Privacy Policy

Last Updated: May 9, 2026 Effective Date: May 9, 2026

This Privacy Policy describes how PastullioBot ("we," "us," or "our") collects, uses, and shares information when you use our website, application, and services (collectively, the "Service"). PastullioBot is operated by Christopher Maffeo, doing business as PastullioBot.

If you have questions about this policy, contact us at hello@pastulliobot.com.

1. Information We Collect

Information You Provide

Account information: Email address, password (hashed; we never see plaintext), Telegram handle (optional, only if you opt into Telegram alerts).
Payment information: When you purchase credits or subscribe, you provide payment details directly to Stripe. We do not receive, store, or have access to credit card numbers, CVVs, or full payment details. We receive only a payment confirmation, the amount paid, the product purchased, and a Stripe session ID.
Communication content: When you email us at hello@pastulliobot.com, we receive whatever you send (your email address, the body of the message, attachments).

Information Collected Automatically

Usage data: Scans you run, categories selected, filters applied, signals returned. This is necessary to operate the Service and provide your purchase history.
Technical data: IP address, browser type, device type, timestamps. Used for security, abuse prevention, and basic operations.
Authentication tokens: A session token stored in your browser's localStorage so you remain logged in. This is the only "cookie-like" technology we use; we do not use tracking cookies.

Information We Do Not Collect

We do not use third-party analytics (no Google Analytics, Mixpanel, Plausible, Posthog, or similar).
We do not track you across other websites.
We do not have advertising partners.
We do not collect precise location data.
We do not access your Kalshi account, balance, trades, or any other Kalshi-side data.

2. How We Use Information

We use the information we collect to:

Operate the Service (run scans, generate AI analysis, deliver alerts)
Process payments and grant credits
Send transactional email (signup confirmation, password resets, receipts)
Respond to support requests
Detect and prevent fraud, abuse, and security incidents
Comply with legal obligations
Improve the Service (in aggregate, non-identifying ways)

We do not sell your personal information. We do not share it with third parties for their marketing purposes.

3. Third-Party Service Providers (Sub-processors)

To operate the Service, we share necessary information with the following providers:

Provider	Purpose	What We Share
Stripe	Payment processing	Email, purchase amount, product purchased
Supabase	Authentication, database hosting	All account and usage data we store
Resend	Transactional email delivery	Email address, message content
Anthropic	AI analysis (Claude API)	Market data and prompts; NO personal account info is sent
DigitalOcean	Server hosting	Server-level data (logs, IP for routing)
Kalshi	Source of market data	None — we read public Kalshi API only; no user data sent

Each provider is contractually obligated to protect data and use it only to provide services to us. Their privacy policies govern their handling:

Stripe: https://stripe.com/privacy
Supabase: https://supabase.com/privacy
Resend: https://resend.com/legal/privacy-policy
Anthropic: https://www.anthropic.com/legal/privacy
DigitalOcean: https://www.digitalocean.com/legal/privacy-policy

We may add or change providers as the Service evolves. Material changes will be reflected in this policy.

4. AI Processing

PastullioBot's analysis is generated by Anthropic's Claude API. When you run a scan:

Public Kalshi market data is sent to Anthropic for analysis
No personal information about you is sent to Anthropic — not your email, not your account ID, not your payment history
Anthropic's data handling is governed by Anthropic's enterprise/API policies, which do not use API request data to train models by default

We log scan metadata (which categories you scanned, when, how many credits used) for billing and audit purposes, but the AI inputs/outputs themselves are not retained after the scan completes other than the resulting signals shown in your scan history.

5. Data Retention

Data Type	Retention Period
Active account information	While your account is active
Account information after deletion request	Anonymized within 30 days
Inactive accounts (24+ months no login)	Notified, then anonymized after 30-day grace
Scan history (detailed)	90 days
Scan history (aggregate stats)	Lifetime of account
Financial records (purchases, ledger, refunds)	7 years (IRS/tax compliance)
Server logs	30 days rolling
Email logs	Per Resend's retention policy

"Anonymized" means we remove personally identifying fields (email, name, telegram handle) but may retain a non-identifying record for audit, analytics, or legal compliance purposes.

6. Your Rights

Depending on where you live, you may have the following rights regarding your personal information:

All Users

Access: Request a copy of the information we hold about you.
Correction: Update inaccurate information via your account page or by contacting us.
Deletion: Request deletion of your account and personal information.
Export: Request a portable copy of your data.

To exercise any right, email hello@pastulliobot.com from the email address associated with your account. We will respond within 30 days, or sooner if required by law.

California Residents (CCPA/CPRA)

In addition to the above:

The right to know what personal information we collect, use, and share
The right to opt out of the "sale" or "sharing" of personal information (note: we do not sell or share personal information for cross-context behavioral advertising)
The right to non-discrimination for exercising your privacy rights

European/UK Residents (GDPR/UK GDPR)

In addition to the above:

Right to restrict processing
Right to object to processing
Right to lodge a complaint with your local data protection authority

Our legal basis for processing is primarily: - Contract (to provide the Service you signed up for) - Legitimate interest (security, fraud prevention, service improvement) - Consent (where you opt into specific features like Telegram alerts) - Legal obligation (financial record retention)

We do not transfer data outside the US, but our service providers (Stripe, Anthropic, Supabase, Resend, DigitalOcean) may. Where required, we rely on Standard Contractual Clauses or equivalent transfer mechanisms.

7. Security

We take reasonable technical and organizational measures to protect your information, including:

TLS/HTTPS encryption for all data in transit
Hashed (not plaintext) password storage via Supabase
Restricted access to production systems
Server-side environment variables for API keys (not client-exposed)
Regular security key rotation
Webhook signature verification for payment events

No system is completely secure. If we discover a breach affecting your personal information, we will notify you and applicable authorities as required by law.

8. Children's Privacy

The Service is not intended for anyone under 18. We do not knowingly collect information from minors. If we learn we have collected information from a minor, we will delete it promptly. If you believe a minor has provided us information, contact hello@pastulliobot.com.

9. International Users

The Service is operated from the United States. By using the Service, you consent to the transfer of your information to the US, which may have different data protection laws than your country of residence. For users in regions with stricter privacy laws (EU, UK, California), we apply protections required under those laws as described in Section 6.

10. Cookies and Tracking

We use a minimal authentication token stored in browser localStorage to keep you logged in. This is a functional necessity, not a tracking cookie.

We do not use: - Advertising cookies - Analytics cookies (no GA, Mixpanel, etc.) - Third-party tracking pixels - Cross-site tracking technologies

If our practices change, we will update this policy and seek consent where required.

11. Changes to This Policy

We may update this policy as the Service evolves. The "Last Updated" date reflects the most recent revision. Material changes will be communicated via email to your account address or via in-app notice at least 14 days before taking effect.

Continued use of the Service after changes constitutes acceptance.

12. Contact

Privacy questions, data requests, or complaints:

Email: hello@pastulliobot.com Operator: Christopher Maffeo, doing business as PastullioBot Mailing Address: Available on request to hello@pastulliobot.com

For unresolved privacy concerns, EU/UK users may contact their local data protection authority. California residents may contact the California Attorney General.