Privacy Policy

Webasy LLC is a Texas limited liability company that operates the Phihelm platform. For privacy questions, reach us at [email protected].

We collect the following categories of information:

• Account information. Email address, username, and bcrypt-hashed password when you create an account.
• Subscription information.Active plan, billing cadence, and the Stripe customer/subscription identifiers that link your account to Stripe’s records.
• Brokerage connection tokens. When you connect a Schwab, Alpaca, or Topstep account, we store the access and refresh tokens the broker issues so the Service can read positions and route orders on your behalf. Tokens are encrypted at rest.
• Trading and market data. Trades you open through the Service, harmonic patterns the engine produces, and aggregated market data we receive from Schwab and Databento.
• Usage information. IP address, browser type, pages visited, and device identifiers, collected through standard server logs and limited first-party analytics.
• Communications. Messages you send to [email protected] or otherwise to us.

We use information to:

• Operate the Service, authenticate you, and route orders to your brokers;
• Process payments and manage your subscription;
• Detect, investigate, and prevent fraud, abuse, or security incidents;
• Communicate with you about the Service (transactional email);
• Improve the Service through internal analytics on aggregated usage;
• Comply with legal obligations and enforce our Terms of Service.

We do not sell your personal information. We share information only with the following recipients, and only as needed:

• Service providers that operate parts of our infrastructure — including our cloud hosting provider, our payments processor (Stripe), and our error and uptime monitoring vendors. Each is bound by confidentiality and data-processing terms.
• Brokerages and market-data providers when you authorize a connection. We send only what is needed to execute the requested action (e.g., order parameters to your broker; symbol subscriptions to Databento).
• Authorities when required by law, subpoena, or court order, and only the minimum information legally required.
• An acquirer, in the event of a merger, acquisition, or sale of assets — subject to the same protections in this Policy.

When you connect a brokerage, we initiate the broker’s OAuth or API-key flow. The broker authenticates you directly — we never see your broker password. We receive only the access and refresh tokens the broker issues. Tokens are encrypted at rest with AES-256-GCM keys derived per-user and are used only to read your positions, write orders you initiate from the Service, and receive fill events.

Per-user data architecture.Market data tied to your account (your positions, your fills, your account balances, your watchlist activity) is processed through your own broker session. The Service’s backend computes analytical signals — patterns, scores, alerts, regime tags — from licensed market-data inputs and broadcasts those derivative outputs to you over an authenticated WebSocket. Raw underlying licensed inputs (raw quotes, raw level-2 book data, raw chain quotes) are not redistributed outside the boundaries permitted by the relevant data-vendor agreements.

You can revoke our access at any time from your broker’s account settings, and you can disconnect a broker from your Phihelm account on the broker-management screen.

Payments are processed by Stripe, Inc. We do not receive your full payment-card number, CVC, or full billing details. Stripe shares with us a customer identifier, the last four digits of the card, the card brand, and high-level event data (subscription created, invoice paid, payment failed) so we can manage your subscription. Stripe’s privacy practices are described at stripe.com/privacy.

The Service uses strictly-necessary cookies for authentication and session state. We do not use third-party advertising or cross-site tracking cookies. See our Cookie Policy for details.

We retain information for as long as needed to operate the Service:

• Account and subscription records: retained while your account is active and for up to seven (7) years after closure for tax and accounting purposes.
• Trade and pattern records: retained for up to ninety (90) days after account closure, then deleted or anonymized.
• Authentication and security logs: retained for up to eighteen (18) months for security-investigation purposes.
• Personal identifiers (email, name, address): erased on verified request as described below, subject to our legal retention obligations.

We use industry-standard safeguards: TLS in transit, encryption at rest for broker tokens, bcrypt-hashed passwords, JWT-based session management with revocation, role-based access control, and routine security review. No system is perfectly secure; we will notify affected users without undue delay if we determine a breach has materially affected them, and as required by applicable law.

Depending on where you live, you may have the right to:

• Access the personal information we hold about you;
• Correct inaccurate information;
• Delete your information (“right to be forgotten”);
• Object to or restrict certain processing;
• Export your information in a portable format;
• Opt out of the sale of personal information (we do not sell it);
• Lodge a complaint with your local data-protection authority.

To exercise any of these rights, email [email protected]. We may need to verify your identity before fulfilling the request and may retain certain information where required by law.

The Service is not directed to children under 18 and we do not knowingly collect information from anyone under 18. If you believe a child has provided us information, contact us at [email protected] and we will delete it.

The Service is operated from the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S., where data-protection law may differ from your jurisdiction. By using the Service you acknowledge this transfer.

We may update this Privacy Policy from time to time. The current version is always available at this URL with the “Last updated” date. Material changes will be announced via email and/or an in-app notice.