Privacy Policy
Last updated: April 2026
1. Data Controller and Scope
PaperTrade Academy (a California-based project, pending formal entity formation) is the data controller for personal data described in this Privacy Policy.
- Controller contact: support@papertradeacademy.com
- Mailing address: PaperTrade Academy Privacy Team, 2261 Market Street #103622, San Francisco, CA 94114, United States.
This Policy explains how we collect, use, disclose, retain, and safeguard personal data when you use PaperTrade Academy (“Service”).
2. Information We Collect
We collect information you provide directly when creating an account and using the Service:
- Account information: display name, email address, and university affiliation (optional).
- Waitlist information: email address submitted on the waitlist form before account creation (invite-only periods).
- Activity data: simulated trades, lesson progress, quiz attempts, streaks, and achievements earned within the platform.
- Billing information: subscription status and payment history (payment card details are handled by Stripe and are never stored on our servers).
- Usage data: pages visited, features used, and interaction events collected for product analytics (see §9).
- Technical data: IP address, browser type, operating system, and device identifiers collected automatically.
3. How We Use Your Information
We use collected information to:
- Operate the platform and deliver core features (trading, lessons, leaderboards).
- Personalize your learning experience and track progress.
- Process subscription payments and manage billing.
- Send transactional notifications (e.g., payment receipts, streak reminders).
- Send waitlist invitations, launch updates, and related onboarding communications.
- Improve the Service through analytics and aggregated usage insights.
- Detect and prevent fraud, abuse, and violations of our Terms of Service.
- Comply with legal obligations.
Data minimization and sensitive data
We limit collection to information that is relevant and reasonably necessary for the purposes above. We do not knowingly request or process special category/sensitive personal data for core Service operations.
We do not sell your personal information to third parties.
4. Legal Bases for Processing (EEA/UK)
If GDPR or UK GDPR applies, we process personal data on one or more of the following legal bases:
- Account and profile data: contract performance (account creation, sign-in, and core platform access).
- Simulated trading, lessons, and progress: contract performance and legitimate interests (product integrity and educational insights).
- Billing and payment records: contract performance and legal obligation (tax/accounting compliance).
- Security and fraud-prevention signals: legitimate interests (platform security, abuse prevention, and incident response).
- Analytics and product telemetry: legitimate interests, or consent where required by local law.
- Waitlist and launch communications: consent and/or legitimate interests depending on message type and jurisdiction.
- Optional promotional emails: consent where required; you can opt out at any time.
5. Processors and Data Sharing
We disclose personal data only as needed to operate the Service and comply with legal obligations.
Service providers (processors)
- Clerk: authentication, session management, and invitation delivery.
- Stripe: subscription billing and payment processing.
- Resend: transactional and service-related email delivery.
- Hosting and infrastructure providers: application hosting, logging, and managed database operations.
Other disclosures
- Legal and regulatory requests: when required by law, legal process, or enforceable government request.
- Business transfers: in connection with merger, acquisition, financing, reorganization, or asset sale.
- Safety and rights protection: to protect users, enforce Terms, and investigate fraud or abuse.
6. Authentication — Clerk
Authentication is handled by Clerk. Your credentials (password, OAuth tokens) are managed entirely within Clerk's secure infrastructure. We store only a reference identifier (Clerk User ID) to link your Clerk identity to your PaperTrade Academy profile. We never store or have access to your password.
During invite-only launches, we also use Clerk to send invitation tickets to waitlist contacts. This processing is limited to invitation delivery and access control.
7. Payments — Stripe
Payment processing is handled by Stripe. When you subscribe to a paid plan, your payment card details are collected and stored by Stripe directly. We receive only subscription status, billing period, and a Stripe customer identifier. Stripe's privacy policy governs how they handle your payment data.
8. Market Data Providers
Simulated market prices are sourced from third-party market data providers. Our current primary provider is Yahoo Finance (via the yahoo-finance2 library), with Finnhub configured as an optional fallback. These connections are server-side only: we send ticker symbols and request metadata upstream, but we do not transmit your account identifiers, email address, or other personal information to these providers. Market data is used exclusively to power the simulated trading environment.
9. Analytics
We use an in-house analytics system to understand how users interact with the Service. Usage data (page views, feature interactions, and performance metrics) is stored in our own database and is not shared with third-party analytics providers. Only opaque user identifiers are recorded in analytics events. Error monitoring is handled via structured server logs; no error data is sent to third-party error-monitoring services.
10. Cookies, Local Storage, and Consent
We use essential cookies and browser storage for session management and authentication (provided by Clerk).
- Essential cookies/storage: required for authentication, security, and core functionality.
- Referral cookie: we may set pt_referrer_id for referral attribution with a 30-day lifetime.
- Additional cookies and similar technologies: if we add non-essential analytics, personalization, or advertising cookies, we will request consent where required before enabling them.
