Privacy Policy
Last updated: May 2026
Introduction & Scope
This Privacy Policy describes how Kysenpool Technologies, Inc. ("we," "us," or "our") collects, uses, discloses, and safeguards personal information in connection with Meet Zoro, our agentic AI trading orchestration service (the "Service"). It applies to all users who create an account, access our web application at zoro.kysenpool.io, connect exchange API keys, or otherwise interact with us. By using the Service you acknowledge that you have read and understood this policy. If you do not agree with our practices, please discontinue use and contact us to close your account.
Information We Collect — Account & Identity
When you register, we collect your email address, display name, and the geographic region you select during onboarding. Authentication is managed by Clerk, which may also collect a hashed password or federated identity token (e.g., Google or GitHub OAuth) on our behalf. We do not collect government-issued identification documents unless a jurisdiction-specific KYC flow is triggered, as described in Section 30. You may optionally provide a phone number for multi-factor authentication; this number is stored by Clerk and is not used for marketing without your explicit consent.
Information We Collect — Financial & Trading
To execute trades on your behalf, we store encrypted API key credentials for the exchanges you connect — additional exchange integrations are added on the post-pilot roadmap and will be disclosed here when added. We do not hold, custody, or transfer your digital assets at any time; all assets remain in your exchange accounts and we operate exclusively through trade-only API keys that have no withdrawal permissions. We also record the trading instructions you issue to Meet Zoro, the orders placed on connected exchanges, execution confirmations, fill prices, fees, and the resulting portfolio states required for audit purposes. Subscription and billing information, including your Stripe customer ID, plan, and payment method last-four digits, is stored by Stripe and referenced by us only via tokenized identifiers.
Information We Collect — Technical & Device
Our infrastructure automatically collects standard technical data when you access the Service, including your IP address, browser type and version, operating system, referring URLs, pages visited, session duration, and timestamped activity logs. On the Vercel edge layer we capture request metadata for performance monitoring and abuse prevention. Our long-running orchestrator on Fly.io records task execution logs, latency metrics, error traces, and resource utilisation necessary to maintain service reliability. This technical data is retained for 30 days in hot storage and may be retained in aggregated, anonymised form for longer periods for capacity planning.
Information We Collect — Communications
When you contact our support team, respond to surveys, participate in user-research interviews, or communicate with Meet Zoro via the chat interface, we collect and store the content of those communications. Conversation history with the Meet Zoro AI assistant — including prompts, strategy requests, and AI-generated responses — is retained for 18 months on a rolling basis to provide continuity and to improve model quality under the terms of our data-processing agreement with Anthropic. Inbound support emails and tickets are stored for three years from resolution. We may record customer calls with advance notice and consent where required by law.
How We Collect Information
We collect information directly from you when you register, configure settings, connect exchange accounts, or contact us. We collect information automatically via cookies, server logs, and analytics SDKs embedded in our web application. We receive information from third-party providers including Clerk (identity events), Stripe (payment lifecycle webhooks), and connected exchanges (order confirmations and position snapshots fetched by our orchestrator). We may also receive information from identity-verification partners if KYC is required. We do not purchase personal information from data brokers.
Use of Your Information — Service Delivery
We use your account and credential information to authenticate your sessions and to route AI-generated trading instructions to the correct exchange endpoints using your API keys. Your trading history and portfolio snapshots are processed to generate performance analytics, strategy backtests, and the contextual memory that Meet Zoro uses to personalise its recommendations. Billing data is used to enforce plan entitlements, process subscription renewals, and issue refunds. Technical logs are used to diagnose and resolve incidents affecting your account.
Use of Your Information — Safety & Fraud Prevention
We analyse usage patterns, IP reputation signals, and behavioural signals to detect account takeover attempts, credential stuffing, and automated abuse of our API. Unusual trading velocity or anomalous API-key usage patterns may trigger automated risk controls or human review. We maintain an audit log of all privileged actions — including API key additions and revocations, plan changes, and strategy activations — for seven years to support forensic investigations. We share anonymised fraud signals with third-party risk vendors under strict confidentiality agreements.
