PolyWallet
Privacy Policy
Last updated: April 3, 2026

1. Introduction

This Privacy Policy explains how PolyWallet ("we", "us", "our") collects, uses, and protects your information when you use our portfolio tracking service at polywallet.app.

By using PolyWallet, you consent to the data practices described in this policy.

2. Information We Collect

Account information: When you register, we collect your email address, display name, and password (stored as an Argon2 hash — we never store your plaintext password). If you sign up with Google or Discord, we receive your name, email, and avatar from those providers.

Profile information: You may optionally provide a username, timezone, X (Twitter) username, and Twitch username.

Wallet data: You provide Polymarket wallet addresses to track. We fetch publicly available trading data, positions, and balances from Polymarket APIs and public blockchain data for those addresses.

Usage data: We collect IP addresses, user agent strings, and login timestamps for security and rate limiting purposes.

Payment data: Payments are processed by Stripe. We do not store your credit card information. We store your Stripe customer ID and subscription details.

3. How We Use Your Information

  • Provide the Service: Display wallet tracking data, positions, PnL analytics, and trade history
  • Authentication: Verify your identity and maintain your session
  • Security: Detect suspicious logins, enforce rate limits, and maintain audit logs
  • Billing: Process subscriptions and manage your plan
  • Communication: Send account-related emails (verification, password reset, email changes)
  • Improvement: Monitor errors and improve Service reliability

4. Third-Party Services

We share data with the following third parties, only as necessary to provide the Service:

  • Stripe — Payment processing. Subject to Stripe's Privacy Policy
  • Google — OAuth authentication (if you choose to sign in with Google)
  • Discord — OAuth authentication (if you choose to sign in with Discord)
  • Resend — Transactional email delivery (verification, password reset)
  • Sentry — Error monitoring and crash reporting (anonymized)
  • Cloudflare — CDN, DDoS protection, and DNS
  • Polymarket — We fetch publicly available market and trading data from Polymarket APIs

We do not sell your personal information to third parties.

5. Cookies and Sessions

We use server-side sessions (stored in Redis) to keep you logged in. A session cookie is set in your browser to identify your session. This cookie is:

  • HttpOnly (not accessible to JavaScript)
  • Secure (only sent over HTTPS)
  • SameSite=Lax (protects against CSRF)
  • Expires after 30 days of inactivity

We also set a CSRF token cookie for form protection. We do not use tracking cookies or third-party analytics.

6. Data Retention

  • Account data: Retained while your account is active. Deleted upon account deletion (soft-deleted, then permanently removed after 30 days)
  • Trade data: Wallet trading data is retained as long as the wallet is tracked. Removing a wallet does not delete shared trade data that other users may also track
  • Audit logs: Retained for 90 days for security purposes
  • Session data: Automatically expired and cleaned up after 30 days

7. Data Security

We take reasonable measures to protect your data:

  • Passwords are hashed with Argon2 (industry-standard, memory-hard algorithm)
  • All connections use HTTPS via Cloudflare
  • Two-factor authentication (TOTP) is available for additional account security
  • Recovery codes are hashed before storage
  • Database credentials are stored in environment variables, not in code
  • Security headers (CSP, X-Frame-Options, etc.) are enforced on all responses

8. Your Rights

You have the right to:

  • Access: View all data associated with your account in the settings page
  • Correction: Update your profile information at any time
  • Deletion: Delete your account and associated data
  • Export: Export your trade data (premium feature)
  • Revoke sessions: End all active sessions from the settings page

To exercise any of these rights or for data-related requests, contact us at [email protected].

9. Children

PolyWallet is not intended for use by individuals under the age of 18. We do not knowingly collect data from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice on the Service. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For privacy-related questions or concerns, contact us at [email protected].


© 2026 PolyWallet. All rights reserved.