Privacy Policy

Grail Sail is an algorithmic trading tool operated as an individual business by Pavel Kebets. Pavel Kebets is the data controller for any personal data collected through the Service.

We take your privacy seriously. This policy explains what data we collect, how we use it, and your rights over it.

For privacy questions, contact us at kebetsp@gmail.com.

Account data — email address and hashed password, collected when you create an account.

Strategy data — the trading rules, indicator settings, and configurations you create and save.

Backtest and signal results — output data from running your strategies, stored so you can review past results.

Billing data — your subscription status and payment method are managed by Stripe. We store only a Stripe customer ID and your subscription status — we never see or store your full card details.

Usage data — anonymised product analytics (pages visited, features used) via PostHog to help us improve the product. No personally identifiable information is included.

We use your data to:

• Operate and improve the Service
• Process your subscription and manage billing
• Send transactional emails (account confirmation, password reset)
• Comply with legal obligations

We do not sell your data to third parties. We do not use your strategy configurations for any purpose other than running the computations you request.

We process your data on the following legal bases: account and strategy data on the basis of contractual necessity (to provide the Service you signed up for); billing data on the basis of contractual necessity and legal obligation; usage analytics on the basis of our legitimate interest in understanding how the product is used and improving it.

We use the following trusted third-party providers to operate the Service:

• Supabase — database and authentication (EU data centre, Ireland)
• Railway — backend hosting
• Vercel — frontend hosting
• Stripe — payment processing
• Resend — transactional email delivery
• PostHog — anonymised product analytics

Each of these providers has their own privacy policy and security practices. Your data is transferred to and stored by these providers in accordance with GDPR and applicable data protection law.

We retain your account data for as long as your account is active. If you delete your account, we delete your personal data and associated strategies within 30 days. Aggregated, anonymised analytics data may be retained indefinitely.

Stripe may retain billing records for the period required by law (typically 7 years).

If you are based in the UK or EU, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — delete your account and associated data via your Account page, or by emailing us
• Portability — request your data in a structured, machine-readable format
• Object — object to processing of your data in certain circumstances
• Complain — lodge a complaint with a supervisory authority. In the UK this is the Information Commissioner's Office (ico.org.uk); in Spain and the EU, your national data protection authority

To exercise these rights, contact kebetsp@gmail.com. We will respond within 30 days.

We use only essential cookies necessary to keep you logged in (session tokens managed by Supabase). We do not use tracking or advertising cookies.

We use industry-standard security practices including encrypted connections (HTTPS), hashed passwords, and row-level security on our database. No system is completely secure — if you discover a security issue, please report it to kebetsp@gmail.com.

We may update this policy from time to time. Material changes will be communicated by email. The "Last updated" date at the top of this page reflects the most recent revision.