Privacy Policy
Effective: 2026-04-05
Privacy Policy
Effective Date: April 5, 2026
This Privacy Policy describes how System R AI LLC ("System R AI," "we," "us," or "our") collects, uses, stores, and protects your information when you use the System R platform, including our web application, desktop application, command-line interface, APIs, and related services (collectively, the "Service"). This policy applies to all users of the Service, regardless of how they access it.
By using the Service, you consent to the data practices described in this policy. If you do not agree with any part of this policy, you must not use the Service.
1. Information We Collect
We collect the following categories of information:
Account Information: When you create an account, we collect your name, email address, and password (hashed, never stored in plaintext). If you register using a third-party authentication provider (such as Google or GitHub), we receive your name, email address, and profile identifier from that provider.
Workspace Data: The Service allows you to create workspaces containing broker connections, trading strategies, portfolio configurations, chat conversations, notes, and other user-generated content. We store this data to provide the Service and make it available to you across sessions and devices.
Usage Data: We collect information about how you use the Service, including features accessed, commands executed, AI model invocations, tools used, timestamps of activity, session duration, and interaction patterns. This data is used to operate the billing system, improve the Service, and diagnose technical issues.
Technical Data: When you access the Service, we automatically collect technical information including your IP address, browser type and version, operating system, device type, screen resolution, time zone, and referring URL. For the desktop application and CLI, we collect the application version, operating system version, and error reports.
Billing Data: We collect billing-related information including your payment method details (processed and stored securely by Stripe, our payment processor), transaction history, credit balance, usage records, and cryptocurrency wallet addresses used for payments. We do not store full credit card numbers on our servers.
What We Do NOT Collect:
- We do not collect your broker account passwords. Broker connections use API keys with permissions you control.
- We do not collect your Social Security number, government ID, or tax identification numbers.
- We do not collect biometric data.
- We do not collect information from your contacts, camera, microphone (except when you explicitly use voice features), or other device sensors.
- We do not read, scan, or access files on your device outside of the Service.
- We do not collect data from third-party social media accounts unless you explicitly connect them.
2. How We Use Your Data
We use the information we collect for the following purposes:
Providing the Service: Your account information, workspace data, and technical data are used to operate the System R platform, authenticate your sessions, deliver features, execute your requests, and maintain your workspaces and configurations across sessions.
Billing and Payments: Your usage data and billing data are used to calculate charges, process payments, maintain your credit balance, generate invoices, and prevent fraud. Usage records are maintained for billing accuracy and dispute resolution.
Essential Notifications: We use your email address to send account-related communications, including account verification, password resets, billing alerts (low balance warnings, payment confirmations), security notifications (login from new device, suspected unauthorized access), and important service announcements (scheduled maintenance, Terms of Service changes).
Anonymized Analytics: We aggregate and anonymize usage data to understand how the Service is used, identify areas for improvement, monitor system performance, and plan capacity. Anonymized data cannot be traced back to individual users.
We do NOT sell your personal data. We have never sold user data, and we have no plans to do so. We do not share your data with third parties for their marketing or advertising purposes. We do not monetize your data in any way other than providing the Service you have signed up for.
We do NOT use your data for targeted advertising. We do not serve ads in the Service, and we do not share your data with advertising networks, data brokers, or ad technology companies.
3. AI Model Data Usage
The Service uses artificial intelligence models from Anthropic (Claude, accessed via AWS Bedrock) and OpenAI (GPT, accessed via Azure OpenAI) to power natural language interaction, market analysis, and other features.
Your data is NOT used to train AI models. When the Service sends your prompts, workspace context, or trading data to AI providers for processing, those transmissions are governed by enterprise service agreements with AWS and Microsoft Azure. Under these agreements:
- Your prompts and data are processed to generate responses and are not retained by the AI provider beyond the immediate processing window.
- Your data is not used to train, fine-tune, or improve the AI provider's foundation models.
- Your data is not accessible to other customers of the AI provider.
- Your data is not used by the AI provider for any purpose other than generating the response to your specific request.
Per-workspace isolation ensures that data from one workspace is not mixed with or accessible from another workspace when interacting with AI models. Each AI conversation maintains its own context boundary aligned with the workspace it belongs to.
We may use anonymized, aggregated patterns (such as which features are most commonly used or which types of queries are most frequent) to improve how the Service interacts with AI models. This anonymized data contains no personally identifiable information, trading data, or portfolio details.
