This Privacy Policy explains how Obelus Labs LLC ("Company," "we," "us," or "our") collects, uses, discloses, and protects your personal information when you use the Guardian platform. We are committed to protecting your privacy and handling your data responsibly.
1. Information We Collect
1.1 Information You Provide Directly
| Data Type | Purpose | Required? |
| --- | --- | --- |
| Email address | Account creation, authentication, notifications, communications | Yes |
| Password (hashed) | Account authentication — stored as a secure hash, never in plaintext | Yes |
| Display name | Account personalization | No |
| Payment information | Subscription billing — processed and stored exclusively by Stripe; we do not store card numbers | Paid tiers only |
1.2 Information Collected Automatically
| Data Type | Purpose |
| --- | --- |
| Device information (OS, app version, device type) | Compatibility, debugging, feature optimization |
| IP address | Security, rate limiting, fraud prevention, approximate geolocation for compliance |
| Usage data (features used, pages viewed, interaction patterns) | Service improvement, analytics, feature prioritization |
| Push notification tokens (Expo Push) | Delivering real-time threat alerts to your mobile device |
| API request logs (Sentinel tier) | Rate limiting, abuse prevention, debugging |
| Error and crash reports | Service stability and bug fixing |
1.3 Market Data We Collect and Analyze
To provide threat detection and market intelligence, Guardian collects and processes publicly available market data from third-party sources. This includes:
- Cryptocurrency market data: Price feeds, trading volumes, order book data, on-chain transaction data, funding rates, and open interest from exchanges and blockchain networks;
- Stock market data: Equity price feeds, trading volumes, institutional fund flow data, options activity, short interest data, and corporate action information from financial data providers and stock exchanges;
- Sentiment data: Aggregated sentiment scores derived from news articles, social media, and community forums related to both crypto assets and publicly traded stocks.
This market data is publicly available information and does not constitute personal data. It is used solely to generate threat scores, alerts, and market intelligence for our users.
1.4 Information We Do NOT Collect
Guardian does not collect, access, or store:
- Cryptocurrency wallet addresses, private keys, or seed phrases;
- Exchange account credentials or API keys (except where you voluntarily store encrypted portfolio tracking keys locally on your device);
- Brokerage account credentials, login information, or trading account numbers;
- Financial account information (bank accounts, brokerage accounts);
- Social Security numbers or government-issued IDs;
- Precise geolocation data (GPS coordinates);
- Biometric data.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Service: Deliver threat scores, alerts, and market intelligence for both cryptocurrency and equity markets;
- Authentication and security: Verify your identity, prevent fraud, and protect your account;
- Communication: Send service-related notices, security alerts, and (with your consent) marketing communications;
- Billing: Process subscription payments through Stripe;
- Improvement: Analyze usage patterns to improve features, performance, and reliability;
- Legal compliance: Comply with applicable laws, regulations, and legal processes;
- Support: Respond to your inquiries and provide customer assistance.
3. How We Share Your Information
We do not sell, rent, or trade your personal information to third parties. We share your information only in the following limited circumstances:
3.1 Service Providers
| Provider | Purpose | Data Shared |
| --- | --- | --- |
| Stripe | Payment processing | Email, payment method details, billing address, transaction data |
| Supabase | User authentication and account data storage | Email, hashed password, account metadata |
| Expo (React Native) | Mobile push notifications | Push notification tokens, device identifiers |
Each service provider is contractually obligated to use your data only for the purposes specified and in accordance with their own privacy policies.
3.2 Legal Obligations
We may disclose your information if required to do so by law, subpoena, court order, or other legal process, or if we believe in good faith that disclosure is necessary to:
- Comply with applicable law or legal obligation;
- Protect the rights, property, or safety of Obelus Labs LLC, our users, or the public;
- Detect, prevent, or address fraud, security, or technical issues;
- Enforce our Terms of Service.
3.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.
4. Data Retention
We retain your personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specifically:
- Account data: Retained for the duration of your account plus 30 days after account deletion;
- Usage and analytics data: Retained for up to 24 months in aggregated/anonymized form;
- Payment records: Retained for 7 years as required for tax and financial compliance;
- API request logs: Retained for 90 days, then purged;
- Push notification tokens: Deleted when you uninstall the app or revoke notification permissions.
