Skip to content
Bot for Kalshi logo Bot for Kalshi
Blog Start building

Privacy Policy

Effective date: 2026-07-10  ·  Version: 3.0

This Privacy Policy describes how Bot for Kalshi ("we," "us," "our") collects, uses, and shares information when you use our website and Service at botforkalshi.com. By using the Service you agree to the practices described here. If you do not agree, do not use the Service.

The short version. We collect what we need to run a paid trading-bot service for you — your email, your Kalshi API key (encrypted), billing details handled by Stripe, what your bots do, and the prompts and chats you submit to the AI-assisted builder. We use service providers, including Anthropic, to operate those features. When advertising measurement is enabled, Meta and Google may receive the limited event and identifier data described below. We do not sell your personal information. You can ask us to delete your account at any time by emailing support@botforkalshi.com.

Contents

  1. Who we are
  2. What we collect
  3. How we use it
  4. Legal bases (EU/UK users)
  5. When we share data
  6. Service providers & measurement partners
  7. Cookies & analytics
  8. Email communications
  9. Data retention
  10. Security
  11. Your rights
  12. California (CCPA/CPRA)
  13. EU/UK (GDPR)
  14. Children
  15. International transfers
  16. Changes
  17. Contact

1. Who we are

Bot for Kalshi is an independent software service that provides automated trading tools for the Kalshi prediction-market platform. For purposes of EU/UK GDPR, we act as the data controller for the information described in this Policy. We are not affiliated with Kalshi Inc.

2. What we collect

Information you provide

  • Account information. Email address, password (stored only as a salted hash; we never see your plaintext password).
  • Kalshi API credentials. Your Kalshi API key and key ID, used to execute bots you configure. Stored encrypted at rest using envelope encryption; never stored in plaintext. You can remove your key at any time from your account settings.
  • Billing information. Stripe handles your payment method (card number, expiry, CVC, billing address). We receive only a Stripe customer ID, the last four digits of the card, the card brand, your subscription status, and invoice metadata — we do not store full card numbers on our servers.
  • Bot configurations. Strategies, signals, parameters, and limits you set for your bots.
  • Builder prompts and chats. The instructions, follow-up messages, and feedback you submit to the live demo or signed-in bot builder, plus the generated response and relevant bot or market context needed to continue the conversation. Demo chats may be reviewed by our team to improve quality and safety. Do not put passwords, payment-card details, or raw Kalshi API secrets in a builder prompt.
  • Support communications. If you contact us, we keep a record of the conversation (subject, body, timestamps) so we can resolve the issue and reference prior context.

Information we generate or collect automatically

  • Trade activity. Orders placed and filled by your bots through Kalshi, including market, side, quantity, price, fees, and resulting P&L. This is necessary to render your dashboard, charts, and performance pages.
  • Server logs. IP address, user agent, request path, timestamp, and response status. We use these for security, abuse prevention, debugging, and operational analytics. Retained as described in Section 9.
  • In-app analytics and attribution events. First-party events such as pageview, CTA click, pricing-section impression, email-field focus, demo or checkout progress, referral and campaign parameters, and advertising click identifiers such as gclid or fbclid. These events are stored in our database. When the optional advertising integrations described in Section 7 are enabled, selected events are also sent to Meta or Google.
  • AI usage metadata. Model name, request and response timing, token or usage counts, error status, and the account, bot, or anonymous conversation associated with a builder request. We use this to enforce plan limits, debug failures, and monitor service quality.
  • Cookies and similar identifiers. Session and security cookies, a first-party analytics visitor identifier, referral attribution cookies, and — when Meta or Google measurement is enabled — advertising measurement cookies or identifiers. See Section 7.

Information from third parties

  • Stripe. Subscription status, invoice events, and (where you authorize it) a customer portal session.
  • Kalshi. Trade fills, market data, and account information your API key is scoped to read.
  • Resend. Email delivery status (delivered, bounced, complained, opened, clicked) for emails we send you.
  • Anthropic. AI-generated responses and tool instructions returned when you use the builder.

3. How we use it

  • Provide, operate, and maintain the Service (run your bots, render your dashboard, calculate P&L);
  • Process payments and manage your subscription;
  • Send builder prompts and relevant conversation or bot context to Anthropic so it can generate the response or bot changes you requested;
  • Send you transactional emails (signup, billing, security, support replies, bot-state alerts you opted into);
  • Send marketing emails when you have opted in, with an unsubscribe link in every message;
  • Provide customer support and respond to your requests;
  • Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms;
  • Comply with legal obligations, respond to lawful requests, and enforce our Terms;
  • Improve the Service — in aggregate, anonymized, or de-identified form — including by analyzing usage patterns to guide product decisions.
  • Measure marketing and checkout performance, attribute conversions, and optimize advertising campaigns when the optional Meta or Google measurement integrations are enabled.

We do not train our own general-purpose AI model on your personal information or sell your prompts as training data. Anthropic processes the prompt, relevant conversation context, and generated output to provide the AI-assisted feature you requested, subject to Anthropic's terms and privacy policy. We may review stored demo or builder conversations internally to improve product quality, safety, and reliability.

