How we handle your data, money, and trust.
Star Algorithm is in invite-only alpha. This page is the long-form answer to the questions any serious operator asks before pointing real capital at a platform: where the data lives, how the gate is held, and what the platform is — and is not — accountable for.
What we store, what we don't, and where it lives.
Where your data lives
Trading data is stored in Supabase Postgres with row-level security enforced per user. The user-scoped tables are: trading_paper_trades, trading_paper_portfolio_history, trading_live_trades, trading_price_alerts, and trading_events. Every row carries user_id and is reachable only by the authenticated owner — there is no shared-tenant query path.
What we collect
- Your account email (the only required PII).
- Broker connection metadata — adapter name, account id, last sync timestamp. Not broker credentials.
- The trades and strategy decisions you generate while using the platform.
What we don't collect
- Any PII beyond your email.
- Third-party analytics on the dashboard.
- Session replay, mouse-movement, or behavioural tracking.
- Marketing or advertising pixels.
Cookies
The dashboard sets exactly two cookies: the Supabase auth session cookie, and a tb_theme preference cookie for the light / dark / system theme toggle. No others. No third-party cookies are loaded.
How the gate is held.
Authentication
Email + password and Google OAuth, both routed through Supabase Auth. Sessions are JWTs issued by Supabase and verified on every FastAPI request via the require_user dependency.
Row-Level Security
Every user-scoped table enforces auth.uid() = user_id for both read and write through Postgres RLS policies. A leaked anon key cannot read another user's rows because the database itself enforces ownership — not just the application layer.
In transit
All API calls are TLS. JWT tokens are signed HS256 with a secret that is rotated per environment (sim / paper / live each carry their own).
At rest
Database is Supabase-managed; their security model applies (SOC 2 Type II, AES-256 at rest, encrypted backups).
Broker credentials
Never stored. Broker API keys live in operator- provided environment variables on the host running the platform. The platform reads them at runtime to place orders on your behalf — it does not persist them, sync them to the database, or transmit them off-host.
Sim, paper, and live — what each mode actually does.
Sim mode
Synthetic capital against historical or live market data. No real orders are placed. No broker side-effects. Sim is for development, backtesting, and forward-testing strategy behaviour.
Paper mode
Live market data with simulated capital. No real orders. No broker side-effects. Paper is for confirming a strategy survives realistic market conditions without risking funds.
Live mode
Real orders against real money. Booting the API in live mode requires LIVE_TRADING_CONFIRMED=I_UNDERSTAND in the environment, plus a per-broker *_LIVE flag for each adapter you intend to use. Both gates are checked at process start — the platform refuses to boot in live mode without explicit operator confirmation.
Past performance
Past performance does not guarantee future results. Backtest, paper, and live results are descriptive — never predictive. The platform is a tool; trading decisions are yours.
Custody
Star Algorithm does not custody funds. All execution flows through your own broker credentials at your own broker of record. We never touch your capital — we only emit orders against the API you authorize on your environment.
What happens when something breaks.
Disclosure timeline
If we discover a security issue, we patch first and disclose second. Affected accounts receive an email within seven days of remediation, with a description of the issue, the fix, and any user-side action required.
Status page
TODO operator: the operator will wire a status-page URL here once one exists. Until then, platform availability is best reached via the contact below.
Contact
Security reports, disclosure requests, and any time-sensitive issue: isaiahdupree33@gmail.com.
This statement reflects the platform as of build alpha. Last reviewed May 16, 2026.