Use of Your Information — Legal & Compliance
We retain and process personal and trading data as required to comply with applicable financial regulations, tax reporting obligations, anti-money-laundering (AML) requirements, and court orders or regulatory demands. Our seven-year audit log retention schedule reflects obligations we anticipate under evolving digital-asset regulatory frameworks in the United States, European Union, and United Kingdom. We may be required to disclose information to regulators such as the SEC, CFTC, FCA, or equivalent authorities without prior notice to you where legally prohibited from giving such notice.
Use of Your Information — Analytics & Improvement
Aggregate and de-identified usage data — such as which exchange integrations are most popular, common strategy patterns, and feature engagement rates — is used to prioritise product development and improve the quality of Meet Zoro's AI models. Where we share conversation data with Anthropic for model improvement, it is governed by a data-processing agreement that prohibits Anthropic from training general-purpose models on your individually identifiable trading instructions without your separate consent. You may opt out of AI model improvement use by submitting a request to privacy@hypertrader.io.
Use of Your Information — Marketing Communications
With your consent, we may send you product announcements, feature highlights, market commentary, and promotional offers by email. You can withdraw consent and unsubscribe at any time using the link in any marketing email or by updating your notification preferences in the dashboard. Transactional communications — such as order confirmations, billing receipts, security alerts, and service outage notices — are not subject to marketing opt-out and will continue as necessary to operate your account. We do not sell your email address or personal information to third-party marketers.
Sharing with Service Providers
We engage the following categories of third-party processors that may access personal data to perform functions on our behalf: cloud infrastructure (AWS for Postgres, KMS, and object storage; Fly.io for the orchestrator runtime; Vercel for the web application edge); authentication (Clerk); payment processing (Stripe); large-language-model inference (Anthropic); application monitoring and error tracking (such as Sentry or Datadog); and email delivery. All processors are bound by data-processing agreements that restrict their use of personal data to the purposes we specify and require appropriate security measures. A current list of sub-processors is available upon request at privacy@hypertrader.io.
Sharing with Exchanges & Brokerages
When you connect an exchange account, your API credentials are transmitted to that exchange's API endpoints solely to execute the instructions you or Meet Zoro initiates. The connected exchange operates under its own terms of service and privacy policy, and we are not responsible for its data practices. We recommend reviewing the exchange's privacy policy before connecting your account. As additional exchange integrations are added in future post-pilot releases, the same posture applies and each new integration will be disclosed here. We transmit only the minimum data required to authenticate and place orders; we do not share your identity information with exchanges unless you explicitly authorise it or unless required by the exchange's own KYC procedures.
Sharing for Legal Reasons
We may disclose your personal information if we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to a valid subpoena, court order, or regulatory demand, protect the rights or safety of Meet Zoro, our users, or the public, or to detect and prevent fraud. Where permitted by law, we will attempt to notify you before disclosing your information and will seek to narrow the scope of any disclosure to what is strictly required. We publish an annual transparency report summarising the number and nature of legal demands received, to the extent permitted by law.
Sharing in Business Transfers
If we are involved in a merger, acquisition, asset sale, financing, reorganisation, or insolvency proceeding, your personal information may be transferred as part of that transaction. We will notify you via email and a prominent notice on our website at least 30 days before your information is transferred and becomes subject to a different privacy policy, and we will provide you with an opportunity to delete your account and data before the transfer takes effect where technically feasible. Any successor entity will be required to honour this policy's commitments or obtain your fresh consent.
Third-Party Links & Services
The Service may contain links to external websites, exchange documentation portals, or third-party analytics dashboards that we do not control. This Privacy Policy does not apply to those third-party sites, and we are not responsible for their content or privacy practices. We encourage you to review the privacy policies of any third-party service you access through our platform. Our integrations with connected exchanges are governed by the respective exchange's terms; if an exchange's API behaviour changes in a way that affects how data is processed, we will update this policy accordingly.
Cookies & Tracking Technologies
We use strictly necessary cookies to maintain your authenticated session and to protect against cross-site request forgery. With your consent, we use functional cookies to remember your dashboard preferences and performance cookies (such as those set by Vercel Analytics) to measure page load times and feature engagement. We do not use third-party advertising cookies or cross-site tracking pixels. You can manage cookie preferences through our cookie consent banner or your browser settings; disabling necessary cookies will prevent you from logging in. We honour Global Privacy Control (GPC) signals where technically feasible.
