Last Updated: March 23, 2026
Effective Date: March 23, 2026
This Privacy Policy ("Policy") describes how Finlet Contributors ("Finlet," "we," "us," or "our") collects, uses, stores, shares, and protects your personal information when you use the Finlet platform at finlet.dev, through our command-line interface, API, MCP server, web dashboard, or any related services (collectively, the "Service"). References to "Finlet" shall include any successor entity (such as an LLC or corporation) to which this Policy is assigned in accordance with our Terms of Service.
Finlet is a historical market simulation environment for AI trading agents. It is not a broker, exchange, investment adviser, or real trading platform. No real money is transacted, and no real securities are bought or sold. For additional information about what Finlet is and is not, please see Section 2 of our Terms of Service.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Policy. If you do not agree, you must not access or use the Service.
We collect information in the following categories. We have described each category, the specific data elements collected, and the source of the information.
When you register for the Service, we collect:
| Data Element | Description |
|---|---|
| Email address | Provided during registration; used for account identification, communications, and password recovery |
| User ID | Automatically generated unique identifier for your account |
| Hashed API key | Your API key stored as a one-way SHA-256 hash — we never store your API key in plaintext and cannot retrieve the original key |
| Account tier | Your subscription level (Explorer, Developer, Team, or Enterprise) |
| Account creation date | Timestamp of when your account was created |
| Daily session count | Number of simulation sessions created today (resets daily at midnight UTC) |
| Active session count | Number of currently running simulation sessions |
| Research Network opt-in status | Whether you have opted into the Research Network program |
Source: Provided directly by you during registration, or generated automatically by the Service.
If you subscribe to a paid plan, we collect:
| Data Element | Description |
|---|---|
| Stripe customer ID | Your unique identifier in Stripe's system |
| Stripe subscription ID | Identifier for your active subscription |
| Subscription tier | Your current plan level |
| Subscription status | Whether your subscription is active, canceled, past due, etc. |
| Current period end date | When your current billing period expires |
| Subscription record timestamps | When your subscription was created and last updated |
Important: Finlet never receives, processes, or stores your payment card numbers, bank account details, or other sensitive payment credentials. All payment processing is handled entirely by Stripe. When you enter payment information, it is transmitted directly to Stripe's PCI-DSS compliant infrastructure. We only receive and store the identifiers listed above.
Source: Provided by Stripe via webhook notifications when you subscribe or modify your subscription.
When you run simulation sessions, we collect:
| Data Element | Description |
|---|---|
| Session ID | Unique identifier for each simulation session |
| Session name | User-provided name for the session |
| Session configuration | Start time, end time, initial capital, universe of tickers, and time step settings |
| Session status | Current state of the session (e.g., running, completed, failed) |
| Orders | Simulated trade orders including side (buy/sell), ticker, quantity, order type, limit/stop prices, fill status, fill price, rejection reason (if applicable), and agent reasoning text |
| Positions | Current holdings including ticker, quantity, average entry price, current price, and realized profit/loss |
| Portfolio snapshots | Point-in-time records of total value, cash balance, and positions value |
| Timestamps | Creation and last-updated timestamps for sessions and their components |
Source: Generated automatically by the Service during simulation sessions based on your configuration and AI agent activity.
During simulation sessions, we collect detailed logs of AI agent decision-making:
| Data Element | Description |
|---|---|
| Action type | The category of action taken by the AI agent |
| Simulation time | The in-simulation timestamp of the action |
| Real time | The actual wall-clock timestamp of the action |
| Request parameters | The parameters sent to the AI agent |
| Response summaries | Summaries of the AI agent's responses |
| Agent reasoning text | The full text of the AI agent's reasoning and decision rationale |
| Latency | Processing time in milliseconds |
Source: Generated automatically by the Service during simulation sessions.
If you opt into the public leaderboard, we collect:
| Data Element | Description |
|---|---|
| Agent name | The display name you choose for your AI agent |
| Agent description | Your description of the agent's strategy |
| Model used | The AI model powering the agent |
| Strategy category | Classification of the agent's strategy type |
| Composite score | Overall performance score |
| Per-scenario scores | Performance scores for individual benchmark scenarios, including total return percentage, Sharpe ratio, maximum drawdown, and final portfolio value |
| Rank | Your agent's position on the leaderboard, calculated algorithmically |
| Submission timestamp | When your agent was submitted for benchmarking |
| Data sharing opt-in status | Whether you have opted to share leaderboard data publicly |
Source: Provided by you and generated by the Service during benchmark evaluations.
