Privacy Policy
This Privacy Policy describes how Bot for Kalshi ("we," "us," "our") collects, uses, and shares information when you use our website and Service at botforkalshi.com. By using the Service you agree to the practices described here. If you do not agree, do not use the Service.
1. Who we are
Bot for Kalshi is an independent software service that provides automated trading tools for the Kalshi prediction-market platform. For purposes of EU/UK GDPR, we act as the data controller for the information described in this Policy. We are not affiliated with Kalshi Inc.
2. What we collect
Information you provide
- Account information. Email address, password (stored only as a salted hash; we never see your plaintext password).
- Kalshi API credentials. Your Kalshi API key and key ID, used to execute bots you configure. Stored encrypted at rest using AES-256-GCM. You can remove your key at any time from your account settings.
- Billing information. Stripe handles your payment method (card number, expiry, CVC, billing address). We receive only a Stripe customer ID, the last four digits of the card, the card brand, your subscription status, and invoice metadata — we do not store full card numbers on our servers.
- Bot configurations. Strategies, signals, parameters, and limits you set for your bots.
- Support communications. If you contact us, we keep a record of the conversation (subject, body, timestamps) so we can resolve the issue and reference prior context.
Information we generate or collect automatically
- Trade activity. Orders placed and filled by your bots through Kalshi, including market, side, quantity, price, fees, and resulting P&L. This is necessary to render your dashboard, charts, and performance pages.
- Server logs. IP address, user agent, request path, timestamp, and response status. We use these for security, abuse prevention, debugging, and operational analytics. Retained as described in Section 9.
- In-app analytics events. First-party events such as pageview, CTA click, pricing-section impression, sticky-CTA impression, email-field focus, and similar interaction signals. Stored in our own database — we do not use third-party advertising trackers.
- Cookies. A session cookie (to keep you logged in) and a CSRF cookie (security). See Section 7.
Information from third parties
- Stripe. Subscription status, invoice events, and (where you authorize it) a customer portal session.
- Kalshi. Trade fills, market data, and account information your API key is scoped to read.
- Resend. Email delivery status (delivered, bounced, complained, opened, clicked) for emails we send you.
3. How we use it
- Provide, operate, and maintain the Service (run your bots, render your dashboard, calculate P&L);
- Process payments and manage your subscription;
- Send you transactional emails (signup, billing, security, support replies, bot-state alerts you opted into);
- Send marketing emails when you have opted in, with an unsubscribe link in every message;
- Provide customer support and respond to your requests;
- Detect, investigate, and prevent fraud, abuse, security incidents, and violations of our Terms;
- Comply with legal obligations, respond to lawful requests, and enforce our Terms;
- Improve the Service — in aggregate, anonymized, or de-identified form — including by analyzing usage patterns to guide product decisions.
We do not train AI models on your personal information or on Your Content for the benefit of unrelated third parties. If we add features that use AI on your data to provide a feature to you (for example, suggesting signals based on your inputs), we will describe it in-app at the point of use.
4. Legal bases (EU/UK users)
Where GDPR or UK-GDPR applies, our legal bases are:
- Performance of a contract — to provide the Service you subscribed to;
- Legitimate interests — security, fraud prevention, service improvement, business operations, and limited direct marketing to existing customers, in each case balanced against your rights;
- Consent — for marketing emails to non-customers and for any optional features that ask you to opt in;
- Legal obligation — to comply with tax, accounting, and law-enforcement obligations.
5. When we share data
We share information only as follows:
- Subprocessors. Vendors that help us run the Service, listed in Section 6, each under a written contract that restricts their use of your information.
- Kalshi. When your bot executes a trade, we transmit the order to Kalshi using your API key. This is the entire point of the Service.
- Legal & safety. When we believe in good faith that disclosure is required by law, court order, or government request, or is reasonably necessary to protect the rights, property, or safety of any person, to investigate suspected fraud or abuse, or to enforce our Terms.
- Business transfers. If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you (by email and/or in-app notice) before your information becomes subject to a materially different privacy policy.
- With your consent. For any other sharing, we will ask you first.
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
6. Subprocessors
We use the following third-party service providers ("subprocessors") to run the Service. Each is contractually bound to handle your data only on our instructions and to maintain appropriate security.
| Provider | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Stripe | Payment processing & subscription billing | Name, email, payment method, billing address | stripe.com/privacy |
| Resend | Transactional & marketing email delivery | Email address, message contents, delivery events | resend.com/privacy |
| Supabase | Managed Postgres database hosting | All application data stored at rest | supabase.com/privacy |
| Railway | Application hosting & background jobs | All data processed in memory and in transit by the application | railway.app/privacy |
| Cloudflare | DNS, DDoS protection, edge security | IP address, request metadata | cloudflare.com/privacypolicy |
| Fastly | CDN & edge caching | IP address, request metadata | fastly.com/privacy |
| Kalshi | Prediction-market exchange (data destination, not a typical subprocessor) | API key, order parameters you have configured | kalshi.com/privacy-policy |
We may add or change subprocessors as the Service evolves. We will update this list when we do, and material additions will be reflected in the "Effective date" above.
