Privacy Policy

ZEUS AI TRADING — PRIVACY POLICY Effective Date: March 19, 2026 Last Updated: March 19, 2026 Zeus AI Trading ("Zeus AI," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use the Zeus AI Trading platform at portal.zeusai-tech.com (the "Service"). 1. INFORMATION WE COLLECT 1.1 Information You Provide - Account Information: email address, first name, last name, phone number, country, and postal code. - Onboarding Information: terms acceptance records (timestamp and version), strategy preferences, and portfolio configuration. - Payment Information: payment method details collected via Stripe. Zeus AI does not directly store your full credit card number; this is handled by Stripe in accordance with PCI DSS standards. 1.2 Information Collected Through Third-Party Integrations - Brokerage Data (via SnapTrade): brokerage account identifiers, account types, account balances, holdings, positions, and trade execution details. Your brokerage login credentials are never transmitted to or stored by Zeus AI; all brokerage connectivity uses SnapTrade's secure OAuth integration. - Authentication Data (via Clerk): authentication tokens, session identifiers, and sign-in metadata. 1.3 Information Generated Through Your Use of the Service - Trading Data: trade history (securities traded, quantities, prices, timestamps, execution status), portfolio snapshots, performance metrics, and reconciliation records. - System Logs: API request logs, error logs, and service usage data for operational monitoring and debugging. - Communication Records: records of emails sent to you (trading summaries, alerts, notifications). 2. HOW WE USE YOUR INFORMATION We use your information to: (a) Provide and operate the Service, including executing trades, managing portfolios, and reconciling positions; (b) Process payments and manage billing via Stripe; (c) Send you transactional communications, including daily trading summaries, trade failure alerts, and brokerage connection status notifications; (d) Comply with legal and regulatory obligations, including maintaining audit trails of trading activity; (e) Monitor and improve the security, performance, and reliability of the Service; (f) Respond to your inquiries and provide customer support. We do not use your information for advertising, behavioral profiling, or sale to third parties. 3. LEGAL BASIS FOR PROCESSING (EEA/UK USERS) If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data under the following legal bases: (a) Contractual Necessity: processing necessary to perform our contract with you, including executing trades, managing your portfolio, and processing payments (Sections 2(a)-(c)). (b) Legitimate Interest: processing necessary for our legitimate business interests, including maintaining security, preventing fraud, improving the Service, and monitoring system performance (Sections 2(e)-(f)), where those interests are not overridden by your data protection rights. (c) Legal Obligation: processing necessary to comply with applicable laws, including financial record-keeping, tax reporting, and responding to lawful requests from regulators or law enforcement (Section 2(d)). (d) Consent: where required by applicable law, we will obtain your consent before processing. You may withdraw consent at any time by contacting support@zeusai-tech.com, though withdrawal does not affect the lawfulness of processing performed prior to withdrawal. 4. HOW WE SHARE YOUR INFORMATION We share your personal information only in the following circumstances: 4.1 Service Providers We share data with third-party service providers who process information on our behalf. Each provider is contractually obligated to protect your data: - SnapTrade (https://snaptrade.com/privacy): brokerage account connectivity, order execution, and position data retrieval. - Stripe, Inc. (https://stripe.com/privacy): payment processing, billing, and invoice management. - Clerk (https://clerk.com/privacy): user authentication and session management. - Amazon Web Services (https://aws.amazon.com/privacy/): cloud infrastructure, including compute (Lambda), database (RDS), email delivery (SES), encryption (KMS), and storage (S3). 4.2 Legal Requirements We may disclose your information if required to do so by law, regulation, legal process, or governmental request, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others. 4.3 Business Transfers In the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will notify you via email of any such change in ownership. We do not sell, rent, or trade your personal information to third parties for their marketing purposes. 5. DATA SECURITY We implement industry-standard security measures to protect your information: - Encryption at Rest: sensitive data, including SnapTrade user secrets, phone numbers, and Stripe payment identifiers, is encrypted using AWS Key Management Service (KMS). - Encryption in Transit: all data transmitted between your browser, our APIs, and third-party services uses TLS/HTTPS encryption. - Network Isolation: our database and core infrastructure operate within a private Virtual Private Cloud (VPC) that is not directly accessible from the public internet. - Access Controls: brokerage API calls use per-request HMAC-SHA256 authentication signatures. Administrative access is restricted and audited. - Session Isolation: each API request to your brokerage creates and closes an independent session to prevent cross-user data leakage. No method of electronic transmission or storage is 100% secure. While we strive to use commercially reasonable means to protect your information, we cannot guarantee its absolute security. 