5. Data Security
We implement industry-standard security measures to protect your personal information, including:
- Encryption in transit: All data transmitted between your device and our servers uses TLS/HTTPS encryption;
- Encryption at rest: Sensitive data is encrypted using AES-256 encryption;
- Password security: Passwords are hashed using industry-standard algorithms and are never stored in plaintext;
- Authentication: JWT-based authentication with token expiration and refresh mechanisms;
- Access control: Internal access to user data is restricted to authorized personnel on a need-to-know basis;
- Rate limiting: Per-user rate limiting to prevent abuse and brute-force attacks;
- SQL injection protection: Parameterized queries and input validation throughout the API.
While we take reasonable steps to protect your information, no method of transmission over the internet or method of electronic storage is 100% secure. We cannot guarantee absolute security.
6. Your Rights and Choices
6.1 All Users
Regardless of your location, you have the right to:
- Access: Request a copy of the personal information we hold about you;
- Correction: Request correction of inaccurate or incomplete information;
- Deletion: Request deletion of your personal information (subject to legal retention requirements);
- Portability: Request your data in a structured, commonly used, machine-readable format;
- Opt-out of marketing: Unsubscribe from marketing emails at any time via the unsubscribe link in each email;
- Withdraw consent: Where processing is based on consent, withdraw that consent at any time.
To exercise any of these rights, contact us at privacy@obeluslabs.com. We will respond to your request within 30 days.
6.2 California Residents — CCPA/CPRA Rights
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collecting it, and the categories of third parties with whom we share it;
- Right to Delete: You may request deletion of your personal information, subject to certain exceptions;
- Right to Correct: You may request that we correct inaccurate personal information;
- Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined by the CCPA/CPRA. If this changes, we will provide a "Do Not Sell or Share My Personal Information" link;
- Right to Limit Use of Sensitive Information: We do not use sensitive personal information for purposes beyond what is necessary to provide the Service;
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
To submit a CCPA request, email privacy@obeluslabs.com with the subject line "CCPA Request." We may need to verify your identity before processing your request.
Categories of personal information collected in the preceding 12 months:
- Identifiers (email address, IP address, device identifiers);
- Commercial information (subscription tier, payment history);
- Internet/electronic network activity (usage data, API logs, error reports);
- Inferences drawn from the above (feature preferences, usage patterns).
6.3 European Economic Area (EEA) and UK Residents — GDPR
If you are located in the EEA or the UK, we process your personal data under the following legal bases:
- Contract performance: Processing necessary to provide you with the Service;
- Legitimate interests: Processing for service improvement, security, and fraud prevention;
- Consent: Where you have given explicit consent (e.g., marketing emails);
- Legal obligation: Processing required to comply with applicable laws.
In addition to the rights listed in Section 6.1, EEA/UK residents have the right to:
- Restrict processing: Request that we limit the processing of your personal data in certain circumstances;
- Object to processing: Object to processing based on legitimate interests;
- Lodge a complaint: File a complaint with your local data protection authority.
Data transfers outside the EEA/UK are conducted using appropriate safeguards, including Standard Contractual Clauses approved by the European Commission.
7. Cookies and Tracking Technologies
Our website and applications may use the following technologies:
- Essential cookies: Required for authentication and core functionality (e.g., session tokens, JWT storage in localStorage);
- Analytics: We may use privacy-respecting analytics to understand aggregate usage patterns. We do not use invasive third-party tracking services;
- Local storage: The desktop and mobile applications store authentication tokens, user preferences, and cached data locally on your device.
You can control cookie preferences through your browser settings. Disabling essential cookies may impair the functionality of the Service.
8. Children's Privacy
The Service is not intended for use by anyone under the age of 13 (or 16 in the EEA/UK). We do not knowingly collect personal information from children under these ages. If we become aware that we have collected personal information from a child under the applicable age, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@obeluslabs.com.
9. International Data Transfers
The Service is operated from the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.
By using the Service, you consent to the transfer of your information to the United States. We take appropriate measures to ensure that your personal information receives an adequate level of protection in the jurisdictions in which we process it.
10. Third-Party Links
The Service may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access through the Service.
11. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Because there is no common industry standard for DNT, we do not currently respond to DNT signals. We will update this policy if a standard is established.
12. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users via email within 72 hours of becoming aware of the breach;
- Notify applicable regulatory authorities as required by law;
- Provide a description of the breach, the data affected, and the steps we are taking to address it.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" at the top of this page;
- Notify you via email or a prominent notice on the Service;
- Provide at least 30 days' notice before material changes take effect.
Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Obelus Labs LLC
Email: privacy@obeluslabs.com
For CCPA requests: privacy@obeluslabs.com (subject: "CCPA Request")
Website: guardian.dev