4. Legal bases (EU/UK users)

Where GDPR or UK-GDPR applies, our legal bases are:

  • Performance of a contract — to provide the Service you subscribed to;
  • Legitimate interests — security, fraud prevention, service improvement, business operations, and limited direct marketing to existing customers, in each case balanced against your rights;
  • Consent — for marketing emails to non-customers and for any optional features that ask you to opt in;
  • Legal obligation — to comply with tax, accounting, and law-enforcement obligations.

5. When we share data

We share information only as follows:

  • Service providers and measurement partners. Third parties that help us run the Service or, when enabled, measure advertising, as listed in Section 6 and subject to applicable contracts and provider terms.
  • Kalshi. When your bot executes a trade, we transmit the order to Kalshi using your API key. This is the entire point of the Service.
  • Legal & safety. When we believe in good faith that disclosure is required by law, court order, or government request, or is reasonably necessary to protect the rights, property, or safety of any person, to investigate suspected fraud or abuse, or to enforce our Terms.
  • Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email and/or in-app notice) before your information becomes subject to a materially different privacy policy.
  • With your consent. For any other sharing, we will ask you first.

We do not sell your personal information. We may disclose limited identifiers, internet activity, and conversion events to Meta and Google for advertising measurement and campaign optimization when those integrations are enabled. Some state privacy laws may define that disclosure as “sharing” or targeted advertising even though we do not receive money for the data. See Sections 7 and 12 for details and choices.

6. Service providers and measurement partners

We use the following third parties to run the Service and, when enabled, measure advertising. Some act as processors on our instructions; others, including advertising platforms, may also process data under their own terms and privacy policies.

ProviderPurposeData sharedPrivacy policy
Anthropic Generative AI processing for the builder and bot instructions Builder prompt, relevant conversation and bot/market context, generated response, and usage metadata; not payment-card details anthropic.com/legal/privacy
Stripe Payment processing & subscription billing Name, email, payment method, billing address stripe.com/privacy
Resend Transactional & marketing email delivery Email address, message contents, delivery events resend.com/privacy
Supabase Managed Postgres database hosting All application data stored at rest supabase.com/privacy
Railway Application hosting & background jobs All data processed in memory and in transit by the application railway.app/privacy
Cloudflare DNS, DDoS protection, edge security IP address, request metadata cloudflare.com/privacypolicy
Fastly CDN & edge caching IP address, request metadata fastly.com/privacy
Meta Optional advertising measurement via Meta Pixel and Conversions API Page and conversion events, page URL, IP address, user agent, Meta click/browser identifiers, plan and purchase value; email is SHA-256 hashed before a server-side purchase event is sent facebook.com/privacy/policy
Google Optional Google Ads purchase conversion and enhanced-conversion measurement Purchase event and value, advertising click/cookie data, and SHA-256-hashed email when enhanced conversions are enabled policies.google.com/privacy
Kalshi Prediction-market exchange and data destination API key, order parameters you have configured kalshi.com/privacy-policy

We may add or change service providers or measurement partners as the Service evolves. We will update this list when we do, and material additions will be reflected in the "Effective date" above.

7. Cookies & analytics

We use first-party cookies and similar identifiers for the Service, security, analytics, and attribution:

  • Session cookie — keeps you logged in. Deleted when you sign out or when your session expires.
  • Security and preference data — protects forms and remembers limited product or experiment state.
  • First-party analytics and attribution identifiers — connect page, demo, referral, email, and checkout activity to an anonymous browser or signed-in account so we can understand the funnel and prevent duplicate attribution.

Meta measurement (conditional). When configured, the Meta Pixel loads on site pages and sends PageView and selected funnel events such as ViewContent, AddToCart, and Purchase to Meta. The pixel may set or read Meta browser and click identifiers (including _fbp and _fbc) and receive the page URL, IP address, user agent, and event details. For a verified purchase, we may also send a matching server-side Conversions API event containing the same event ID for deduplication, purchase details, IP address, user agent, Meta identifiers, and a normalized email hashed with SHA-256.

Google Ads measurement (conditional). On a verified post-checkout success page, and only when configured, Google Ads conversion code sends the purchase event, value, advertising click/cookie data available to Google, and a normalized email hashed with SHA-256 for enhanced-conversion matching.

These advertising integrations are configuration-gated and may not be active at all times. Our own product analytics remain first-party and are stored in our database. Browser privacy settings, content blockers, and supported opt-out signals may limit client-side measurement; a server-side purchase event may still be sent where legally permitted. To request that we stop using your information for targeted-advertising or advertising-sharing purposes, email support@botforkalshi.com.

8. Email communications

We send three categories of email:

  • Transactional — signup, billing receipts, security alerts, password resets, support replies, and bot-state alerts you have configured. These are necessary for the Service and cannot be unsubscribed from while your account is active.
  • Drip / onboarding — a short series of guidance emails after signup. Each contains an unsubscribe link.
  • Marketing — product updates and occasional promotions. We send these only to users who have opted in or who are existing customers. Every marketing email contains an unsubscribe link and a "marketing-only unsubscribe" option that preserves transactional email.

