Privacy Policy

Last updated: February 14, 2026

1. Introduction

Small Time Devs Inc ("we", "us", "our") operates AramidX ("the Service"). This Privacy Policy explains how we collect, use, and protect your personal information. We are committed to protecting your privacy in accordance with applicable data protection laws, including GDPR for EU/EEA users.

2. Data We Collect

Data Type	Source	Purpose
Email address	OAuth provider	Account identification, transactional emails
Display name	OAuth provider	Personalization
Avatar URL	OAuth provider	UI display
OAuth provider ID	Google, GitHub, Microsoft	Authentication
IP address	HTTP request	Security, audit logging
User agent	HTTP request	Security, audit logging
Trading CSV data	User upload	Analytics processing (not stored permanently)
Billing information	Stripe	Subscription management

3. OAuth Data

We use OAuth 2.0 for authentication via Google, GitHub, and Microsoft. We only request the minimum scopes needed:

Google: email, profile (name, avatar)
GitHub: email (verified primary), profile (name, avatar)
Microsoft: email, profile (name)

We do not access your contacts, files, repositories, or any other data from these providers. OAuth tokens are used only during the login flow and are not stored.

4. Stripe Billing Data

Payment processing is handled entirely by Stripe. We store:

Your Stripe customer ID (for linking your account)
Subscription status and billing period
Invoice IDs (for commission tracking)

We do not store credit card numbers, bank accounts, or full payment details. All payment data is handled by Stripe under their PCI-DSS compliant infrastructure.

5. Cookies

We use a single session cookie (aramid_session) for authentication. This cookie is:

HttpOnly — not accessible to JavaScript
Secure — only sent over HTTPS
SameSite=Lax — CSRF protection
24-hour expiry — automatically cleared

We do not use tracking cookies, analytics cookies, or third-party advertising cookies.

6. How We Use Your Data

Authenticate and identify your account
Process your trading data for analytics (CSV data is processed in-memory and not stored permanently)
Manage your subscription and billing
Send transactional emails (welcome, billing, trial reminders)
Maintain audit logs for security compliance (NIST CSF 2.0)
Prevent fraud and abuse

7. Data Storage and Security

Your data is stored on Cloudflare's infrastructure:

D1 Database: User accounts, sessions, subscriptions, audit logs
KV Store: Session cache, subscription cache (ephemeral)
R2 Storage: Temporary CSV uploads (automatically purged)

All data is encrypted in transit (TLS 1.3) and at rest. Access is restricted by the principle of least privilege.

8. Data Retention

Account data: Retained while your account is active. Deleted upon account deletion request.
Session data: Automatically expires after 24 hours.
Audit logs: Retained for 90 days for security compliance.
CSV uploads: Processed in-memory and not stored permanently.
Email logs: Retained for 90 days.

9. Your Rights (GDPR)

If you are in the EU/EEA, you have the right to:

Access: Request a copy of your personal data
Rectification: Correct inaccurate data
Erasure: Request deletion of your data ("right to be forgotten")
Portability: Receive your data in a portable format
Object: Object to processing of your data
Restrict: Request restricted processing

To exercise these rights, contact support@smalltimedevs.com.

10. Third-Party Services

Cloudflare: Infrastructure, CDN, DNS (Privacy Policy)
Stripe: Payment processing (Privacy Policy)
MailChannels: Transactional emails (Privacy Policy)

11. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect data from minors.

12. Changes to This Policy

We may update this Privacy Policy at any time. We will notify users of material changes via email or a notice on the Service.

13. Contact

For questions about this Privacy Policy or to exercise your data rights:

Small Time Devs Inc
Email: support@smalltimedevs.com
Website: aramidx.app