Privacy Policy

Last updated: February 17, 2026

1. Introduction

SettleRisk ("we," "our," or "us") operates the settlerisk.com website and the SettleRisk API platform (collectively, the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website or use our API services.

We are committed to protecting the privacy and security of our users. We treat your data with the same rigor we apply to our deterministic scoring algorithms — transparently, predictably, and with full accountability.

By accessing or using the Service, you agree to this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access the Service.

2. Information We Collect

We collect information that you provide directly to us, information we collect automatically when you use the Service, and information from third-party sources.

2.1 Information You Provide

  • Account Information: When you create an account, we collect your name, email address, and authentication credentials (via Google OAuth or other supported providers).
  • Billing Information: Payment details are processed securely through Stripe. We do not store your full credit card number, CVV, or other sensitive payment details on our servers. Stripe's privacy policy governs the handling of your payment information.
  • API Keys: We generate and store API key identifiers and hashed secrets associated with your account for authentication purposes.
  • Communications: When you contact us via email or our contact form, we collect your name, email address, and the content of your message.
  • Resolution Rules Text: When you submit market resolution rules via the /v1/evaluate-rules endpoint, we process the text to generate risk scores. This text may be temporarily retained for audit and idempotency purposes.

2.2 Information Collected Automatically

  • Usage Data: API request logs including endpoints called, request timestamps, response codes, latency metrics, and rate limit utilization. This data is used to provide usage analytics in your dashboard and to enforce plan limits.
  • Device Information: Browser type, operating system, IP address, and referring URLs when you visit our website.
  • Cookies: We use essential cookies for session management and authentication. We use Google Analytics to understand website usage patterns. You can control cookie preferences through your browser settings.

2.3 Information from Third Parties

  • OAuth Providers: When you authenticate via Google, we receive your name, email address, and profile picture from Google, subject to your Google privacy settings.
  • Prediction Market Platforms: We ingest publicly available market data from Polymarket, Kalshi, and other supported platforms to compute risk scores. This data is publicly accessible market metadata and resolution rules — not user-specific trading data.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including risk scoring, delay modeling, and pricing engine computations
  • Authenticate your identity and authorize API access via HMAC-SHA256 signed requests
  • Process your transactions and manage your subscription through Stripe
  • Send transactional communications such as welcome emails, API key notifications, rate limit warnings, and weekly usage digests
  • Monitor and enforce rate limits, batch limits, and plan-tier restrictions
  • Deliver webhook notifications to your registered endpoints for events you subscribe to (e.g., score.tier_changed, rules.changed)
  • Detect and prevent fraud, abuse, and replay attacks via nonce tracking and timestamp validation
  • Improve the Service, including refining our heuristic scoring models and driver taxonomy
  • Respond to your inquiries and provide customer support
  • Comply with legal obligations and enforce our Terms of Service

4. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

  • Service Providers: We share information with third-party vendors who perform services on our behalf, including Stripe (payment processing), Resend (email delivery), Vercel (hosting), and cloud infrastructure providers (PostgreSQL database hosting, Redis caching). These providers are contractually obligated to protect your information.
  • Legal Requirements: We may disclose your information if required to do so by law, in response to valid legal process, or to protect our rights, privacy, safety, or property.
  • Business Transfers: In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
  • With Your Consent: We may share your information with third parties when you give us explicit consent to do so.

5. Data Security

We implement industry-standard security measures to protect your information:

  • All API communication is encrypted via TLS 1.2+ (HTTPS). Plain HTTP connections are rejected.
  • API authentication uses HMAC-SHA256 request signing. Each request carries a nonce, which is recorded (in Redis, with PostgreSQL as fallback) and rejected if presented again, and a timestamp, which must be within 300 seconds of server time.
  • API key secrets are hashed before storage. Raw secrets are never persisted after initial generation.
  • Webhook payloads delivered to your endpoints are signed with HMAC-SHA256 using your webhook secret, allowing you to verify authenticity. Verify the signature against the raw request body, using a constant-time comparison, before acting on the event.
  • Database access is restricted to authenticated application connections with least-privilege permissions.
  • Idempotency keys are bound to a hash of the request payload. A key reused with a different payload is rejected rather than treated as a retry, so a key cannot be used to replay a modified request.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.
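To make the mechanisms listed in section 5 concrete from the receiving side, here is an added example (not SettleRisk's code and not taken from its API documentation) showing how a webhook endpoint would verify an HMAC-SHA256 signature with a constant-time comparison, apply timestamp-skew and nonce replay checks of the kind the policy describes for API requests, and apply the idempotency-key payload-hash comparison. The header names, the canonical signed string, and the reuse of the 300-second skew window and 600-second nonce TTL on the webhook side are assumptions made for this illustration; consult the API documentation for the real format.

```python
"""Added example (not SettleRisk's code): webhook signature verification,
timestamp-skew and nonce replay checks, and idempotency payload hashing in
the style described in section 5.  Header names, the canonical signed
string, and applying the API-side 300 s skew / 600 s nonce TTL to webhooks
are assumptions made for this illustration."""
import hashlib
import hmac
import time

SKEW_SECONDS = 300                    # assumed: the 300 s window the policy gives for API requests
NONCE_TTL_SECONDS = 600               # assumed: 2 x skew, matching the 600 s Redis TTL in section 6
IDEMPOTENCY_TTL_SECONDS = 24 * 3600   # the 24 h idempotency-key retention the policy gives


class NonceStore:
    """In-memory stand-in for the Redis nonce set.  A nonce must be kept for at
    least twice the skew window: a request stamped 300 s in the future stays
    acceptable until it is 300 s in the past, i.e. for 600 s."""

    def __init__(self, ttl=NONCE_TTL_SECONDS):
        self.ttl = ttl
        self._seen = {}  # nonce -> expiry (unix seconds)

    def add_if_new(self, nonce, now):
        """Record the nonce and return True, or False if it was already seen."""
        for stale in [n for n, exp in self._seen.items() if exp <= now]:
            del self._seen[stale]
        if nonce in self._seen:
            return False
        self._seen[nonce] = now + self.ttl
        return True


def sign(secret, timestamp, nonce, body):
    """Assumed canonical string: '<timestamp>.<nonce>.' followed by the raw body bytes."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def verify_webhook(secret, headers, body, nonces, now=None):
    """Return (accepted, reason).  `body` must be the raw bytes received, not a
    re-serialised copy: any whitespace or key-order change breaks the MAC."""
    now = time.time() if now is None else now
    try:
        ts = int(headers["X-SettleRisk-Timestamp"])  # assumed header names
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    nonce = headers.get("X-SettleRisk-Nonce")
    sig = headers.get("X-SettleRisk-Signature")
    if not nonce or not sig:
        return False, "missing nonce or signature"
    # 1. MAC first, constant-time, so unsigned input cannot probe the other
    #    checks or burn nonces on the receiver's behalf.
    if not hmac.compare_digest(sign(secret, ts, nonce, body), sig):
        return False, "bad signature"
    # 2. Reject timestamps too far from local time in either direction.
    if abs(now - ts) > SKEW_SECONDS:
        return False, "timestamp outside skew window"
    # 3. Only a validly signed, in-window request may claim its nonce.
    if not nonces.add_if_new(nonce, now):
        return False, "replayed nonce"
    return True, "ok"


class IdempotencyStore:
    """Same key + same body replays the stored response; same key + different
    body is rejected rather than treated as a retry."""

    def __init__(self, ttl=IDEMPOTENCY_TTL_SECONDS):
        self.ttl = ttl
        self._entries = {}  # key -> (payload sha256, response, expiry)

    def check(self, key, body, now):
        """Return ('new', payload_hash), ('replay', response) or ('mismatch', None)."""
        digest = hashlib.sha256(body).hexdigest()
        entry = self._entries.get(key)
        if entry is not None and entry[2] > now:
            if hmac.compare_digest(entry[0], digest):
                return "replay", entry[1]
            return "mismatch", None
        return "new", digest

    def store(self, key, payload_hash, response, now):
        self._entries[key] = (payload_hash, response, now + self.ttl)


if __name__ == "__main__":
    # Constructed sample: fake secret, fake score.tier_changed event, fixed clock.
    secret, now = b"whsec_example_only", 1_700_000_000
    body = b'{"event":"score.tier_changed","market_id":"m1","tier":"high"}'
    headers = {"X-SettleRisk-Timestamp": str(now), "X-SettleRisk-Nonce": "n1",
               "X-SettleRisk-Signature": sign(secret, now, "n1", body)}
    store = NonceStore()
    print(verify_webhook(secret, headers, body, store, now=now))  # (True, 'ok')
    print(verify_webhook(secret, headers, body, store, now=now))  # (False, 'replayed nonce')
```

The ordering of the checks matters: the signature is verified before the nonce is recorded, so an attacker who cannot forge the MAC cannot exhaust or pre-claim nonces, and the nonce TTL is twice the skew window so a future-stamped request cannot be replayed after its first copy has aged out of the store.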

6. Data Retention

We retain your information as follows:

  • Account Data: Retained for the duration of your active account plus 30 days after deletion request.
  • API Request Logs: Retained for 90 days for usage analytics and debugging, then aggregated and anonymized.
  • Risk Score Snapshots: Retained indefinitely as append-only versioned records (per our versioning contract) to ensure deterministic reproducibility.
  • Nonce Replay Data: Nonces expire after 600 seconds (TTL) in Redis, twice the 300-second timestamp window, so a nonce is remembered for as long as its timestamp could still be accepted. PostgreSQL nonce records are purged during periodic maintenance.
  • Idempotency Keys: Retained for 24 hours to ensure request deduplication, then automatically purged.
  • Webhook Delivery Records: Retained for 30 days to support replay functionality.

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you.
  • Correction: Request correction of inaccurate or incomplete personal information.
  • Deletion: Request deletion of your personal information, subject to legal retention obligations.
  • Portability: Request a machine-readable export of your data.
  • Opt-Out: Opt out of non-essential communications. Note that transactional emails (security alerts, billing confirmations) cannot be opted out of.
  • Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@settlerisk.com. We will respond within 30 days.

8. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from your jurisdiction. When we transfer data internationally, we implement appropriate safeguards including standard contractual clauses and encryption in transit.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@settlerisk.com and we will promptly delete such information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date. For significant changes, we will also send a notification to the email address associated with your account.

Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

12. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices, please contact us: