Privacy Policy
Effective: April 26, 2026 · Version 2026-04-26-v4
1. Who We Are
SGAOptions Trader is operated by Visionkraft Consulting (“we,” “us,” “our”). This Privacy Policy describes what information we collect when you use the Service, how we use it, and the choices you have. Reach us via the Contact us page.
2. Information We Collect
We collect the following categories of information:
- Account information. When you sign in via SGA Central Auth (auth.sgatrader.com), we receive your email address, display name, role, and subscription tier.
- Broker connection data. When you connect a brokerage account via OAuth, we receive an access token, a refresh token, the broker account identifier, the OAuth scopes granted, and whether the account is paper or live. Tokens are encrypted at rest using pgcrypto symmetric encryption with a key that is not exposed to the browser.
- Brokerage activity (read-only). While your connection is active, we read your account balances, positions, and order history from the broker to render dashboards and to compute mirrored-trade sizing. We do not store full transaction history beyond what is required for audit and reconciliation.
- Mirrored-trade audit log. Every order the Service places in your account is logged with timestamp, symbol, side, quantity, fill price, and the lead trade it mirrored. Logs are retained as described in Section 7.
- Operational metadata. Authentication events, copy-enable toggles, terms-of-service acceptances, IP address, and user agent at the time of acceptance.
3. How We Use Information
We use the information described above to:
- Authenticate your sessions and enforce role-based and tier-based access.
- Place mirrored trades in your brokerage account at your direction.
- Display your accounts and positions to you on the dashboard.
- Maintain audit logs for compliance and operational troubleshooting.
- Detect and respond to security incidents, abuse, and unauthorized access.
We do not use your information to train machine-learning models, to build advertising profiles, or for any purpose unrelated to operating the Service.
4. How We Share Information
We do not sell your personal information. We do not share your information with third parties for marketing. We share information only as follows:
- Brokers (Alpaca, Tradier). When the Service places an order, that order is sent to your broker. The broker sees your account identifier, the order details, and our application's OAuth credentials.
- Infrastructure providers. We use DigitalOcean to host the Service and PostgreSQL to store data. These providers do not access user data in the ordinary course.
- Legal & safety. We may disclose information if required by law, subpoena, court order, or to protect the rights, property, or safety of users or others.
5. Encryption & Security
OAuth tokens are encrypted at rest in our PostgreSQL database using pgp_sym_encrypt with a key stored only in server-side environment files. Database connections between droplets travel over a private VPC and are restricted by firewall to specific source IPs. We use HTTPS for all client connections. Access to production servers is restricted to the operator.
No system is perfectly secure. If we become aware of a security incident affecting your data, we will notify you in a reasonable timeframe consistent with applicable law.
6. Your Choices
- Disconnect a broker. Use the Connections page to disconnect an Alpaca or Tradier account. Disconnection revokes the OAuth token at the broker and stops further mirroring.
- Delete your account. Use our Contact us page to request deletion. We will delete connection data, encrypted tokens, and session data within 30 days, retaining only what is required for audit, legal, or tax purposes.
- Request a copy of your data. Reach us via the same Contact us page.
7. Retention
We retain account, connection, and trade-audit data while your account is active and for up to seven (7) years thereafter to comply with financial-records retention practices. Encrypted OAuth tokens for disconnected broker accounts are wiped within 30 days of disconnection. Authentication audit logs are retained for one (1) year.
8. Children
The Service is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us information, contact us and we will delete it.
9. Cookies
We use first-party session cookies only (NextAuth session, OAuth state). No tracking, analytics, or advertising cookies. See /cookies for details.
10. State Privacy Rights
Depending on where you reside, you may have additional rights including the right to know, the right to delete, the right to correct, and the right to opt out of the sale of personal information. To exercise these rights, contact us at the email address above.
11. International Users
The Service is hosted in the United States. By using it from outside the U.S., you consent to the transfer of your information to the U.S. We do not currently target users in jurisdictions that require additional protections such as the EU/UK GDPR; if you reside in such a jurisdiction, please do not use the Service until we have addressed those requirements.
12. Changes to This Policy
We may update this Policy. The current version is shown by its effective date at the top. Material changes will be communicated to active users.