
- Communicate with you (transactional notifications, security alerts, support).
- Monitor, debug, prevent abuse, and improve the service.
- Comply with legal obligations.
We do not sell your personal information.
4. AI Processing
To generate research, summaries, or answers, bounded context may be sent to our AI model providers (currently Anthropic and OpenAI). Depending on the feature, this context may include asset symbols, market data, your portfolio positions and approximate values, prior research artifacts, research-signal statistics, and the questions you ask SAGE.
We design prompts so they should not include passwords, raw session tokens, API secret keys, withdrawal credentials, full payment card data, or sensitive administrative secrets.
5. Market and Reference Data
We fetch market, reference, and on-chain data from third-party data providers and cache it in shared snapshots that power research. These providers receive only outbound reference queries (such as ticker symbols, CIK identifiers, asset identifiers, macroeconomic series IDs, and on-chain queries) — no personal or portfolio data is sent to them.
6. Account Connections (Brokerage, Exchange, and Data Linking)
You may connect accounts so AstraEye Labs can read your portfolio for research:
- Stock brokerages are connected through a read-only data-linking provider (Plaid) that returns holdings and related account data only.
- Crypto exchanges are connected using API keys you create on the exchange. We request read-only access, which is all that is required to sync your portfolio. We do not request or require withdrawal, transfer, or trade permissions.
Any order-placement or execution capability is a separate, optional feature that remains disabled in production unless and until it has been legally approved and separately consented to by you. If a key you create happens to carry broader permissions, AstraEye Labs still never requests or uses withdrawal or transfer permissions and cannot move your funds or assets off your accounts. We do not custody your funds or assets.
Any API keys, credentials, or access tokens you provide are stored encrypted at rest, are never exposed to your browser or to AI prompts, and are used only to read your portfolio and to operate the features you explicitly enable.
7. Service Providers / Sub-Processors
We share information with service providers that host and operate the platform, strictly to provide the service. These may include, without limitation:
- Amazon Web Services (AWS) — cloud hosting, storage, databases, and transactional email (SES).
- Stripe — payment processing and subscriptions.
- Anthropic and OpenAI — AI model inference (and OpenAI for spoken-audio replies).
- Plaid and connected brokerages / exchanges — account linking and read-only portfolio data (only when you connect them).
- Sentry — error monitoring.
- Market/reference data providers (e.g., Polygon.io/Massive, Financial Modeling Prep, FRED, SEC EDGAR, CoinGecko, Bitquery) — which receive only reference queries, not personal data.
A current list of providers and the categories of data involved is maintained in our internal sub-processor documentation and will be published as required.
We may also disclose information to comply with law, enforce our Terms, or protect the rights, safety, and security of our users and the platform, and in connection with a business transfer (merger, acquisition, or sale of assets).
8. Data Storage, Security, and Location
Data is stored with our cloud infrastructure provider (AWS, U.S. region). Sensitive secrets — including any stored account credentials — are encrypted at rest, and data is transmitted over encrypted connections. No online service can guarantee perfect security; you acknowledge the inherent risks of transmitting and storing data online.
9. Data Retention
We retain information for as long as your account is active and as needed to provide the service, comply with legal obligations, resolve disputes, and enforce our agreements. Certain research artifacts and logs may be retained on a defined schedule. We delete or de-identify information when it is no longer needed for these purposes.
10. Your Choices and Rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete your personal information, and to object to or restrict certain processing. You can manage much of your data in the product (for example, account settings, notification preferences, and disconnecting account connections). To make a request, contact us using the details below. We will respond consistent with applicable law.
11. Cookies and Sessions
We use strictly necessary cookies and similar technologies to keep you signed in, remember preferences, and secure the platform (including protection against cross-site request forgery). We do not use third-party advertising cookies.
12. Children
AstraEye Labs is not directed to children and is intended for users who are 18 or older. We do not knowingly collect personal information from children.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated as required by law, and the "Effective date" above will be updated.
14. Contact
Questions or privacy requests may be sent to: