This Privacy Policy explains how PenuLak LLC (“we,” “us,” or “our”) collects, uses, and protects your personal information when you use the Opt² Options Income Tracker (“App”) at opt2.penulak.com and through the iOS and Android app stores.
1. Who We Are
PenuLak LLC is a California limited liability company building AI-powered software products, headquartered in Los Angeles, California. Data protection contact: hello@penulak.com · Los Angeles, California.
2. Data We Collect
2a. Data you provide directly
- Account information: email address, name, and authentication credentials (passwords are hashed via Base44’s built-in authentication and never stored in plain text)
- Financial goal data: income targets, deployed capital amounts, CSP/covered-call income split preferences
- Manually entered data: trades, holdings, watchlist tickers, and assignment candidates you choose to enter rather than import
2b. Brokerage account data (via SnapTrade read-only connection)
When you connect a brokerage account through SnapTrade’s read-only OAuth flow, we receive and store the following from SnapTrade and/or your brokerage:
- Account identifiers and institution names for your connected accounts;
- Account balances and currency;
- Equity positions and option positions (including quantity, strike, expiry, and cost basis);
- Transaction and activity history (option sells/buys, assignments, dividends, and related events).
This data powers automatic trade import, income classification, position tracking, performance analytics, the Trade Timeline, and the AI Roll Assistant.
2c. Data generated by your use of the App
- Usage analytics: screens viewed, features used, events (anonymized/aggregated via PostHog)
- Onboarding status, alert trigger/dismissal events, and timestamps
- Session and diagnostic data: device type, operating system, app version, crash reports
2d. Data we do NOT collect
- We do not collect or store your brokerage login credentials, passwords, or API keys — SnapTrade and your brokerage handle authentication
- We do not collect credit-card numbers (Stripe handles payment data directly)
- We do not have the ability to trade, move funds, or take any action in your brokerage accounts (our access is read-only)
- We do not collect government IDs, Social Security numbers, or tax information
3. Legal Basis for Processing (GDPR)
| Data category | Legal basis | Explanation |
|---|---|---|
| Account data (email, name) | Performance of contract | Necessary to create and maintain your account |
| Brokerage data via SnapTrade | Performance of contract | Core service functionality you request by connecting an account; cannot be provided without it |
| Goal and manually entered trade data | Performance of contract | Core tracking functionality |
| AI Roll Assistant processing | Consent + performance of contract | Position data sent to Anthropic only when you actively use the feature |
| Usage analytics | Legitimate interests | Improving the service. Opt out in Settings. |
| Crash reports | Legitimate interests | Fixing bugs and maintaining stability |
| Push notifications | Consent | Granted explicitly on device; revocable anytime |
| Marketing emails | Consent | Opt-in only; unsubscribe link in every email |
4. Third-Party Data Sharing (Sub-processors)
We share data with the following processors. We do not sell your data.
| Vendor | Data shared | Purpose |
|---|---|---|
| SnapTrade | Read-only brokerage data: account identifiers, balances, positions, activity. No login credentials are ever shared with us. | Brokerage connectivity & trade import |
| Base44 | All data you store or import (trades, holdings, goals, imported positions and activity, user credentials). Encrypted at rest (AES-256). | Platform backend: built-in database (NoSQL), authentication, hosting, and API infrastructure |
| Stripe | Email, subscription tier, billing country. Card data handled directly by Stripe; we never see card numbers. | Payment processing |
| Anthropic (Claude) | Open-position data and market marks for the position(s) you submit to the AI Roll Assistant. Sent only when you actively use the feature. | AI Roll Assistant output |
| PostHog | Anonymized usage events, device type, app version. No personally identifiable information in event data. | Product analytics & feature flags |
| Expo / EAS | Device push token; app version and build metadata. | Push notifications & app distribution |
| Apple / Google | App download, subscription, and crash data per their standard terms. | App Store distribution & billing |
We may also disclose data if required by law or to protect the rights, safety, or property of PenuLak LLC, our users, or others.
5. Data Retention
| Data type | Retention period | Basis |
|---|---|---|
| Account data | Duration of account + 30 days after deletion request | Contract performance |
| Imported brokerage data | Retained while connected; after disconnection, retained for the period needed to maintain historical analytics, then deleted | Contract / legitimate interests |
| Goal & manual trade data | Duration of account + 30 days after deletion | Contract performance |
| AI Roll Assistant inputs | Not retained by us beyond the request and stored result; Anthropic retention per their commercial terms | Consent |
| Usage analytics (PostHog) | 12 months rolling | Legitimate interests |
| Crash reports | 90 days | Legitimate interests |
| Payment records (Stripe) | 7 years | Legal obligation (tax/financial records) |
| Push notification tokens | Until revoked or account deleted | Consent |
| Encrypted backups | Up to 90 days after deletion request | Legitimate interests |
6. Your Rights
For all users
- Access: request a copy of all personal data we hold about you.
- Export: download your data as CSV at any time from Settings → Account → Export Data. Free on all plans.
- Correction: correct inaccurate data via the App or by contacting us.
- Deletion: delete your account and associated data from Settings → Account → Delete Account. Processed within 30 days.
- Disconnect brokerage: disconnect any connected account at any time in the App or through SnapTrade; we stop requesting new data immediately.
For EU/EEA users (GDPR)
- Data portability, restriction of processing, objection to legitimate-interests processing, withdrawal of consent, and the right to lodge a complaint with your national data protection authority (e.g., ICO in the UK, CNIL in France).
For California users (CCPA/CPRA)
- The rights to know, delete, and correct, and the right to opt out of “sale” or “sharing.” We do not sell or share personal information as defined under California law.
To exercise any of these rights, email hello@penulak.com; we respond within 45 days (CCPA) or 30 days (GDPR).
7. Data Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted in Base44’s built-in NoSQL database (AES-256).
- Authentication uses Base44’s built-in auth service with hashed passwords; passwords are never stored in plain text.
- Row-level security (RLS) is enforced so each user can access only their own data.
- Brokerage credentials are never transmitted to or stored by us — SnapTrade handles all brokerage authentication.
In the event of a data breach that creates a high risk to your rights and freedoms, we will notify you and the relevant supervisory authorities as required by applicable law.
8. Cookies and Tracking (Web / PWA)
- Essential cookies: session management (required for login). Cannot be disabled.
- Analytics cookies (PostHog): anonymized usage data. You may opt out via the in-app cookie consent banner or Settings.
We do not use advertising cookies, cross-site tracking cookies, or third-party ad networks.
9. Children’s Privacy
The App is not directed to persons under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have done so, contact us and we will delete it promptly.
10. International Data Transfers
Our services are hosted primarily in the United States (Base44, Stripe, Anthropic). If you are in the EU/EEA and your data is transferred to the US, we rely on Standard Contractual Clauses (SCCs) and our vendor Data Processing Agreements as the appropriate safeguard. Contact us if you would like more information about the safeguards in place.
11. Changes to This Policy
We will notify you of material changes via in-app notification or email at least 30 days before they take effect. The “Last updated” date above will reflect the current version.
12. Contact Us
PenuLak LLC · hello@penulak.com · Los Angeles, California