Privacy Policy
Effective date: 2026-07-17 Version: v1
This Privacy Policy explains how Longtail Studios, LLC ("we", "us") handles information in connection with the kestrel.markets Platform. It is written to be consistent with the Platform's core design: impersonal by default, anonymous trial, no signup.
1. Our privacy posture
- Anonymous by default. Running free simulations and viewing proofs requires **no
account and no personal data**. Trial use is impersonal.
- We collect the minimum. We collect personal data only when you take an action
that requires it — principally completing a payment.
- Derived, not raw. We never share raw licensed market data; that is a licensing
and data-firewall matter, separate from your personal data.
- First-party only. We use no third-party analytics vendor and set no third-party
cookies. Our analytics run on our own infrastructure and never follow you across other sites.
- We honor Do Not Track. If your browser sends
DNT: 1(Do Not Track) or
Sec-GPC: 1 (Global Privacy Control), we set no analytics cookie and record no analytics event for you.
2. Information we collect
- Usage & technical data: request metadata and coarse telemetry needed to operate,
secure, and rate-limit the Platform. Your IP address is processed transiently at the edge to serve, secure, and rate-limit your request; we do not store it.
- Analytics events: we record how the Platform is used — pages viewed, docs read,
simulations run — so we can improve it. Each event carries coarse, IP-derived signals only: your network's ASN, country, and region. We never store your raw IP address, city, postal code, coordinates, user agent, or the contents of what you run. Your first-party visitor_id cookie is recorded only as a one-way hash, never in the clear, and the query strings and referrer URLs that could carry identifiers are reduced to a coarse path and a referrer host before storage. Analytics events are retained for 180 days, after which they are automatically deleted. If you send DNT: 1 or Sec-GPC: 1, none of this is recorded at all.
- Payment data: when you claim and fund an Offer, our payment processor (currently
Stripe) collects and processes your payment details. We do not store full card numbers. We retain a payment reference, amount, and Offer/Operation id to deliver the purchased work and for tax/accounting records.
- Communications: if you contact legal@kestrel.markets, we keep your message.
We do not sell your personal data.
3. How we use information
To operate, secure, and improve the Platform; to process payments and deliver purchased work; to issue and verify certified proofs and receipts; to comply with legal, tax, and accounting obligations; and to prevent fraud and abuse.
"Improve" is bounded by the data-rights rule in the Terms of Service ("Traces, model training, and data rights"): operational traces of anonymous/free-tier usage are licensed to us for model training and evaluation (they are not published); traces of paid work are 100% proprietary to the customer and are never used to train, fine-tune, or evaluate any model.
4. Third parties (processors)
We share personal data with service providers ("sub-processors") only as needed to operate the Platform. The sub-processors we currently rely on include:
- Stripe — payment processing. Subject to Stripe's own privacy policy.
- Cloudflare — hosting, edge delivery, and security.
- Cloudflare R2 — object storage of Platform artifacts and records.
- Databento — market-data licensing (source feeds are licensed to the Platform; see
the raw-data firewall in the Terms of Service).
- Our email provider — transactional and magic-link email; processes your email
address to deliver Platform messages.
- Alpaca — broker execution, where you establish broker connectivity.
- Interactive Brokers (IBKR) — broker execution, where you establish broker
connectivity.
- OpenRouter — language-model inference routing for Platform features that use
language models. We do not send your payment details to this provider.
- Anthropic — language-model inference (Claude) for Platform features that use
language models. We do not send your payment details to this provider.
This list may change as the Platform evolves; we will update this Policy when we add or change a sub-processor. Each processes personal data only as needed to provide the service described.
5. International transfers
Data is processed in the United States. Where we transfer personal data to a sub-processor (see §4) located in a different country, or where personal data reaches us from a region whose law restricts cross-border transfers (such as the EEA or the UK), we rely on appropriate safeguards for that transfer, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) or another lawful transfer mechanism.
6. Your rights
Depending on your location (e.g. GDPR/UK GDPR, CCPA/CPRA), you may have rights to access, correct, delete, port, or object to processing of your personal data. To exercise them, contact legal@kestrel.markets. We will respond within the period required by applicable law.
7. Data retention
Analytics events are retained for 180 days, then automatically deleted by a storage lifecycle rule — two quarters of usage history, long enough to understand how the Platform is adopted and no longer.
We retain other personal data only as long as needed for the purposes above or as required by law (for example, payment and tax records for as long as applicable tax and accounting law requires).
8. Security
We use reasonable technical and organizational safeguards. No method of transmission or storage is perfectly secure; we cannot guarantee absolute security.
9. Children
The Platform is not directed to children under 18, and we do not knowingly collect their personal data.
10. Changes
We may update this Policy; the effective date above reflects the latest version.
11. Contact
Longtail Studios, LLC, Miami, Florida, United States, legal@kestrel.markets. Data controller: Longtail Studios, LLC. Longtail Studios, LLC is established in the United States and has no establishment in the EU or the UK. To the extent the GDPR or UK GDPR applies to our processing (see §6) and requires the appointment of a representative under Article 27, we will appoint a representative in the relevant territory where and when that obligation applies, and will name the representative here.