API Key Security & Encryption
Your exchange API keys are the most sensitive data we hold, and the boundary at which they are processed is itself a control. Upon submission, each key is encrypted client-side and stored at rest using AWS Key Management Service (KMS) with a customer-managed envelope-encryption hierarchy (per-row data key, master key in KMS); keys are never stored in plaintext at any layer of our system. Decryption is restricted to the orchestrator process on Fly.io at the moment of order execution; the webapp tier has no ability to retrieve decrypted key material. At link time we validate the key's permission scope and reject any key that carries withdrawal or transfer scope; a recurring per-order re-verification of that scope is on our roadmap and the audit log will record the rollout when it ships. Decrypted material is never logged, never cached beyond the immediate transaction, and never exposed to any human operator without a break-glass audit trail. We recommend using exchange-generated API keys scoped to trade-only permissions with IP allowlisting set to our published egress IP ranges. If a key revocation is requested or detected as compromised, the encrypted material is overwritten and deleted within 24 hours.
Data Retention Schedules
We retain different categories of data for different periods based on operational need and legal obligation: audit logs (all order events, privileged account actions) are retained for seven years from the date of the event; encrypted API keys are deleted within 24 hours of revocation or account closure; conversation history with Meet Zoro is retained for 18 months on a rolling basis; technical and operational telemetry is retained in hot storage for 30 days and then permanently deleted; billing records including Stripe transaction IDs are retained for seven years for tax and accounting purposes; support communications are retained for three years from ticket resolution; account registration data is retained for the life of the account plus 90 days following permanent deletion. You may request early deletion subject to legal hold obligations.
Security Measures
We implement a defence-in-depth security programme that includes: encryption in transit via TLS 1.2 or higher for all data flows; encryption at rest for all persistent data stores using AES-256; AWS KMS for key management with hardware security module (HSM) backing; least-privilege IAM roles for infrastructure components; multi-factor authentication enforced for all internal administrator accounts; automated dependency scanning and static analysis in our CI/CD pipeline; and periodic third-party penetration testing. Despite these measures, no system is completely immune to security incidents, and we cannot guarantee absolute security of your information.
Data Breach Notification
In the event of a personal data breach that is likely to result in risk to your rights and freedoms, we will notify affected users without undue delay and within the timeframes required by applicable law — within 72 hours of becoming aware for EU/UK GDPR-covered data, and in accordance with applicable US state breach-notification laws for other users. Notification will be provided by email to the address on your account and, where a breach is sufficiently widespread, via a prominent notice on our website. Notices will describe the nature of the breach, the categories of data affected, the likely consequences, and the steps we have taken or propose to take to address the breach.
Cross-Border Data Transfers
Meet Zoro is operated from the United States. If you access the Service from the European Economic Area, United Kingdom, or other jurisdictions with data-transfer restrictions, your personal information will be transferred to and processed in the United States and other countries where our service providers operate. We rely on the following transfer mechanisms: Standard Contractual Clauses (SCCs) approved by the European Commission for transfers from the EEA; the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs for transfers from the United Kingdom; and, where applicable, adequacy decisions. By using the Service you acknowledge these cross-border transfers. You may request a copy of the applicable transfer safeguards by contacting privacy@hypertrader.io.
Your Privacy Rights — General
Regardless of your location, you have the right to access a copy of the personal information we hold about you, to correct inaccurate data, to request deletion of your data subject to legal hold obligations, and to lodge a complaint with your local data protection authority. You may also request that we restrict processing of your data while a dispute is resolved. To exercise any of these rights, submit a written request to privacy@hypertrader.io from the email address associated with your account. We will verify your identity before processing the request and respond within 30 days, or within any shorter period required by applicable law.
Your Privacy Rights — EU/EEA/UK (GDPR)
If you are located in the European Economic Area or United Kingdom, you have the following additional rights under the General Data Protection Regulation (GDPR) or UK GDPR: the right to data portability (to receive your data in a structured, commonly used, machine-readable format); the right to object to processing based on legitimate interests; the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal; and the right to lodge a complaint with a supervisory authority — for UK users this is the Information Commissioner's Office (ICO); for EEA users, your national data protection authority. Our lawful bases for processing are: contract performance (service delivery), legitimate interests (security and fraud prevention, analytics), legal obligation (audit log retention, AML compliance), and consent (marketing emails, AI model improvement). A full record of processing activities (Article 30 record) is available upon request.
