> ## ⚠️ DRAFT — NOT LEGAL ADVICE
>
> **This template must be reviewed and finalized by a qualified attorney before any
> real-money/public use.** It is a working draft only and does not yet constitute a
> binding policy. See also the [End User License Agreement](EULA.md) and the
> [Terms of Service](TERMS.md), which are likewise DRAFTs.

<!-- TODO(lawyer-review): Whole document is a DRAFT. Counsel must confirm applicable privacy laws (GDPR/UK GDPR/CCPA/CPRA and others), lawful bases, controller/processor roles, data-subject rights, retention, and any required Data Processing Agreement before publication. -->

# Privacy Policy

This is a working draft of the Privacy Policy for the CS2 Arbitrage Bot ("the Software") by
Practical Systems ("we", "us"). It is **not legal advice** and **must be reviewed by a
qualified attorney** before use.

## 1. Local-first by design

The Software is **local-first**. It runs on your machine, stores its data in a local SQLite
database on your device, and starts its backend as a child process bound to loopback (`127.0.0.1`). Your API keys,
Steam secrets, dashboard token, trade history, watchlists, license, and analytics **stay on
your device**. We do not collect or have access to them in the course of normal operation.
Secrets are read from your local, git-ignored `.env`; the desktop app stores the dashboard
token in your OS keychain, not in plaintext.

## 2. What we do NOT collect by default

By default the Software sends **no telemetry, analytics, or usage data** to us or any third
party. There is no account login required to use simulation. The Software does not transmit
your secrets, keys, or trade data off your device as part of its core function.

## 3. Opt-in error monitoring (telemetry), scrubbed

Error monitoring (Sentry) is **strictly opt-in and disabled by default**
(`SENTRY_ENABLED=false`). If — and only if — you enable it and provide a DSN, diagnostic error
events may be sent to your configured Sentry project. Before any event is sent, a `beforeSend`
scrubber **removes personally identifying and sensitive data**, including IP addresses, email
addresses, Steam IDs, API keys/tokens, webhook/bot-token URLs, and dollar amounts. You control
this entirely; leaving it off means no such data leaves your machine.

<!-- TODO(lawyer-review): Confirm Sentry processor terms, sub-processor disclosure, and that the scrubber's coverage is described accurately and not overstated. [LAWYER REVIEW REQUIRED] -->

## 4. Opt-in notifications

Notification channels (Discord, Telegram, email, desktop, ntfy) are **opt-in and off by
default**. If you enable a channel, the Software sends the notifications you configure to the
third-party service you chose (e.g. Discord, Telegram, your email provider, ntfy), using the
credentials you supply. That data is then handled under **that third party's** privacy policy,
not ours. We do not receive a copy.

## 5. Third-party marketplaces and APIs

When you connect a marketplace or price API (CSFloat, Steam, Skinport, DMarket, Buff163,
Bitskins, Waxpeer, CS.MONEY, Pricempire), the Software communicates directly from your machine
with **that service** using your credentials. Your interactions with those services are
governed by **their** privacy policies and terms, and you are responsible for reviewing them.

## 6. Payments and licensing

Purchases are handled by our **Merchant of Record, Polar**, for both the one-time perpetual
license and the monthly subscription (see the [EULA](EULA.md) for tiers). Payment and billing
data — and applicable VAT/sales tax — are processed by **Polar** under its own privacy policy;
we do not store your full payment details. A license issued to you is verified **offline** on
your device against a baked-in public key; the verify path makes no network call. The optional
`LICENSE_REVALIDATE_URL` re-check, if you configure one, is a soft, non-blocking call you
control.

<!-- TODO(lawyer-review): Confirm Polar's role (Merchant of Record / processor), the data it collects, any Data Processing Agreement, and required sub-processor disclosures. [LAWYER REVIEW REQUIRED] -->

[LAWYER REVIEW REQUIRED] — The data-processing relationship with Polar (and any required DPA
and sub-processor list) must be confirmed and disclosed accurately by counsel.

## 7. Data retention and deletion

Your local data persists on your device until you delete it. To remove it, delete the local
database (default `data/bot.sqlite` or the desktop app's user-data directory) and your `.env`.
Uninstalling the desktop app and clearing its user-data directory removes local app data. The
Ledger and any tax/cost-basis worksheet are likewise stored locally and removed the same way.

<!-- TODO(lawyer-review): Specify retention periods for any data processed by us or our processors (e.g. billing records held by Polar), and the mechanism for data-subject deletion/access requests. [LAWYER REVIEW REQUIRED] -->

## 8. Your rights and requests

Depending on your jurisdiction you may have rights to access, correct, delete, or port
personal data, and to object to or restrict certain processing. Because the Software is
local-first, most such data is already on your own device and under your control; requests
relating to data held by our payment processor (Polar) are subject to its policies.

<!-- TODO(lawyer-review): Enumerate the actual data-subject rights and a compliant request process for the relevant regimes (GDPR/UK GDPR/CCPA/CPRA, etc.); add contact and verification steps. [LAWYER REVIEW REQUIRED] -->

## 9. Children

The Software is not directed to children and should not be used by anyone under the age
required to trade in their jurisdiction.

## 10. Changes

We may update this policy; material changes will be communicated reasonably. Contact and
data-subject-request details will be specified following attorney review.

<!-- TODO(lawyer-review): Add the data controller's legal name/address, a privacy contact, the change-notification mechanism, and effective date. [LAWYER REVIEW REQUIRED] -->
