Legal

Privacy Policy

Last updated: April 2026

PredictFlow is a client-side application. We collect as little data as technically possible. This policy explains exactly what is collected, stored, and transmitted — and to whom.

1. Data we do not collect

• We do not collect your name, email, or postal address.
• We do not collect your private keys, seed phrases, or wallet credentials.
• We do not track you across websites.
• We do not sell or rent any data to any third party, ever.

2. Data processed locally in your browser

The following is stored in your browser's localStorage. It never leaves your device unless you explicitly export it:

• Wallet public key — so the app can reconnect on reload. Never the private key.
• Filled positions — market, side, amount, transaction signature, entry price.
• Conditional orders — pending, filled, and cancelled limit / stop-loss / take-profit orders.
• DCA strategies — schedule, budget, execution history.
• Markets cache — a 60-second cache of the DFlow markets list for faster reloads.
• KYC status — a boolean indicating whether you completed the Proof verification flow.

Clearing site data in your browser removes all of the above. We have no server-side copy.

3. Data transmitted to third-party services

When you use the application, the following requests are made directly from your browser to services we do not control:

• DFlow — market/event/quote/order API. Sees your wallet public key (to build trade transactions), order amounts, and market selections. Governed by DFlow's own privacy policy at docs.dflow.net.
• Solana RPC provider — your configured RPC endpoint (Helius, Triton, QuickNode, or public). Sees public-key scans and transaction simulations.
• Wallet provider — Phantom / Solflare / Backpack, in your own browser. Signs transactions locally.
• Proof — only if you initiate KYC verification for CFTC-regulated markets. Governed by Proof's own privacy policy.

4. Analytics

PredictFlow may optionally load a privacy-respecting analytics integration (Plausible / PostHog) when deployed with an analytics provider configured. Where analytics are enabled:

• Wallet public keys are SHA-256-hashed before being recorded.
• No IP addresses are stored in long-term analytics storage.
• No cross-site cookies are set for tracking.

Self-hosted deployments can disable analytics entirely by leaving the provider env var blank.

5. Error reporting

When the operator has configured Sentry (VITE_SENTRY_DSN), runtime errors may be reported for debugging. Error messages are sanitized — stripped of HTML, control characters, and any PII-shaped strings — before leaving the browser.

6. Cookies

The site itself uses no cookies. localStorage is used for the purposes described in Section 2 and is not shared cross-site.

7. Children

PredictFlow is not intended for children under 18 (or the legal age of majority in your jurisdiction, if higher). We do not knowingly collect any data from children.

8. Your rights

Because we hold no server-side personal data about you, most data-subject rights (access, deletion, portability) resolve to clearing your browser's site data. For data held by DFlow, Solana RPC providers, or Proof, contact those providers directly.

9. Changes

We may update this policy; the "Last updated" date reflects the most recent change. Material changes will be announced in the app.

10. Contact

Questions about privacy: support@predictflow.org.