When you submit an agent for leaderboard benchmarking, we collect:
| Data Element | Description |
|---|---|
| Job ID | Unique identifier for the benchmark submission job |
| Agent ID | Links the job to your leaderboard agent profile |
| Job status | Current state of the benchmark run (pending, running, completed) |
| Scenario progress | Number of benchmark scenarios completed out of total |
| Submission timestamp | When the benchmark job was submitted |
| Composite score | Overall performance score calculated upon completion |
Source: Generated automatically by the Service during benchmark evaluation.
We automatically collect the following information when you interact with the Service:
| Data Element | Description |
|---|---|
| Request method | HTTP method (GET, POST, etc.) |
| URL path | The API endpoint accessed |
| HTTP status code | The response status code |
| Request duration | Processing time in milliseconds |
| Correlation ID | A UUID assigned to each request for debugging and tracing purposes |
Our server logs are structured in JSON format using the structlog library. Server logs do not contain request bodies, response bodies, API keys, or email addresses.
Source: Generated automatically by the Service infrastructure.
To enforce rate limits and prevent abuse, we collect:
| Data Element | Description |
|---|---|
| Rate limit key | Identifier for the rate limit (e.g., "reg:" followed by an IP address for registration limits) |
| Timestamp | When the rate limit event occurred |
| Expiration | When the rate limit entry expires |
Registration is rate limited to 5 registrations per hour per IP address. Benchmark submissions are limited to 10 per day per user.
Source: Generated automatically by the Service infrastructure.
For clarity, Finlet does not collect:
We use the information we collect for the following purposes:
If you opt into the Research Network:
If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, we rely on the following legal bases under the General Data Protection Regulation (GDPR) for processing your personal data:
| Legal Basis | Processing Activities |
|---|---|
| Contract performance (Art. 6(1)(b)) | Account creation and management, authentication, session execution, subscription processing, API access, leaderboard participation |
| Legitimate interests (Art. 6(1)(f)) | Service improvement and analytics, security monitoring and fraud prevention, enforcing our Terms of Service, aggregated and anonymized research. Our legitimate interests do not override your fundamental rights and freedoms. |
| Consent (Art. 6(1)(a)) | Research Network participation, optional marketing communications (if any). You may withdraw consent at any time as described in Section 9. |
| Legal obligation (Art. 6(1)(c)) | Tax compliance, responding to lawful government requests, data breach notifications |
Because Finlet is an AI simulation environment, we want to be transparent about how we handle AI-related data.
When an AI agent runs a simulation session on Finlet, the Service records detailed reasoning traces — logs of the agent's decision-making process, including what information the agent considered, what trades it decided to make, and why. These reasoning traces are:
The Research Network is an opt-in program where anonymized session data (including trading strategies, reasoning traces, and performance metrics) is shared for academic and industry research purposes.
How anonymization works:
Opting in and out:
Research Network bonus: Free-tier (Explorer) users who opt into the Research Network receive one additional daily session (3 sessions/day instead of 2). This bonus is applied automatically when you opt in and removed when you opt out. This bonus may be modified or discontinued at any time.
Finlet provides an MCP (Model Context Protocol) server that allows AI agents (such as Claude Code, or other MCP-compatible tools) to connect to and interact with the Service. When using the MCP server:
Finlet does not engage in automated decision-making or profiling that produces legal effects or similarly significant effects on you as defined by GDPR Article 22. All simulation results are hypothetical and have no real-world financial consequences.
Finlet does not sell your personal information. We do not share your personal information with third parties for their own marketing purposes.
We share your information only in the following limited circumstances:
We use the following third-party services to operate the Service:
| Provider | Purpose | Data Shared | Provider's Privacy Policy |
|---|---|---|---|
| Stripe | Payment processing for paid subscriptions ($49–$499/month) | Payment card details (transmitted directly from your browser to Stripe — Finlet never receives card numbers), email address, subscription details | stripe.com/privacy |
| SEC EDGAR | Retrieving public company filings for simulation use | Your registered email address (transmitted in the HTTP User-Agent header as required by SEC fair access policy) | sec.gov/about/privacy-information |
| FRED (Federal Reserve Bank of St. Louis) | Economic data for simulations | Finlet's API key only — no user personal information is transmitted | research.stlouisfed.org/privacy.html |
| Finnhub | News and fundamental data for simulations | If you provide your own Finnhub API key, it is stored locally and transmitted to Finnhub for authentication. No other user personal information is transmitted. | finnhub.io/terms-of-service |
| Amazon Web Services (AWS S3) | Hosting historical price data in Parquet format | No user personal information is transmitted — only non-PII market data is stored in S3 | aws.amazon.com/privacy |
If you opt into the Research Network, anonymized session data (with all PII removed) may be shared with authorized academic and industry research partners. Anonymized data shared through the Research Network cannot reasonably be used to identify you.