You can manage your preferences at /emails/preferences (signed-in) or via the link in any email we send.

9. Data retention

  • Account data. Kept while your account is active and for 30 days after cancellation, after which we delete or anonymize account-identifying records, except as noted below.
  • Encrypted API keys. Deleted immediately when you delete the key or when your account is terminated.
  • Trade and billing records. Retained for up to 7 years to satisfy U.S. tax, accounting, and recordkeeping obligations.
  • Server logs. Typically 30–90 days for operational use; longer where retained for security investigation.
  • Support communications. Retained for up to 3 years after the last interaction.
  • Builder and demo conversations. Retained as part of the related bot or account, or for as long as reasonably needed for product quality, abuse prevention, and support. You may request deletion; we may retain de-identified quality or safety records and records required by law.
  • Advertising measurement events. Retained according to our account settings and the applicable Meta or Google retention controls; our first-party attribution records follow the account and log retention rules above.
  • Backups. Encrypted backups may retain data for up to 35 days after deletion before they roll off.

You can request earlier deletion as described in Section 11.

10. Security

We take reasonable technical and organizational measures to protect your information, including:

  • TLS in transit for all connections;
  • Envelope encryption at rest for Kalshi API keys — keys are never stored in plaintext;
  • Salted password hashing — we never store plaintext passwords;
  • Principle-of-least-privilege access controls for our systems and team;
  • Logging and monitoring of administrative actions;
  • Vendor due diligence for service providers that handle your data.

No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users without undue delay and, where required by law, within the timeframe set by that law.

11. Your rights (all users)

Regardless of where you live, you may:

  • Access the personal information we hold about you;
  • Correct information that is inaccurate;
  • Delete your account and associated personal information, subject to retention required by law (Section 9);
  • Export a copy of your account data in a portable format;
  • Unsubscribe from marketing email at any time.

To exercise any right, email support@botforkalshi.com from the email address on your account. We will respond within 30 days. We may need to verify your identity before acting.

12. California residents (CCPA/CPRA)

If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to know. The categories of personal information we collect, the sources, the purposes, and the categories of recipients are described in Sections 2, 3, 5, and 6.
  • Right to delete personal information we hold about you, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of sale, sharing, or targeted advertising. We do not sell personal information. The optional Meta and Google measurement disclosures described in Section 7 may be treated as “sharing” or targeted advertising under some state laws. You may opt out by emailing support@botforkalshi.com with the subject “Advertising Privacy Opt-Out.” We will not discriminate against you for exercising this right.
  • Right to limit use of sensitive personal information. Account log-in credentials and Kalshi API credentials are used to secure and provide the Service, not to infer characteristics about you.
  • Right to non-discrimination for exercising any of these rights.
  • Authorized agent. You may designate an authorized agent to submit a request on your behalf; we will require written authorization and may verify your identity.

To exercise California rights, email support@botforkalshi.com with subject "California Privacy Request."

Categories of personal information collected (last 12 months)

  • Identifiers (email, IP address, user ID);
  • Customer-records information (billing address via Stripe);
  • Commercial information (subscription status, transactions);
  • Internet/network activity (server logs, in-app events);
  • Electronic communications and user content (builder prompts, chats, bot configurations, and support messages);
  • Inferences (limited — e.g., engagement scoring for product analytics);
  • Sensitive personal information: account log-in credentials and Kalshi API credentials.

We have not sold personal information in the last 12 months. We have disclosed identifiers, internet/network activity, and commercial event data to the advertising-measurement recipients described in Section 7 when those integrations were enabled. Depending on the circumstances, California law may treat those disclosures as “sharing.”

13. EU/UK residents (GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 11 plus the right to: (a) restrict processing; (b) object to processing based on legitimate interests; (c) withdraw consent where processing is based on consent; and (d) lodge a complaint with your local supervisory authority. We are the data controller. Our legal bases are described in Section 4.

14. Children

The Service is intended for adults age 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.

15. International data transfers

We operate primarily from the United States, and our service providers or measurement partners may process data in the United States or other countries. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those of your country. Where required for EU/UK transfers, we rely on Standard Contractual Clauses or other lawful mechanisms.

16. Changes to this Policy

We may update this Policy as the Service evolves. If we make a material change, we will notify you by email and/or by posting an in-app notice before the change takes effect. The "Effective date" at the top reflects the latest version. Your continued use of the Service after that date constitutes acceptance of the updated Policy.

17. Contact

Questions, requests, or complaints about this Policy or our handling of your information? Email support@botforkalshi.com. We respond to all privacy requests within 30 days.

See also our Terms of Service · Affiliate Program Terms · Affiliate Privacy Notice.

© 2026 botforkalshi.com.  Terms · Privacy · Affiliate Terms · Affiliate Privacy · Support

Trading prediction market contracts involves risk. Past performance does not guarantee future results.