4. Broker Data
When you connect a brokerage or exchange account to the Service, you provide API keys or credentials that allow the Service to interact with your broker's API on your behalf. We treat broker connection data with the highest level of sensitivity.
Encryption: Your broker API keys are encrypted using AES-128-CBC (Fernet) encryption before being stored. Keys are encrypted per-agent using a deterministic key derivation process. Broker credentials are never stored in plaintext at any point in the system, whether in databases, logs, caches, or backups.
Temporary Cache: During active use, decrypted broker credentials may be held in memory temporarily to facilitate API calls to your broker. These in-memory credentials are cleared when your session ends or the service restarts. They are never written to disk in decrypted form.
No Sharing: Your broker API keys and credentials are never shared with any third party. They are used exclusively to communicate with the specific broker or exchange you have connected. We do not aggregate, analyze, or monetize the data retrieved from your broker accounts.
Your Responsibility: You are responsible for configuring appropriate permissions and restrictions on the API keys you provide. We recommend using the minimum permissions necessary for the features you intend to use, and restricting API keys by IP address where your broker supports it. You should regularly rotate your broker API keys and revoke any keys you no longer use.
Portfolio Data: Trading data retrieved from your broker (positions, orders, balances, transaction history) is cached temporarily to provide the Service's analysis and monitoring features. This data is stored within your workspace and is subject to the same encryption and access controls as all other workspace data.
5. Data Storage and Security
All Service data is stored on infrastructure hosted by Amazon Web Services (AWS) in the US-East-1 (N. Virginia) region. We use the following security measures to protect your data:
Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher. This applies to web, desktop, CLI, and API access. Connections using older, insecure protocols are rejected.
Encryption at Rest: All data stored in our databases and file systems is encrypted at rest using AWS-managed encryption keys. This includes account data, workspace data, chat history, and all other stored information.
Database Security: Our primary database (Supabase/PostgreSQL) enforces Row-Level Security (RLS) on all public tables. RLS policies ensure that database queries can only access rows belonging to the authenticated user, providing an additional layer of data isolation at the database level.
Access Controls: Access to production systems and databases is restricted to authorized personnel only, using multi-factor authentication and role-based access controls. We follow the principle of least privilege, granting only the minimum access necessary for each role.
Monitoring: We monitor our infrastructure for security events, unauthorized access attempts, and anomalous behavior. Security logs are retained for analysis and incident response.
Incident Response: In the event of a data breach or security incident, we will notify affected users by email within 72 hours of confirming the breach, in accordance with applicable law. Notification will include the nature of the incident, the data affected, and the steps we are taking in response.
No system is perfectly secure. While we implement industry-standard security measures, we cannot guarantee absolute security of your data. You are responsible for maintaining the security of your account credentials and your devices.
6. Data Retention
Active Accounts: We retain your account data, workspace data, and usage history for as long as your account is active and as needed to provide the Service.
Account Deletion: If you close your account or request deletion, we retain your data for 30 days following the deletion request. During this period, you may contact us to recover your account and data. After 30 days, your data is permanently and irreversibly deleted from our active systems and databases.
Chat History: Your chat conversations with AI models are stored within your workspaces. You can delete individual conversations or entire chat histories at any time through the Service. Deleted chat data is removed from our active systems promptly.
Billing Records: We retain billing and transaction records for a minimum of 7 years after the transaction date, as required by applicable tax and financial record-keeping laws. These records include transaction amounts, dates, payment methods (masked), and usage summaries. Billing records are retained even after account deletion.
Backups: Our backup systems may retain copies of your data for a limited period (up to 30 days) after deletion from active systems. Backups are encrypted and access-restricted. Data in backups is overwritten as backup cycles complete.
Anonymized Data: Anonymized, aggregated data that cannot be used to identify you may be retained indefinitely for analytics, research, and service improvement purposes.
7. Your Rights
You have the following rights regarding your personal data:
Right to Access: You may request a copy of the personal data we hold about you. We will provide this data in a commonly used, machine-readable format (such as JSON or CSV) within 30 days of your verified request.
Right to Deletion: You may request that we delete your personal data. Upon receiving a verified deletion request, we will delete your data from active systems within 30 days, subject to the retention requirements described in Section 6 (billing records and legal obligations).
