Last updated: March 2026
Privacy Policy
X-Optional Research ("Company," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, store, and share information when you use the X-Optional platform. We designed our system to collect only what is necessary to provide the service and nothing more.
1. Information We Collect
When you create an account and use X-Optional, we collect the following categories of information:
Account Information
- Email address — Used for account authentication, verification emails, trade alerts, and digest delivery.
- Display name — Shown on your profile and leaderboard. You choose this during registration.
- Password (hashed) — We never store your password in plaintext. Passwords are hashed with Argon2id, a memory-hard algorithm designed to resist GPU-based attacks. Legacy bcrypt hashes are automatically upgraded to Argon2id on next login.
- Authentication provider — If you sign in via Google or GitHub OAuth, we store the provider name and your provider-issued user ID. We do not store your OAuth access tokens.
Research Activity
- Saved trade ideas — Ticker, strategy, signal scores, and model outputs you choose to save.
- Predictions — Trade outcomes you record for portfolio tracking and XP scoring.
- Watchlist — Tickers you add to your watchlist for monitoring.
- Quiz results and XP events — Your learning progress and gamification activity.
Usage Data
- API request logs — Endpoint, timestamp, and user ID for rate limiting and abuse prevention. We do not log request bodies.
- Subscription tier and billing status — Managed by Stripe. We store your tier (Essentials/Ultra) and trial status locally; Stripe handles all payment details.
2. Information We Do NOT Collect
X-Optional is a research tool, not a financial services provider. We deliberately avoid collecting sensitive personal and financial data:
- Social Security numbers (SSN) or government-issued identification numbers
- Date of birth
- Brokerage account credentials — Our broker integration uses pass-through URL deep-links. We never ask for, receive, or store your brokerage login, password, API keys, or account numbers.
- Financial account numbers — No bank accounts, credit card numbers (Stripe handles payment processing entirely on their infrastructure), or investment account numbers.
- Physical address
- Phone number
3. How We Store Your Data
All user data is stored in a dedicated PostgreSQL 16 database running on isolated infrastructure managed by X-Optional Research. This is not a shared multi-tenant cloud database — it is a single-purpose database instance serving only the X-Optional platform.
Database connections are encrypted. The application uses connection pooling (pool_size=5, max_overflow=15) with automatic connection recycling every 30 minutes. Database backups run automatically every night at 3 AM UTC, are encrypted, and are stored in Google Cloud Storage.
Authentication tokens are stored in process-local memory with automatic expiration (access tokens: 15 minutes, refresh token families: 7 days). Tokens are never written to disk or persisted in the database.
4. Data Retention and Deletion Rights
In accordance with GDPR Article 17 (Right to Erasure), you have the right to request complete deletion of your account and all associated data. When you delete your account:
- Your user record, including email, display name, and password hash, is permanently deleted.
- All saved trade ideas, predictions, watchlist items, and XP events are permanently deleted.
- Your Stripe subscription is cancelled and the customer record is unlinked.
- Any affiliate relationships and commission records associated with your account are removed.
Account deletion is available through your account settings or by emailing info@xoptional.com. Deletion requests are processed within 30 days.
5. Data Portability
In accordance with GDPR Article 20 (Right to Data Portability), you have the right to receive your personal data in a structured, commonly used, machine-readable format. You can export your data at any time via the /api/user/export-data endpoint, which returns a JSON file containing your profile information, saved trade ideas, predictions, watchlist, and XP history. No waiting period — the export is generated on demand.
6. Third-Party Services
We integrate with a limited number of third-party services, each for a specific operational purpose. We do not sell, rent, or share your personal data with any third party for marketing or advertising purposes.
Stripe
Payment processing and subscription management. Stripe receives your email and payment method details directly — card numbers never touch our servers. Subject to Stripe's Privacy Policy.
Resend
Transactional email delivery (verification emails, trade alerts, digest emails). Resend receives your email address for delivery purposes only.
Alpaca Markets
Primary market data provider for stock and options pricing via OPRA feed. Alpaca does not receive any user data — all API calls are server-to-server using our API credentials.
Alpha Vantage
Supplementary fundamental data and company overviews. Server-to-server only — no user data is transmitted.
Google (Gemini API)
AI synthesis layer for generating trade idea narratives and deep-dive analyses. We send market data and signal scores to the Gemini API — no user personal information (email, name, or account details) is included in AI prompts.
7. Cookies
X-Optional uses a single functional cookie:
auth_indicator
A lightweight cookie that indicates whether you are logged in. It is used by the frontend middleware to protect authenticated routes (dashboard, portfolio, settings). It does not contain your access token, personal data, or any tracking information. It is set on login and cleared on logout.
We do not use tracking cookies, analytics cookies, advertising cookies, or any third-party cookie-based tracking. We do not use Google Analytics, Facebook Pixel, or similar services. We do not fingerprint browsers or devices.
8. Data Residency
All X-Optional infrastructure — application servers, database, and backups — is hosted in the United States. Your data does not leave the United States for storage or processing purposes. Third-party API calls (Stripe, Resend, Alpaca, Gemini) are made to US-region endpoints. If you are accessing the platform from outside the United States, you acknowledge that your data will be transferred to and processed in the United States.
9. Security Measures
We implement the following security measures to protect your data:
- Password hashing — Argon2id with automatic upgrade from legacy bcrypt hashes.
- Short-lived access tokens — JWT tokens expire after 15 minutes and are stored in memory only.
- Refresh token rotation — Family-based rotation with theft detection. Token reuse invalidates the entire family.
- Rate limiting — Sliding-window rate limits prevent brute force and abuse.
- Security headers — All responses include Content-Security-Policy, X-Frame-Options, and other standard security headers.
- Input validation — All user inputs are validated and parameterized to prevent injection attacks.
10. Children's Privacy
X-Optional is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If you believe we have inadvertently collected data from a minor, please contact us at info@xoptional.com and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address associated with your account. The "Last updated" date at the top of this page reflects the most recent revision. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.
12. Contact
For questions about this Privacy Policy, to exercise your data rights, or to report a privacy concern, contact us at:
X-Optional Research
Email: info@xoptional.com
Data export: GET /api/user/export-data
Account deletion: Settings page or email request
© 2026 X-Optional Research. All Rights Reserved.