Your Privacy Rights — California (CCPA/CPRA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA): the right to know what personal information we collect, use, disclose, or sell; the right to delete personal information we have collected; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of personal information; the right to limit use of sensitive personal information; and the right to non-discrimination for exercising your CCPA rights. We do not sell personal information as defined by the CCPA. To submit a verified consumer request, email privacy@hypertrader.io or use the designated request form available in your account settings. We will respond within 45 days, extendable by an additional 45 days with notice.
Do Not Sell or Share My Personal Information
We do not sell your personal information to third parties for monetary consideration. We also do not share personal information with third parties for cross-context behavioural advertising purposes. Certain analytics tools we use may qualify as "sharing" under the CPRA's broad definition; you may opt out of such sharing by enabling Global Privacy Control in your browser or by submitting a request to privacy@hypertrader.io. Opting out of sharing does not affect our ability to provide the core trading orchestration service. If you are an authorised agent submitting a request on behalf of a California consumer, please include written authorisation signed by the consumer.
Sensitive Personal Information
Under the CPRA, certain categories of data are classified as "sensitive personal information" and receive heightened protection, including precise geolocation, financial account credentials, and information collected for AML/KYC purposes. We use sensitive personal information only to provide the services you request and to comply with legal obligations; we do not use it to infer characteristics about you for advertising or profiling purposes beyond what is necessary for fraud prevention. You may request that we limit the use of your sensitive personal information to these permitted purposes by contacting privacy@hypertrader.io. Exchange API keys, which function as financial account credentials, fall within this category and are subject to our enhanced encryption controls described in Section 18.
Automated Decision-Making & Profiling
Meet Zoro uses AI and automated systems to generate trading recommendations and execute orders based on the strategies you configure. These automated decisions can have financial consequences. You retain full control: all strategy activations, parameter changes, and exchange connections require your explicit action, and you may pause or disable automated trading at any time from your dashboard. We do not make automated decisions about your eligibility for the Service in a manner that produces legal or similarly significant effects without human review. EU/UK users have the right under GDPR Article 22 to request human review of any automated decision that significantly affects them; contact privacy@hypertrader.io to exercise this right.
Children's Privacy
The Service is intended solely for users who are 18 years of age or older, or the age of majority in their jurisdiction if higher. We do not knowingly collect personal information from anyone under the age of 18. If we become aware that we have inadvertently collected information from a minor, we will delete it promptly. If you believe a minor has provided us with personal information, please contact privacy@hypertrader.io and we will take immediate steps to investigate and remediate.
Identity Verification (KYC/AML)
Depending on your jurisdiction or the regulatory requirements of our licensing arrangements, we may be required to verify your identity before activating certain features or volume thresholds. If KYC verification is required, you will be prompted to provide government-issued identification documents and a selfie through an integrated identity-verification provider. We retain KYC records for the period required by applicable AML regulations, which is typically five to seven years from the end of our relationship. KYC data is processed under the lawful basis of legal obligation and is not used for any purpose other than regulatory compliance and fraud prevention. We will notify you clearly before initiating any KYC flow.
Regulatory & Law Enforcement Disclosure
As a service operating in the digital-asset space, we may be subject to oversight by financial regulators including but not limited to the SEC, CFTC, FinCEN, FCA (UK), and equivalent authorities in other jurisdictions where our users are located. We maintain records and controls designed to respond to regulatory examinations, audits, and information requests. Law enforcement agencies may seek access to user data through legally valid process such as subpoenas, court orders, or national security letters. We scrutinise all such requests for legal validity, seek to narrow their scope, and notify affected users where legally permissible. We will not provide backdoor or bulk access to user data outside of lawful process.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will notify you at least 30 days in advance by email and by posting a prominent notice in the dashboard. The "Last updated" date at the top of this page reflects when the most recent version took effect. Your continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy. If you do not agree with the changes, you may close your account before they take effect.
Contact Us & Data Protection Officer
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our privacy team at privacy@hypertrader.io. For users in the EU/EEA and UK who wish to contact our Data Protection Officer directly, you may write to dpo@hypertrader.io. We aim to acknowledge all privacy inquiries within five business days and to resolve them within 30 days. If you are not satisfied with our response, you have the right to escalate to the relevant supervisory authority in your jurisdiction. Our registered correspondence address for privacy matters is: Kysenpool Technologies, Inc., Attention: Privacy Team, [Address on file].