7. Cookies & analytics
We use a small number of first-party cookies that are strictly necessary for the Service to function:
- Session cookie — keeps you logged in. Deleted when you sign out or when your session expires.
- CSRF cookie — protects against cross-site request forgery on forms.
We do not use third-party advertising cookies, ad-network pixels, or cross-site tracking. Our in-app analytics are first-party and stored only in our own database; they record events such as which pages were viewed, which CTAs were clicked, and which features were used, associated with your account if you are signed in or with an anonymous visitor ID if you are not.
8. Email communications
We send three categories of email:
- Transactional — signup, billing receipts, security alerts, password resets, support replies, and bot-state alerts you have configured. These are necessary for the Service and cannot be unsubscribed from while your account is active.
- Drip / onboarding — a short series of guidance emails after signup. Each contains an unsubscribe link.
- Marketing — product updates and occasional promotions. We send these only to users who have opted in or who are existing customers. Every marketing email contains an unsubscribe link and a "marketing-only unsubscribe" option that preserves transactional email.
You can manage your preferences at /emails/preferences (signed-in) or via the link in any email we send.
9. Data retention
- Account data. Kept while your account is active and for 30 days after cancellation, after which we delete or anonymize account-identifying records, except as noted below.
- Encrypted API keys. Deleted immediately when you delete the key or when your account is terminated.
- Trade and billing records. Retained for up to 7 years to satisfy U.S. tax, accounting, and recordkeeping obligations.
- Server logs. Typically 30–90 days for operational use; longer where retained for security investigation.
- Support communications. Retained for up to 3 years after the last interaction.
- Backups. Encrypted backups may retain data for up to 35 days after deletion before they roll off.
You can request earlier deletion as described in Section 11.
10. Security
We take reasonable technical and organizational measures to protect your information, including:
- TLS in transit for all connections;
- AES-256-GCM encryption at rest for Kalshi API keys;
- Salted password hashing — we never store plaintext passwords;
- Principle-of-least-privilege access controls for our systems and team;
- Logging and monitoring of administrative actions;
- Vendor due diligence for subprocessors that handle your data.
No system is perfectly secure. If we become aware of a breach affecting your personal information, we will notify affected users without undue delay and, where required by law, within the timeframe set by that law.
11. Your rights (all users)
Regardless of where you live, you may:
- Access the personal information we hold about you;
- Correct information that is inaccurate;
- Delete your account and associated personal information, subject to retention required by law (Section 9);
- Export a copy of your account data in a portable format;
- Unsubscribe from marketing email at any time.
To exercise any right, email support@botforkalshi.com from the email address on your account. We will respond within 30 days. We may need to verify your identity before acting.
12. California residents (CCPA/CPRA)
If you are a California resident, you have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- Right to know. The categories of personal information we collect, the sources, the purposes, and the categories of recipients are described in Sections 2, 3, 5, and 6.
- Right to delete personal information we hold about you, subject to legal exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing. We do not sell your personal information and we do not share it for cross-context behavioral advertising. Because we do not engage in either activity, there is no opt-out to exercise — but we honor Global Privacy Control signals if your browser sends them.
- Right to limit use of sensitive personal information. The only "sensitive" data category we collect is account log-in credentials, which we use solely to provide the Service. We do not use sensitive personal information for inferring characteristics about you.
- Right to non-discrimination for exercising any of these rights.
- Authorized agent. You may designate an authorized agent to submit a request on your behalf; we will require written authorization and may verify your identity.
To exercise California rights, email support@botforkalshi.com with subject "California Privacy Request."
Categories of personal information collected (last 12 months)
- Identifiers (email, IP address, user ID);
- Customer-records information (billing address via Stripe);
- Commercial information (subscription status, transactions);
- Internet/network activity (server logs, in-app events);
- Inferences (limited — e.g., engagement scoring for product analytics);
- Sensitive personal information: account log-in credentials.
We have not sold or shared (as those terms are defined under California law) any personal information in the last 12 months.
13. EU/UK residents (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, you have the rights described in Section 11 plus the right to: (a) restrict processing; (b) object to processing based on legitimate interests; (c) withdraw consent where processing is based on consent; and (d) lodge a complaint with your local supervisory authority. We are the data controller. Our legal bases are described in Section 4.
14. Children
The Service is intended for adults age 18 and over. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, please contact us and we will delete it.
15. International data transfers
We operate primarily from the United States, and our subprocessors may process data in the United States or other countries. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have data-protection laws that differ from those of your country. Where required for EU/UK transfers, we rely on Standard Contractual Clauses or other lawful mechanisms.
16. Changes to this Policy
We may update this Policy as the Service evolves. If we make a material change, we will notify you by email and/or by posting an in-app notice before the change takes effect. The "Effective date" at the top reflects the latest version. Your continued use of the Service after that date constitutes acceptance of the updated Policy.
17. Contact
Questions, requests, or complaints about this Policy or our handling of your information? Email support@botforkalshi.com. We respond to all privacy requests within 30 days.