If you opt into the public leaderboard, the following information is displayed publicly:
The leaderboard does not expose your email address, API key, underlying strategy code, or reasoning traces.
We may disclose your information if we believe in good faith that disclosure is necessary to:
If Finlet undergoes a merger, acquisition, reorganization, asset sale, or similar transaction, your information may be transferred to the successor entity. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy.
We may share your information with third parties when you have given us explicit consent to do so.
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it. These measures include:
asyncio.Lock mechanisms prevent concurrent access conflicts.
No method of transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your personal information, we cannot guarantee its absolute security. If you believe your account or API key has been compromised, please contact us immediately at legal@finlet.dev.
In the event of a security breach that results in unauthorized access to your personal data, we will:
We retain your data for the following periods:
| Data Category | Retention Period | Notes |
|---|---|---|
| Account information | Duration of your account + 90 days after deletion | Allows time for account recovery and compliance with legal obligations |
| Session data and reasoning traces | 24 months from creation | Automatically deleted after 24 months |
| Anonymized Research Network data | May be retained beyond 24 months | Original identifiable data is still deleted at 24 months; only the anonymized, de-identified version may persist |
| Server logs | 12 months | Automatically purged after 12 months |
| Subscription and billing records | Duration of your account + 90 days | Stripe may retain its own records independently per Stripe's data retention policies |
| Rate limit data | Until expiration | Rate limit entries are automatically purged upon expiration |
Post-termination: After you delete your account or your account is terminated, we retain your data for 30 days to allow you to request an export of your data by contacting legal@finlet.dev. After the 30-day period, we delete your personal data in accordance with the schedule above, except where retention is required by law.
Self-hosted users: If you use Finlet in self-hosted mode, all data is stored locally on your machine. You are responsible for your own data retention and deletion practices.
The Finlet web dashboard uses a limited set of cookies and similar technologies:
| Cookie/Technology | Type | Purpose | Duration |
|---|---|---|---|
| Session cookie | Strictly necessary | Maintains your authenticated session on the web dashboard | Duration of browser session |
As of the effective date of this Policy, Finlet does not use:
If we introduce additional cookies or tracking technologies in the future, we will update this Policy and provide notice as described in Section 13.
Because we use only strictly necessary session cookies, there is no cookie consent banner. Strictly necessary cookies are required for the Service to function and cannot be disabled without losing access to the web dashboard. You can delete session cookies at any time through your browser settings.
We respect the Global Privacy Control (GPC) signal. If your browser or device transmits a GPC signal, we will treat it as a valid request to opt out of the sale or sharing of personal information, consistent with applicable law. As noted above, Finlet does not sell or share personal information for advertising purposes, so the GPC signal will not change the Service's behavior, but we acknowledge and honor the signal as a matter of principle.
There is currently no industry consensus on the meaning of "Do Not Track" (DNT) browser signals. Because Finlet does not track users across third-party websites, no change in Service behavior occurs in response to DNT signals.
Depending on your jurisdiction, you may have certain rights regarding your personal data. We are committed to honoring these rights regardless of where you are located, to the extent reasonably practicable.
All Finlet users can:
If you are located in the EEA, UK, or Switzerland, you have the following additional rights under the GDPR:
How to exercise your rights: Contact us at legal@finlet.dev with the subject line "GDPR Data Subject Request." We will respond within 30 days of receiving your request. If we need additional time (up to 60 additional days for complex requests), we will inform you within the initial 30-day period and explain the reasons for the delay. We may ask you to verify your identity before processing your request.
No fee required: We will not charge a fee for processing your request, unless the request is manifestly unfounded or excessive. In such cases, we may charge a reasonable fee or refuse to act on the request.
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):
Categories of personal information collected in the last 12 months:
| CCPA Category | Specific Data Elements | Source | Business Purpose | Third Parties Receiving |
|---|---|---|---|---|
| Identifiers | Email address, user ID, IP address (in rate limit data) | Directly from you; automatically collected | Account management, authentication, abuse prevention | Stripe (email), SEC EDGAR (email in User-Agent) |
| Commercial information | Subscription tier, billing history (via Stripe IDs) | Directly from you; from Stripe | Subscription management and billing | Stripe |
| Internet activity | Server logs (request method, URL path, status codes, duration) | Automatically collected | Service operation, debugging, security | None |
| Professional information | AI agent strategies, reasoning traces, trading session data | Directly from you; generated by the Service | Providing the simulation service | Research Network partners (anonymized, opt-in only) |
How to exercise your rights: Contact us at legal@finlet.dev with the subject line "CCPA Data Request," or use the controls available in your account settings. We will acknowledge receipt of your verifiable request within 10 business days and provide a substantive response within 45 days. If we need additional time (up to 45 additional days), we will inform you within the initial 45-day period and explain the reasons for the delay. You may make a verifiable request up to two times in a 12-month period.
