Privacy Policy
Effective Date: March 24, 2026
Katapult Media, Inc. ("Company," "we," "us," or "our") operates the Katalyst trading journal platform and related services (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.
Please read this Privacy Policy carefully. By using Katalyst, you consent to the practices described in this policy. If you do not agree with this policy, please do not use the Service.
1. Information We Collect
Personal Information
When you create an account or use our Service, we may collect:
- Account Information: Name, email address, and password (encrypted)
- Profile Information: Display name, avatar, and trading preferences set during onboarding
- Payment Information: When you subscribe to a paid plan, our payment processor (Stripe) collects billing details. We do not store credit card numbers on our servers.
Trading Data
To provide our core Service, we collect and store trading data that you import or enter:
- Trade Records: Instrument, entry/exit prices, dates, quantities, fees, and profit/loss
- Broker Import Data: CSV or API data imported from supported brokers (Interactive Brokers, Tastytrade, ThinkOrSwim, Schwab, Webull, Robinhood, and others)
- Journal Entries: Notes, tags, and reflections you attach to trades
- Group Activity: Posts, shared trades, files, and messages within trading groups you join
Broker Connection Credentials
If you choose to connect a broker account for automatic trade syncing, we collect and store:
- Broker Login Credentials: Username and password for your brokerage account (e.g., Rithmic). Your password is encrypted with AES-256 before storage and is never stored in plain text, included in API responses, or visible to Katalyst staff.
- Broker Account Identifiers: Account IDs, firm identifiers, and system names returned by the broker during authentication.
- Sync Metadata: Timestamps and status of trade synchronization events.
Providing broker credentials is entirely optional. You can always import trades via CSV file upload instead.
Usage Data
We automatically collect certain information when you use the Service:
- Device Information: Browser type, operating system, device type
- Log Data: IP address, access times, pages viewed, referring URL
- Usage Patterns: Features used, analytics viewed, import history, and interactions with the Service
Cookies and Tracking Technologies
We use cookies and similar technologies to:
- Maintain your session and keep you logged in
- Remember your preferences (theme, layout, sidebar state)
- Analyze usage patterns and improve the Service
- Provide security features (CSRF protection)
You can control cookies through your browser settings, but disabling essential cookies may affect Service functionality.
2. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, process trade imports, generate analytics, and power journaling features
- Process Payments: Manage subscriptions (Free, Pro, Platinum plans) through our payment processor
- Communicate: Send transactional emails (account verification, password resets, subscription confirmations)
- Improve the Service: Analyze usage patterns, fix bugs, develop new features and analytics
- Enable Group Features: Facilitate trading groups, shared trades, message boards, and collaborative features
- Security: Detect and prevent fraud, abuse, and security threats
- Legal Compliance: Comply with applicable laws, regulations, and legal processes
We do not sell your trading data. Your trade records, journal entries, and analytics are yours. We do not share, sell, or monetize your individual trading data with third parties for their marketing or trading purposes.
3. How We Share Your Information
We may share your information in the following circumstances:
Service Providers
We share information with third-party service providers who assist in operating the Service:
- Stripe: Payment and subscription processing
- Cloud Hosting: Data storage and infrastructure
- Email Services: Transactional email delivery
- Analytics: Usage analysis and improvement
- Broker APIs (e.g., Rithmic): When you connect a broker account, your credentials are transmitted directly to the broker's API servers over encrypted (TLS/WSS) connections to authenticate and retrieve your trade history. We act as an intermediary — your credentials are sent to the broker and nowhere else.
Trading Group Members
When you join a trading group, other members can see your:
- Display name and avatar
- Posts, comments, and shared content within the group
- Trades you explicitly share with the group
- Files you upload to the group
Your email address, private trade data, and personal analytics are not shared with group members unless you explicitly choose to share them.
Legal Requirements
We may disclose information if required by law, court order, or government request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
Government & Legal Data Requests
When we receive requests from government authorities or law enforcement for user data, we follow these principles:
- Legal Review: All government data requests are reviewed for legal validity before any disclosure
- Challenge Unlawful Requests: We may challenge requests that are overly broad, legally deficient, or otherwise inappropriate
- Data Minimization: When disclosure is legally required, we provide only the minimum information necessary
- User Notification: Unless legally prohibited, we will attempt to notify affected users of government requests for their data
Business Transfers
In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change.
