1. Data We Collect (The "Need-to-Know" Basis)
Uncharted Investments only collects data essential for the automated execution of the Ashimoto 3-5-7 strategy
and mandatory regulatory compliance:
- Identity Data: Legal name, verified email address, and verified mobile phone number.
- Financial Integration (OAuth): We utilize Alpaca OAuth 2.0. We store your Access Tokens
and Refresh Tokens; we never request or store your Alpaca password.
- Trade Telemetry: Execution timestamps, fill prices, and account balance snapshots
(used solely for the Club Orchestrator and "Nightly True-Up").
2. The "Vault" Protocol & Withdrawal Protection
We treat your brokerage credentials with institutional-grade security:
- AES-256 Encryption: All OAuth tokens and API keys are encrypted at rest using the AES-256 standard.
Keys are only decrypted in memory during an active, authenticated trading session.
- "Trade-Only" Scope Enforcement: In alignment with Alpaca's security standards, our platform
only requests account:read and trading scopes.
- Withdrawal Protection: Uncharted Investments is physically incapable of accessing bank details
or initiating withdrawals. Our Security Auditor service automatically purges any connection where "Withdrawal"
permissions are detected.
Zero Withdrawal Access: We cannot access your bank details or move funds out of your account.
Our OAuth scopes are restricted to trading operations only.
3. Third-Party Data Sharing & OAuth Integration
We do not sell or lease member data. Data is shared only with core infrastructure partners to facilitate the service:
- Alpaca Markets: To transmit trade orders and receive execution data via secure OAuth 2.0 handshake.
- Twilio/SendGrid: To deliver the 30-Day Compliance Heartbeat alerts and the 2-hour
"Critical Phase" SMS notifications.
Minimal Data Sharing: These partners only receive the data required to perform their specific function
(e.g., Twilio only receives your phone number).
4. The 30-Day Data Re-Verification (The Heartbeat)
Consistent with our Terms of Service, we perform a "Data Health Check" every thirty (30) days:
- Verification: You must re-verify your contact information to ensure you can receive
critical safety alerts.
- Auto-Halt: If contact data is unverified or your "Heartbeat" expires, trading is paused
and OAuth tokens are moved to a "Restricted" state until the "Communication Pipe" is re-verified.
Why Trading May Be Paused: If your 30-day Heartbeat expires or contact information is unverified,
trading will be automatically paused until you re-verify. This protects you from missed critical alerts.
5. Data Retention & The "Right to Forget"
- Revocation: If a member leaves the club or revokes access via the Alpaca Dashboard,
all associated tokens are permanently deleted from our database within 24 hours.
- Audit Trail: We retain a log of your MSA/ToS Sign-offs and Trade History for legal compliance
and tax reporting purposes for a period of seven (7) years.
6. Member Responsibility & Supervision
While we provide the Dead Man's Switch and Security Auditor, members are responsible for:
- Securing their local machine/device against malware.
- Maintaining Active Supervision (per FINRA 3110) of their trading account during market hours.
- Responding promptly to "Critical Phase" SMS alerts.
7. Data Breach & Incident Response
In the unlikely event of a data breach, Uncharted Investments will:
- Notify affected members within 72 hours via email and SMS.
- Invalidate all potentially compromised OAuth tokens, requiring members to re-authenticate.
- Provide a detailed remediation report.
8. Your Rights & Contact
As a member of the Wyoming LLC, you have the right to access, correct, or request the deletion of your data
(subject to legal retention requirements).
Data Protection Officer:
privacy@unchartedinvesting.com