Privacy Policy

Last updated: May 6, 2026

1. Information You Provide

• Account info: name, email, password (stored as a bcrypt hash), and the timestamp of your 18+ age attestation.
• Profile: username, bio, avatar choice or theme, profile-visibility preference, and notification settings.
• Kalshi API credentials: if you connect a Kalshi account, we store your API key and private key encrypted at rest with AES-256. Only the server can decrypt them, and only to make API calls you’ve authorized.
• Tournament & prediction data: tournaments you create or join, predictions you place (real-money via Kalshi or virtual), portfolio history, and close-position activity.
• AI agent configurations: agent budgets, risk settings, schedules, generated suggestions, and execution logs.
• Tournament chat: messages and emoji reactions you post in tournament chat.
• Contact form & feedback widget: anything you send through the Contact page or the in-app feedback button. The feedback widget also captures the page URL, viewport size, user-agent string, your PostHog session ID, and any UTM source so we can reproduce the issue.

2. Information We Collect Automatically

• Usage analytics: page views, feature interactions, and performance metrics via PostHog. We reverse-proxy PostHog through our /ingest path so analytics traffic stays on our domain.
• Error tracking: uncaught client and server exceptions, including stack traces, are forwarded to PostHog so we can debug crashes. Stack traces may incidentally include the URL or input that triggered the error.
• Device & log data: IP address, browser/OS, timestamps, and server-side request logs, used for security, debugging, and rate limiting.
• Cookies: see Section 7.

3. How We Use Your Information

• To operate, maintain, and improve the Service.
• To authenticate you, personalize your dashboard, and sync Kalshi market and portfolio data on your behalf.
• To compute leaderboard rank, Prediction Quotient (PQ), achievements, and seasonal standings from competition-eligible predictions.
• To send transactional email (password resets, tournament invites, agent suggestion alerts, settlement notices, signup approvals, agent completion summaries).
• To send occasional product updates. You can opt out of non-essential email at any time.
• To detect abuse, fraud, manipulation, multiple accounts, and security threats.
• To respond to support requests you send us.

We do not sell your personal data. We do not use your content, predictions, or agent activity to train AI models. The third-party LLM providers we use (AWS Bedrock with Anthropic Claude and Amazon Nova models) operate under contractual commitments not to retain or train on the data we send.

4. Information You Make Public

PrediktPro has a public competitive layer. By default the following are visible to anyone with the URL, including search engines:

• Your username, avatar, bio, tier, and Prediction Quotient.
• Your leaderboard rank, win rate, P&L, and streak stats.
• Your unlocked achievements and badges.
• Your recent predictions in public, virtual-currency tournaments only. Private tournaments, real-money tournaments, and practice predictions are never shown publicly.
• Auto-generated Open Graph share images for your profile, which include your username, avatar, tier, and headline stats.

You can hide your public profile and leaderboard entries at any time by toggling “Show on public leaderboard and profile” off in Settings. We can’t guarantee how quickly cached copies disappear from third-party search indexes.

5. Information Visible to Other Users

Inside a tournament, other participants can see your username, avatar, predictions in that tournament, portfolio value, and any chat messages or reactions you post. Tournament creators can see participant lists and pending invites. Predictions you place outside tournaments (Direct Real, Direct Practice) are private to you.

6. Service Providers (Sub-processors)

We share data only with vendors needed to run PrediktPro:

• Vercel: web application hosting and edge network.
• AWS (RDS, Lambda, EventBridge, S3): PostgreSQL database, scheduled compute jobs (market sync, leaderboard recompute, AI agent execution), and asset storage.
• AWS Bedrock: hosted LLM inference (Anthropic Claude and Amazon Nova models) for AI agent suggestions, system-agent “takes,” and news summarization.
• Resend: transactional and notification email delivery.
• PostHog: product analytics and error tracking. US cloud destination, accessed via our reverse-proxy path.
• Kalshi: market data and, with your consent, order placement and portfolio sync.
• Perplexity AI & Brave Search: news retrieval feeding AI agent context. We send the topic or event title; we don’t pass your identity.
• cron-job.org: scheduled HTTP triggers for lighter background jobs (bet status sync, news fetch). It receives only an authenticated URL ping.

Each vendor processes data only to provide services back to us, under their own privacy and security commitments.

7. Cookies & Similar Technologies

• session_id: HttpOnly, Secure, SameSite=Lax. Identifies your logged-in session for up to 7 days.
• Theme cookie: remembers your light/dark preference.
• PostHog analytics cookie: a randomized identifier so we can measure feature usage and session continuity. No third-party advertising cookies are set.

We do not use cookies for advertising or cross-site tracking. Most browsers let you block or clear cookies; doing so may sign you out and reset preferences.

8. Data Retention

We keep account data for as long as your account is active. When you delete your account, we delete or anonymize your personal information within 30 days, with the following exceptions:

• Trade and Kalshi-order audit logs may be retained longer for compliance, dispute resolution, and tax-related lookback.
• Aggregated, de-identified statistics (e.g., total tournaments run) may be retained indefinitely.
• Database backups roll off on their normal schedule (typically up to 35 days).
• Records we’re required to retain by law, to enforce our agreements, or to defend against legal claims.

9. Security

We use HTTPS everywhere with HSTS preload, encrypted database connections, AES-256 encrypted storage for Kalshi API keys, bcrypt-hashed passwords, HttpOnly+Secure session cookies, HMAC-signed tokens for one-click admin email actions, role-based access controls, and a strict Permissions-Policy header that disables camera, microphone, and geolocation. No system is 100% secure, but we take safeguarding your data seriously and follow industry best practices.

10. Your Rights

Depending on where you live (e.g., California, EU/UK), you may have the right to access, correct, delete, or export your personal data, and to object to certain processing. You can:

• Edit your profile and notification preferences directly in Settings.
• Hide your public profile and leaderboard entries at any time in Settings.
• Delete your account from Settings or by emailing admin@prediktpro.com from your account address.
• Request a data export by emailing the same address. We respond within 30 days.

We do not sell personal information, so there is no “Do Not Sell” opt-out to honor.

11. Children

PrediktPro is not intended for anyone under 18, and we do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we’ll delete it.

12. International Users

PrediktPro is operated from the United States. If you access the Service from outside the US, you understand that your information will be transferred to, stored, and processed in the US under US law.

13. Do Not Track

Browser “Do Not Track” signals do not have an industry-standard meaning, so we currently treat all sessions the same way. We don’t engage in cross-site tracking either way.

14. Changes to This Policy

We’ll update this page whenever our practices change, and revise the “last updated” date above. For material changes, we’ll notify you in-app or by email.

15. Contact

Questions about privacy? Email admin@prediktpro.com or use the Contact page.