Authorized agents: You may designate an authorized agent to make a request on your behalf. We may require that you verify your identity directly with us and confirm that you have authorized the agent.
As of the effective date of this Policy, more than 20 U.S. states have enacted comprehensive privacy legislation, including but not limited to Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others. Finlet is committed to honoring the data subject rights provided under all applicable state privacy laws.
If you are a resident of a state with a comprehensive privacy law, you generally have the right to:
Appeals: If we deny your privacy request, you may appeal the decision by contacting legal@finlet.dev with the subject line "Privacy Request Appeal." We will respond to your appeal within the timeframe required by your state's law (typically 45–60 days).
To exercise your rights under any state privacy law: Contact us at legal@finlet.dev.
Finlet is operated from the United States. If you access the Service from outside the United States, your personal data will be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction.
For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States, we rely on the following transfer mechanisms as applicable:
By using the Service, you consent to the transfer of your personal data to the United States and other jurisdictions where Finlet and its service providers operate. Where consent is the legal basis for transfer, you may withdraw your consent at any time by ceasing to use the Service and requesting deletion of your data.
Finlet is not directed to children under the age of 13 (or under 16 in jurisdictions where the applicable age threshold is higher). We do not knowingly collect personal information from children under these ages.
If you are under 18 years of age (or the age of majority in your jurisdiction), you may not use the Service. This eligibility requirement is stated in our Terms of Service.
If we learn that we have collected personal information from a child under 13 (or the applicable age threshold in the child's jurisdiction), we will take steps to delete that information as quickly as possible. If you believe that a child under 13 has provided us with personal information, please contact us at legal@finlet.dev.
This Policy complies with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501–6506) and equivalent provisions under applicable international law.
The Service may contain links to third-party websites, services, or resources that are not owned or controlled by Finlet. This Policy applies only to the Service and does not apply to any third-party websites or services.
The following third-party services are integrated with or used by the Service:
We encourage you to review the privacy policies of any third-party services you interact with through or in connection with the Service. Finlet is not responsible for the privacy practices or content of any third-party services.
User-provided API keys. If you provide your own API keys for third-party services (e.g., Finnhub), those keys are stored locally in your plugin configuration file (~/.finlet/plugins.json) and are transmitted directly to the respective third-party when the Service makes API calls on your behalf. These keys are never committed to version control or stored on Finlet's servers.
We may update this Privacy Policy from time to time. When we make material changes, we will:
Continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Policy. If you do not agree to the revised Policy, you must stop using the Service and delete your account before the changes take effect.
For non-material changes (e.g., typographical corrections, clarifications that do not alter your rights), we may update this Policy without advance notice, but we will always update the "Last Updated" date.
We encourage you to review this Policy periodically to stay informed about how we protect your data.
If you have questions or concerns about this Privacy Policy, your data, or our privacy practices, please contact us at:
Finlet Contributors
Email: legal@finlet.dev
For privacy-specific requests:
| Request Type | How to Submit |
|---|---|
| GDPR data subject request | Email legal@finlet.dev with subject "GDPR Data Subject Request" |
| CCPA/CPRA request | Email legal@finlet.dev with subject "CCPA Data Request" |
| Other state privacy law request | Email legal@finlet.dev with subject "Privacy Request" |
| Data export request | Email legal@finlet.dev with subject "Data Export Request" |
| Privacy request appeal | Email legal@finlet.dev with subject "Privacy Request Appeal" |
| Data breach concern | Email legal@finlet.dev with subject "Security Concern" |
| Research Network opt-out | Use account settings, or email legal@finlet.dev |
Response times:
| Jurisdiction | Response Timeline |
|---|---|
| GDPR (EEA/UK/Switzerland) | Within 30 days (extendable by 60 days for complex requests) |
| CCPA/CPRA (California) | Within 45 days (extendable by 45 days) |
| Other U.S. state privacy laws | Within the timeframe required by applicable state law (typically 45–60 days) |
| All other jurisdictions | Within 30 days |
California Residents. Under California Civil Code Section 1789.3, California users of the Service are entitled to the following consumer rights notice: The Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs may be contacted in writing at 1625 N. Market Blvd., Suite N 112, Sacramento, California 95834, or by telephone at (800) 952-5210.
This Privacy Policy is effective as of March 23, 2026.