Privacy Policy

Effective 2026-04-26

This Privacy Policy explains what data Kite Agent Hub ("KAH") collects, how it is used, and the controls you have over it. By using KAH you agree to this policy along with our Terms of Service.

1. Account Data

When you register we store your email, a Bcrypt-hashed password, the date and time you accepted the Terms (accepted_terms_at), and any optional profile fields you provide. Passwords are never stored in plaintext.

2. Workspaces & Trade Data

Each workspace owns its own agents, trades, and broker credentials. We store:

• Agent metadata (name, type, status) and a generated API token used to authenticate agent calls.
• Trade records (symbol, side, action, quantity, fill price, status, realized P&L, timestamps, and any platform order IDs).
• Optional Kite chain attestation hashes for settled trades.

3. Wallets & On-Chain Data

Trading agents may be assigned a wallet address. Wallet addresses are public chain identifiers; transactions broadcast through them are visible on the underlying blockchain. Private keys are encrypted at rest and never exposed through the API.

4. Broker Credentials & API Tokens

Broker API keys (Alpaca, Kalshi, Polymarket, OANDA, etc.) are encrypted at rest using AES-256-GCM with keys derived from server-side secrets. They are decrypted in memory only at the moment a trade is dispatched. Agent API tokens are scoped to a single agent and can be rotated or revoked from the dashboard.

5. Kite Collective Intelligence (KCI)

KCI is workspace opt-in and disabled by default. When a workspace opts in, KAH stores anonymized, bucketed trade outcome features in a shared learning table:

• HMAC-SHA256 source hashes (org and trade) keyed off a dedicated server-side salt — one-way, not reversible to your account.
• Agent type, platform, market class, side, action, terminal status, outcome bucket (profit / loss / flat / cancelled / failed).
• Bucketed notional and hold-time windows.
• The week the trade was observed.

KCI never stores raw user IDs, agent IDs, organization IDs, exact trade IDs, raw chat content, broker credentials, API tokens, raw strategy text, or free-form trade reasons. Disabling KCI for a workspace immediately stops future contribution and purges that workspace's prior anonymized contributions via the org hash. KCI is decision-support context, not financial advice, and does not guarantee profit.

6. Cookies & Sessions

We use a single signed session cookie to keep you logged in. We do not use third-party advertising cookies. Theme preference (light / dark) is stored in localStorage on your device.

7. Email

We use email only to verify accounts, deliver login instructions, and send security or platform notifications. We do not sell or rent your email address.

8. Third Parties

Trades are routed to third-party broker APIs (Alpaca, Kalshi, Polymarket, OANDA) and on-chain venues at your direction. Their privacy practices govern any data they receive. We do not share your account data with third parties for marketing.

9. Your Controls

• Disconnect a broker at any time from the API Keys settings page.
• Rotate or delete an agent (and revoke its token) from the Agents settings page.
• Toggle KCI on or off per workspace at any time.
• Request account deletion via the support channel; we will remove your account data and purge any KCI contributions tied to your workspace.

10. Changes

We may update this Privacy Policy. The "Effective" date above tracks the most recent change. Continued use of KAH after an update constitutes acceptance.