Privacy Policy
PA Tracker — last updated 2026-04-21
What we collect
- Account credentials — email, password (hashed by Firebase Auth), optional Google sign-in identifier, optional Apple sign-in identifier.
- Profile information — first name, last name, optional Discord handle (you provide these in Settings).
- Broker credentials you connect (Rithmic / Tradovate) — stored AES-256-GCM encrypted at rest.
- Trading data we pull from your broker on your behalf — balances, PnL, payouts, positions, account metadata.
- Classification metadata you provide — firm name, phase, algo company, algo name.
- Payout proof screenshots — when you upload a payout screenshot in the mobile app, it is stored in Firebase Storage and linked to your account.
- Device identifiers — push notification token (only when you enable notifications), device model/OS version (sent by the Expo Updates client when checking for over-the-air app updates).
- Communication preferences — marketing opt-in, notification settings.
- Basic operational logs — timestamps of your sign-ins, API calls (for security + debugging).
What we don’t collect
- We don’t fingerprint your device or track you across the web.
- We don’t run ad-tech or data-broker integrations.
- We don’t read or modify trades; we only read balance state.
What becomes public
Nothing — unless you opt into the public scoreboard. If you opt in, your handle, display name, firm, algo metadata, verified PnL, and outcomes (wins, losses, blown accounts) are published. This is all-or-nothing by design: the scoreboard’s integrity depends on disclosure being complete rather than cherry-picked. You can revoke public status any time from Settings.
Where your data lives
- Authentication + live data: Firebase (Google Cloud, US regions).
- Broker connection engine: Vultr Dedicated, Chicago.
- Encrypted daily backups: Backblaze B2, 30-day retention.
Deletion + archival
When you delete your account from Profile, your Firebase Auth record is permanently removed, your public handle is released, and your private data is moved to an archival path with your identity preserved for potential restore if you return. Blown-account events you contributed to the scoreboard are anonymized: your uid is stripped, but the firm + algo + outcome aggregate stays to preserve the industry-wide transparency signal. If you want your archived data purged outright, email security@pa-tracker.com.
Third parties that can see your data
- Firebase (Google) — authentication + database + file storage hosting.
- Apple (Sign in with Apple) — used only if you choose Apple as your sign-in method. Apple passes your hashed identifier to us; your name and email are optional and may be relayed via @privaterelay.appleid.com.
- Cloudflare — network layer + DDoS protection.
- Expo / EAS Updates — the mobile app’s update client contacts Expo’s servers to check for over-the-air app updates. Your device model and OS version are sent as part of this check.
- Your broker (Rithmic / Tradovate) — we use your credentials to request your data from them on your behalf.
- Netlify — static site hosting for the web app.
- We do not share your data with advertisers, data brokers, or analytics vendors.
Security
Broker credentials are encrypted at rest with AES-256-GCM using a per-deployment key. Authentication uses Firebase Auth (industry-standard hashed password + optional Google or Apple SSO). Connections to our engine are gated by signed Firebase tokens. The VPS running the engine requires key-based SSH only. Daily backups are encrypted and stored off-host with 30-day ransomware recovery retention. The full incident-response playbook and security.txt are published at /.well-known/security.txt.
Marketing opt-in
You can opt into product updates at signup or from Settings. We use these to announce features, outages, and beta-to-public transitions. You can opt out at any time. We do not share your email with third parties.
Your rights
You can view all data we hold about you via Settings → Export My Data. You can delete your account at any time from Profile. For GDPR/CCPA-style data requests that go beyond these self-serve options, email security@pa-tracker.com.
Relationship to Oracle Algorithms
PA Tracker is built by the team behind Oracle Algorithms. Your PA Tracker data is stored in an isolated Firebase project and not automatically shared with Oracle. A cross-system import exists if you later sign up for Oracle and explicitly consent to transferring your PA Tracker data over.