6. DATA RETENTION - Account Data: retained for the duration of your account and for 7 years after account closure to comply with financial record-keeping obligations. - Trading Data and Audit Logs: retained for the duration of your account and for 7 years after account closure, or longer if required by applicable securities regulations or to resolve pending disputes. - System Logs: retained for 7 to 30 days depending on the log type, then automatically deleted. - Payment Records: retained in accordance with Stripe's data retention policies and applicable tax and financial regulations. Upon expiration of the applicable retention period, data will be securely deleted or anonymized. 7. YOUR RIGHTS AND CHOICES Depending on your jurisdiction, you may have the following rights: (a) Access: request a copy of the personal information we hold about you. (b) Correction: request that we correct inaccurate or incomplete information. (c) Deletion: request that we delete your personal information, subject to our legal retention obligations. Note that trade history and audit logs may be retained as required by law. (d) Data Portability: request a copy of your data in a structured, machine-readable format. (e) Restriction of Processing: request that we restrict processing of your data under certain circumstances (EEA/UK users). (f) Objection to Processing: object to processing based on legitimate interest grounds (EEA/UK users). (g) Opt-Out of Communications: you may opt out of non-essential email communications by contacting support@zeusai-tech.com. Transactional emails related to your account activity and security cannot be opted out of while your account is active. To exercise any of these rights, contact us at support@zeusai-tech.com. We will respond to your request within 30 days (or 45 days for requests made under the California Consumer Privacy Act, with notice of any extension). 8. CALIFORNIA PRIVACY RIGHTS (CCPA/CPRA) If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with additional rights regarding your personal information: 8.1 Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which it was collected, the business purpose for collecting it, and the categories of third parties with whom we share it. 8.2 Right to Delete. You have the right to request deletion of your personal information, subject to certain exceptions (including legal record-keeping obligations for financial data). 8.3 Right to Correct. You have the right to request that we correct inaccurate personal information. 8.4 Right to Opt-Out of Sale or Sharing. Zeus AI does not sell your personal information and does not share your personal information for cross-context behavioral advertising purposes. Because we do not engage in these activities, there is no need to opt out. 8.5 Non-Discrimination. We will not discriminate against you for exercising any of your CCPA/CPRA rights. 8.6 Categories of Personal Information Collected. In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA: identifiers (name, email, phone number); financial information (brokerage account data, portfolio holdings, trade history); commercial information (billing records, payment method details via Stripe); and internet or electronic network activity (system logs, API usage data). To submit a CCPA/CPRA request, contact us at support@zeusai-tech.com. We will verify your identity before processing your request. 9. COOKIES AND TRACKING TECHNOLOGIES The Service uses only essential cookies and session tokens required for authentication (via Clerk) and payment processing (via Stripe). We do not use advertising cookies, analytics trackers, or behavioral profiling tools. We do not use Google Analytics, Facebook Pixel, or similar third-party tracking services. 10. CHILDREN'S PRIVACY The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a child under 18, we will take steps to delete that information promptly. 11. INTERNATIONAL DATA TRANSFERS Your information is processed and stored in the United States using AWS infrastructure in the us-east-1 (N. Virginia) region. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your jurisdiction. For EEA/UK users, such transfers are made pursuant to appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, as applicable. 12. DATA BREACH NOTIFICATION In the event of a security breach that compromises your personal information, we will notify affected users via email as promptly as practicable and in accordance with applicable law (including, where applicable, within 72 hours of becoming aware of the breach as required by GDPR, and within the timeframes required by applicable U.S. state breach notification laws). Notification will include the nature of the breach, the categories of data affected, the measures taken to address the breach, and recommended steps you can take to protect yourself. 13. CHANGES TO THIS PRIVACY POLICY We may update this Privacy Policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The "Last Updated" date at the top of this policy indicates when revisions were last made. Your continued use of the Service after the effective date constitutes acceptance of the revised policy. 14. CONTACT US If you have questions or concerns about this Privacy Policy or our data practices, contact us at: Email: support@zeusai-tech.com [DRAFT — Subject to legal review]