Aggregated Data
We may share aggregated, anonymized data that cannot identify you for analytics and research purposes.
4. Data Security
We implement appropriate technical and organizational measures to protect your information:
- Encryption: Data transmitted to and from the Service is encrypted using TLS/SSL
- Password Security: Passwords are hashed using industry-standard algorithms and never stored in plain text
- Access Controls: Employee access to user data is limited and logged
- Secure Infrastructure: We use reputable cloud providers with strong security practices
- Trading Data Isolation: Your trading data is stored in a manner that prevents unauthorized access by other users
- Broker Credential Encryption: Broker passwords are encrypted with AES-256-GCM using a unique encryption key per deployment. Encrypted credentials are stored separately from the encryption key. Credentials are only decrypted in memory at the moment of broker authentication and are never written to logs or disk in decrypted form.
Breach Notification: In the event of a data breach affecting your personal information, we will notify you and relevant authorities as required by applicable law.
While we strive to protect your information, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.
5. Your Rights & Controls
You have the following rights regarding your personal information:
- Access: Request a copy of the personal data we hold about you
- Correction: Update or correct inaccurate information in your profile settings
- Deletion: Request deletion of your account and associated data, including all trade records and journal entries
- Data Export: Export your trading data in a portable format
- Marketing Opt-Out: Unsubscribe from marketing communications at any time
To exercise these rights, contact us at legal@katapultmedia.com. We will respond within 30 days.
6. Data Retention
We retain your information for as long as your account is active or as needed to provide the Service. Specifically:
- Account Data: Retained until you delete your account
- Trading Data: Retained until you delete your account or request removal
- Subscription Records: Retained for 7 years for legal and tax compliance
- Usage Logs: Retained for up to 12 months
- Backup Data: May persist in backups for up to 90 days after deletion
- Broker Credentials: Encrypted broker credentials are retained only while your broker connection is active. When you disconnect a broker, your credentials are permanently and immediately deleted from our database — not soft-deleted or retained in backups.
After account deletion, we may retain certain information as required by law or for legitimate business purposes (such as resolving disputes or enforcing our agreements).
7. Children's Privacy
Katalyst is not intended for children under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use the Service or provide any personal information.
If we learn that we have collected personal information from a child under 18, we will take steps to delete that information as soon as possible. If you believe we may have collected information from a child under 18, please contact us at legal@katapultmedia.com.
8. International Users
Katalyst is operated from the United States. If you access the Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States.
European Users (GDPR)
If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):
- Right to access, rectify, or erase your personal data
- Right to restrict or object to processing
- Right to data portability
- Right to withdraw consent at any time
- Right to lodge a complaint with a supervisory authority
Our legal basis for processing your data includes: performance of our contract with you, your consent, and our legitimate business interests.
California Users (CCPA)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):
- Right to know what personal information we collect and how it is used
- Right to delete your personal information
- Right to opt out of the sale of personal information (we do not sell your data)
- Right to non-discrimination for exercising your rights
To exercise your CCPA rights, contact us at legal@katapultmedia.com.
9. Third-Party Services
The Service may contain links to third-party websites or integrate with third-party services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies:
- Stripe: stripe.com/privacy
Broker API Connections: If you connect a broker account (such as Rithmic), we store your encrypted credentials and use them to connect to the broker's API on your behalf when you trigger a trade sync. Connections are short-lived — we connect, retrieve your trade data, and disconnect. We do not maintain persistent connections or monitor your account in real time. You can disconnect your broker at any time, which permanently deletes your stored credentials.
Rithmic: rithmic.com — Rithmic is a third-party trading technology provider. When you connect your Rithmic account, your credentials are transmitted to Rithmic's servers over encrypted WebSocket connections. Rithmic's own privacy policy and terms govern their handling of your data. We are not affiliated with Rithmic and do not control their services.
You may continue to import trades via CSV file upload without providing any broker credentials.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" at the top of this policy
- Post the updated policy on the Service
- Notify you via email or in-app notification for significant changes
Your continued use of the Service after changes are posted constitutes acceptance of the updated policy.
11. Contact Us
If you have questions about this Privacy Policy or our privacy practices, please contact us:
Privacy & Legal Inquiries: legal@katapultmedia.com
General Support: support@katapultmedia.com
By using Katalyst, you acknowledge that you have read and understand this Privacy Policy.