Trust & disclosures

How we handle your data, money, and trust.

Star Algorithm is in invite-only alpha. This page is the long-form answer to the questions any serious operator asks before pointing real capital at a platform: where the data lives, how the gate is held, and what the platform is — and is not — accountable for.

Data & privacy

What we store, what we don't, and where it lives.

Where your data lives

Trading data is stored in Supabase Postgres with row-level security enforced per user. The user-scoped tables are: trading_paper_trades, trading_paper_portfolio_history, trading_live_trades, trading_price_alerts, and trading_events. Every row carries user_id and is reachable only by the authenticated owner — there is no shared-tenant query path.

What we collect

  • Your account email (the only required PII).
  • Broker connection metadata — adapter name, account id, last sync timestamp. Not broker credentials.
  • The trades and strategy decisions you generate while using the platform.

What we don't collect

  • Any PII beyond your email.
  • Third-party analytics on the dashboard.
  • Session replay, mouse-movement, or behavioural tracking.
  • Marketing or advertising pixels.

Cookies

The dashboard sets exactly two cookies: the Supabase auth session cookie, and a tb_theme preference cookie for the light / dark / system theme toggle. No others. No third-party cookies are loaded.

Security posture

How the gate is held.

Authentication

Email + password and Google OAuth, both routed through Supabase Auth. Sessions are JWTs issued by Supabase and verified on every FastAPI request via the require_user dependency.

Row-Level Security

Every user-scoped table enforces auth.uid() = user_id for both read and write through Postgres RLS policies. A leaked anon key cannot read another user's rows because the database itself enforces ownership — not just the application layer.

In transit

All API calls are TLS. JWT tokens are signed HS256 with a secret that is rotated per environment (sim / paper / live each carry their own).

At rest

Database is Supabase-managed; their security model applies (SOC 2 Type II, AES-256 at rest, encrypted backups).

Broker credentials

Never stored. Broker API keys live in operator- provided environment variables on the host running the platform. The platform reads them at runtime to place orders on your behalf — it does not persist them, sync them to the database, or transmit them off-host.

Trading disclaimers

Sim, paper, and live — what each mode actually does.

Sim mode

Synthetic capital against historical or live market data. No real orders are placed. No broker side-effects. Sim is for development, backtesting, and forward-testing strategy behaviour.

Paper mode

Live market data with simulated capital. No real orders. No broker side-effects. Paper is for confirming a strategy survives realistic market conditions without risking funds.

Live mode

Real orders against real money. Booting the API in live mode requires LIVE_TRADING_CONFIRMED=I_UNDERSTAND in the environment, plus a per-broker *_LIVE flag for each adapter you intend to use. Both gates are checked at process start — the platform refuses to boot in live mode without explicit operator confirmation.

Past performance

Past performance does not guarantee future results. Backtest, paper, and live results are descriptive — never predictive. The platform is a tool; trading decisions are yours.

Custody

Star Algorithm does not custody funds. All execution flows through your own broker credentials at your own broker of record. We never touch your capital — we only emit orders against the API you authorize on your environment.

Incident comms

What happens when something breaks.

Disclosure timeline

If we discover a security issue, we patch first and disclose second. Affected accounts receive an email within seven days of remediation, with a description of the issue, the fix, and any user-side action required.

Status page

TODO operator: the operator will wire a status-page URL here once one exists. Until then, platform availability is best reached via the contact below.

Contact

Security reports, disclosure requests, and any time-sensitive issue: isaiahdupree33@gmail.com.

Build info

This statement reflects the platform as of build alpha. Last reviewed May 16, 2026.

See pricing