Vrelum

Legal · Privacy Policy

Privacy Policy

Vrelum is operated by Plovum Co. We respect your privacy and aim for transparent data practices. This Policy explains what data we collect, why, who we share it with, and what rights you have.

Last updated · 2026-05-22

§ 1

Data we collect

When you create an account

  • Email address.
  • Display name (if provided).
  • Password — hashed with bcrypt; we never see plaintext.
  • OAuth identifiers if you sign in via Google or GitHub.

When you connect a broker account

  • Broker name (e.g. Pepperstone).
  • Account login ID (numeric; not the password).
  • API keys for trading (encrypted at rest with AES-256).
  • Account balance and equity, polled read-only.

Automatically collected

  • IP address — for security, rate-limiting, and analytics.
  • Browser type and operating system.
  • Page views and session duration.
  • Referrer URL.
  • Cookie identifiers (anonymous unless logged in).

What we do not collect

  • Browser fingerprinting beyond standard analytics.
  • Third-party advertising tracking pixels.
  • Behavioural profiles for ad targeting (we do not sell ads).
§ 2

How we use your data

Service delivery

  • Authenticate you across sessions.
  • Execute trades on your behalf via your connected broker.
  • Send transactional emails (welcome, password reset, trade alerts).
  • Track subscription status.

Improvement

  • Aggregate analytics on which features are used.
  • Performance monitoring and error tracking.
  • A/B testing for UI improvements (anonymised).

Communications

  • Transactional emails — always.
  • Product updates and audit reports — opt-out at any time.
  • Marketing emails — opt-in only.

We do not sell your data to third parties, share your individual trading activity outside aggregate statistics, or use your data for ad targeting.

§ 3

Third parties we share data with

Service providers (under data processing agreements)

  • Vercel — hosting infrastructure.
  • Neon — managed PostgreSQL database.
  • Resend — transactional email delivery.
  • Stripe — payment processing (we never see full card numbers).
  • Sentry — error tracking.
  • Cloudflare — DDoS protection and content delivery.

Required by law

Court orders, subpoenas, or regulatory requests. We will notify you unless legally prohibited from doing so.

Business transfers

If Plovum Co. is acquired or merged, your data may transfer to the acquiring entity subject to this Policy.

§ 4

Cookies

  • Essential cookies — authentication and session management. Always on.
  • Analytics cookies — Vercel Analytics, privacy-respecting, no personal data.
  • Preference cookies — theme and language selection.
  • No tracking cookies. We do not use Google Analytics, Facebook Pixel, or similar.

You can disable cookies in your browser, but core functionality may be impaired.

§ 5

Data retention

  • Active accounts — data retained while the account is active.
  • Trading history — retained for 7 years for regulatory compliance.
  • Closed accounts — deleted after 90 days, except where legal hold applies.
  • Audit data — aggregated and anonymised; retained indefinitely for methodology purposes.
  • Marketing list — unsubscribes are honoured immediately; metadata retained 30 days.
§ 6

Your rights

Under PDPA (Thailand), GDPR (EU), CCPA (California), and similar laws, you may:

  • Access your data — request a copy.
  • Correct inaccurate data.
  • Delete your data, subject to legal retention requirements.
  • Port your data to another service.
  • Object to certain processing.
  • Withdraw consent for marketing communications.

Email privacy@vrelum.com to exercise these rights. We respond within 30 days.

§ 7

International data transfers

Vrelum servers may be located in:

  • Singapore — primary bot infrastructure (Contabo VPS).
  • United States — marketing site (Vercel).
  • EU — database (Neon region selectable).

We use Standard Contractual Clauses for transfers from EU to non-EU jurisdictions.

§ 8

Children's privacy

Vrelum is not directed at users under 18. We do not knowingly collect data from minors. If we learn that a minor has provided us data, we will delete it promptly.

§ 9

Security

We protect your data with:

  • TLS encryption in transit (HTTPS everywhere).
  • Encryption at rest for sensitive fields including API keys and password hashes.
  • Bcrypt password hashing.
  • Rate-limiting and DDoS protection.
  • Regular security audits.
  • Principle of least privilege for staff access.
  • 2FA on critical infrastructure.

No system is 100% secure. We will notify affected users of any breach within 72 hours per applicable regulations.

§ 10

Changes to this policy

We may update this Policy from time to time. Material changes are communicated by email and posted here. Continued use of the Service after changes constitutes acceptance.

§ 11

Contact

Privacy questions or rights requests: privacy@vrelum.com

General questions: support@vrelum.com

Back to vrelum.com© Plovum Co · 2026-05-22