Right to Correction: You may update or correct your account information at any time through the Service settings. If you need to correct data that is not editable through the Service, contact us at ashim@systemr.ai.
Right to Data Portability: You may export your workspace data, chat history, and configuration through the Service's export features or by requesting a data export from us.
Right to Opt Out of Non-Essential Communications: You may opt out of non-essential email communications (such as product updates and feature announcements) at any time using the unsubscribe link in those emails or by updating your notification preferences in the Service. You cannot opt out of essential account and security notifications.
To exercise any of these rights, contact us at ashim@systemr.ai with your request. We may need to verify your identity before processing your request. We will respond to all verified requests within 30 days.
If you are a resident of California, the European Economic Area, the United Kingdom, or another jurisdiction with specific data protection laws, you may have additional rights. Contact us for information specific to your jurisdiction.
8. Cookies and Tracking
The Service uses cookies and similar technologies in a limited and transparent manner.
Essential Cookies: We use session cookies that are strictly necessary for the Service to function. These cookies maintain your authentication state, remember your active workspace, and ensure the security of your session. These cookies are required and cannot be disabled without losing access to the Service.
No Third-Party Advertising Cookies: We do not use third-party advertising cookies, tracking pixels, or retargeting technologies. We do not serve ads in the Service, and we do not allow third-party ad networks to place cookies or trackers through our platform.
No Retargeting: We do not track your browsing activity across other websites. We do not use retargeting or remarketing technologies to show you ads on other platforms based on your use of the Service.
Analytics: We may use anonymized, first-party analytics to understand Service usage patterns. This data is collected and processed by our own systems, not by third-party analytics services. It does not include personally identifiable information.
Local Storage: The desktop application and CLI may store configuration data, authentication tokens, and cached data on your local device. This data remains on your device and is not transmitted to our servers except as necessary to operate the Service.
9. Third-Party Services
The Service relies on the following third-party service providers to operate. Each provider receives only the minimum data necessary to perform its function:
Amazon Web Services (AWS): Cloud infrastructure hosting, database services (via Supabase on AWS), AI model access (Anthropic Claude via AWS Bedrock), caching (ElastiCache), and content delivery. AWS processes data in the US-East-1 region under our enterprise agreement.
Stripe: Payment processing for credit and debit card transactions. Stripe receives your payment card details, billing address, and transaction amounts. Stripe's handling of your payment data is governed by Stripe's Privacy Policy and PCI DSS compliance. We do not store full card numbers on our servers.
Anthropic (via AWS Bedrock): AI model provider for Claude. Prompts and context data are sent to Anthropic's models through AWS Bedrock's enterprise API. Under our agreement, this data is not used for model training and is not retained beyond the processing window.
OpenAI (via Microsoft Azure): AI model provider for GPT models and voice services. Prompts, context data, and voice audio (when using voice features) are sent to OpenAI's models through Azure's enterprise API. Under our agreement, this data is not used for model training and is not retained beyond the processing window.
We may add or change third-party service providers as the Service evolves. We will update this policy to reflect material changes in our third-party provider relationships. We require all third-party providers to maintain appropriate security measures and to process your data only as instructed by us.
10. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, you must not create an account, use the Service, or provide any personal information to us.
If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete that information from our systems and terminate the associated account. If you believe that a child under 18 has provided personal information to us, please contact us immediately at ashim@systemr.ai.
The age restriction of 18 applies regardless of the age of majority in your jurisdiction. Trading financial instruments involves significant risk and complexity that is not appropriate for minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or the features of the Service. When we make material changes to this policy, we will:
- Post the updated policy on our website with a revised effective date
- Notify you by email at the address associated with your account at least 15 days before the changes take effect
- Provide a summary of the material changes in the notification
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you must stop using the Service before the updated policy takes effect and may request deletion of your data as described in Section 7.
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. The date of the most recent revision is always indicated at the top of this policy.
Previous versions of this Privacy Policy are available upon request by contacting ashim@systemr.ai.
Contact
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact us at:
System R AI LLC 7901 4TH ST N, STE 28529 ST PETERSBURG, FL 33702
Email: ashim@systemr.ai
For data access, deletion, or portability requests, please include your registered email address and a clear description of your request. We will respond within 30 days.
This Privacy Policy was last updated on April 5, 2026.