You can configure browser controls for cookies, though disabling essential cookies may impact platform functionality.
We recognize Global Privacy Control (GPC) and similar opt-out preference signals as a request to disable non-essential tracking and sharing where required by applicable law. We also honor browser “Do Not Track” requests for non-essential analytics.
11. Data Retention
We retain personal data only for as long as needed for the purposes described in this Policy, including legal, tax, accounting, and security requirements. Typical retention periods include:
- Account and profile data: for the life of the account plus up to 30 days after a deletion request to complete deletion/anonymization workflows.
- Waitlist data: up to 12 months from collection unless removed earlier at your request.
- Analytics events: up to 24 months, then deleted, anonymized, or kept only in aggregate form.
- Billing and transaction records: up to 7 years, or longer where legally required.
- Security logs and incident records: as long as necessary to detect, investigate, and remediate abuse or incidents.
12. Your Rights
Depending on your jurisdiction, you may have rights regarding your personal data:
- Access: request a copy of personal data we hold about you.
- Correction: request correction of inaccurate or incomplete data.
- Deletion: request deletion of personal data (right to erasure).
- Portability: request an export in a machine-readable format.
- Objection: object to processing for specific purposes.
- Restriction: request restriction of processing in defined circumstances.
- Withdraw consent: withdraw consent for consent-based processing at any time.
To exercise rights, contact support@papertradeacademy.com. We respond within applicable legal timeframes.
13. Automated Decision-Making
We do not use solely automated decision-making that produces legal effects or similarly significant effects on individuals. We may use automated systems for fraud detection, anti-abuse enforcement, personalization, and leaderboard integrity checks, with human oversight for significant account actions.
14. Children's Privacy (COPPA)
The Service is not directed to children. Our Terms of Service require users to be at least 18 years of age. We do not knowingly collect personal information from children under 13 as defined by COPPA.
If you believe a child has provided personal data to us, contact support@papertradeacademy.com. Upon verification, we will delete the data within legally required timeframes.
15. Security and Breach Response
We implement industry-standard security measures including HTTPS/TLS encryption, authentication via Clerk, server-side only access to API keys and secrets, and rate limiting on sensitive endpoints. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
If we become aware of a personal data breach, we will investigate and take reasonable containment and remediation steps. Where required by law, we will notify affected users and regulators within legally required timelines.
16. California Residents (CCPA / CPRA)
If you are a California resident, the CCPA as amended by the CPRA grants specific rights regarding personal information.
Categories collected
As described in §2, we collect identifiers, network activity, commercial information, and limited inferences for purposes described in §3.
Sale or sharing
We do not sell personal information and do not share personal information for cross-context behavioral advertising as those terms are defined by Cal. Civ. Code §§1798.140(ad) and 1798.140(ah). If this changes, we will provide required notice and opt-out tools.
We treat valid Global Privacy Control (GPC) signals as an opt-out request where required by California law.
California rights
- Right to opt out of sale or sharing of personal information.
- Right to know categories and specific pieces of information.
- Right to delete personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to limit use and disclosure of sensitive personal information, where applicable.
- Right to non-discrimination for exercising privacy rights.
- Authorized agents may submit requests with written authorization.
For a full description of California rights and request options, visit our California Data Rights notice.
To exercise California rights, contact support@papertradeacademy.com with subject line “California Privacy Request.”
17. EEA, UK, and International Users (GDPR / UK GDPR)
The Service is operated from the United States. If you access it from the EEA, UK, or Switzerland, your personal data may be transferred to and processed in countries that may not provide an equivalent level of protection under local law.
International transfer safeguards
We implement transfer safeguards for restricted transfers, including the European Commission Standard Contractual Clauses (SCCs), the UK IDTA or UK Addendum, and contractual data protection commitments with processors. Supplementary safeguards include encryption in transit, access controls, and data minimization.
You may request a copy of applicable transfer safeguards (or information about where they are available) by contacting support@papertradeacademy.com.
Supervisory authority rights
EEA and UK residents may lodge a complaint with their local supervisory authority if they believe their data was processed unlawfully.
18. EU and UK Representative
We have appointed representatives for privacy inquiries in the EU and UK:
- EU representative: DataRep, The Cube, Monahan Road, Cork T12 H1XY, Ireland. Email: datarequest@datarep.com
- UK representative: DataRep, 107-111 Fleet Street, London EC4A 2AB, United Kingdom. Email: datarequest@datarep.com
Please include “PaperTrade Academy” in your request subject line.
19. Changes to This Policy and Processing Purposes
We may update this Privacy Policy from time to time. We will notify you of significant changes by updating the “Last updated” date and, where appropriate, by email or in-app notice.
If we materially change the purposes for which we process personal data, we will provide additional notice and obtain consent where required by law.
20. Contact
For privacy-related inquiries or to exercise your rights, contact support@papertradeacademy.com.