Privacy Policy
How we process and protect user data.
1. What data we collect
We store the minimum data required to operate the service: user identifier, email, profile name, run history, trade results, technical logs, notification settings, strategy settings, and encrypted exchange API keys.
2. Google user data
If a user chooses Google Sign-In, BadRock requests only the basic OAuth scopes openid, email, and profile. Through Google Sign-In the app receives the Google account ID, email address, email verification flag, profile name, and, if returned by Google's userinfo endpoint, profile picture/locale. We do not request or receive Gmail, Google Drive, Calendar, Contacts, payment data, or other Google API data.
3. How we use Google user data
Google user data is used only to sign the user in, create or link a BadRock account, display the user's name/email in the product UI, and create security notifications about sign-in events. The OAuth access token is used briefly to request userinfo and is not stored. We do not use Google user data for ads, retargeting, credit-worthiness decisions, data sale, or transfer to advertising platforms.
4. Storage and sharing
Google account ID, email, name, and basic profile are stored in the BadRock database to support sign-in and session recovery. The data is retained until account deletion or a user's deletion request. We do not sell Google user data or transfer it to third parties except where necessary to operate service infrastructure, maintain security, comply with law, or process the user's own request.
5. Security
Data is transmitted over HTTPS. Exchange keys are stored encrypted. Access to data is limited by role-based permissions, server-side checks, and event logging. Employees or contractors do not access Google user data unless required for security, support requested by the user, or legal compliance.
6. Data deletion and access revocation
A user can request deletion of the account and related data through support. The user can also revoke BadRock's access to Google Sign-In in Google Account security settings; after revocation, a new Google sign-in will require consent again.
7. Limited use of Google API data
BadRock's use of information received from Google APIs complies with the Google API Services User Data Policy, including the Limited Use requirements. We use this data only for the user-facing sign-in and security features described in this policy.
Google API Services User Data Policy / Google APIs Terms of Service