Claro Foundry Inc. ("Claro," "we," "us," or "our") is a company incorporated in Alberta, Canada. We operate the website clarofoundry.com and The Harbor application, together with related software, APIs, and support services (collectively, the "Services"). The Services are operated from Canada and are made available to users globally.
This Privacy Policy explains what personal information we collect, why we collect it, how we use, share, retain, and protect it, and the choices and rights available to you. It applies to all users of the Services, regardless of where you are located. Capitalised terms not defined in this Policy have the meanings given to them in our Terms of Service.
Controller and contact. Claro Foundry Inc. is the "controller" (as that term is used under EU/UK GDPR), the "business" (as defined under the California Consumer Privacy Act, as amended by the CPRA), and the "organization" (as defined under Canada's PIPEDA) responsible for personal information processed in connection with the Services, except where this Policy expressly states that we act as a processor or service provider on your behalf. To contact us about this Policy or to exercise your privacy rights, see Section 17 (Contact Us).
1. Information We Collect
We collect the following categories of personal information:
(a) Account and identity information. When you sign up for the Services, we collect:
- Your name (or display name) and email address;
- If you sign in using a social login provider — currently Google or Microsoft — limited identity information returned by that provider, typically: provider user ID, email address, full name, profile picture URL, and locale (we do not receive your password);
- If you sign in using email and password, your email address and a salted, hashed representation of your password (we do not store passwords in plaintext);
- Optional profile details you choose to add (e.g., country, time zone, preferred currency);
- Account preferences, settings, and subscription status.
(b) Authentication and security data. To keep your account secure, we (and our authentication provider, Supabase) process:
- Login timestamps, IP addresses, user-agent strings, and approximate location derived from your IP address;
- Session and refresh tokens, multi-factor authentication (MFA) status and metadata, and device identifiers tied to active sessions;
- Password reset and email verification tokens (short-lived);
- Records of failed login attempts and other security signals used to detect abuse or account takeover.
(c) Financial data — Trading Data. When you connect a broker account (e.g., MetaTrader 5, cTrader) to The Harbor, you authorise us to access trading information from that broker, including: trade history, open positions, pending orders, account balance, equity, leverage, margin, instrument and symbol data, executions, fees and commissions, and related account metadata (collectively, "Trading Data"). Trading Data is treated as sensitive financial information and is subject to the heightened protections described in Sections 5 and 8.
(d) Journal and user-generated content. Notes, tags, screenshots, attachments, journal entries, simulation inputs, and any other content you create or upload while using the Services.
(e) Billing and payment information. When you purchase a paid plan, our payment processor (currently Stripe) collects payment-card details, billing address, billing country, tax identifiers (where applicable), and transaction history. Claro does not see or store your full payment-card number; we receive only a tokenised reference and limited metadata (such as card brand, last four digits, expiry month/year, and cardholder name) needed to manage your subscription and reconcile billing.
(f) Communications and support. Records of your messages to us (support tickets, emails, chat), survey responses, feedback, and the contents of any forms you submit (including the waitlist).
(g) Device, log, and technical data automatically collected.
- Device and browser information (browser type and version, operating system, screen size, language, time zone, device identifiers);
- IP address and approximate location (typically city/region) derived from it;
- Server logs (request URLs, status codes, error traces, latency, referrer);
- Cookies, local storage, and similar technologies (see Section 12).
(h) Usage and product analytics. Information about how you interact with the Services — pages and screens viewed, features used, clicks, time spent, performance metrics, and similar usage data — collected to help us understand and improve the product.
We do not intentionally collect "special categories" of personal data under EU/UK GDPR (such as data revealing racial or ethnic origin, religious beliefs, health data, or biometric data), and we do not collect government identification numbers (such as SIN, SSN, or passport numbers).
2. How We Use Your Information
We use personal information for the following purposes:
- Provide and operate the Services — create and authenticate your account, sync and analyse Trading Data, generate analytics and journals, run simulations, and deliver the features you request;
- Manage subscriptions and billing — process payments, issue invoices and receipts, calculate applicable taxes, manage trials, renewals, and cancellations;
- Communicate with you — send transactional and service messages (account confirmations, billing receipts, security alerts, important Service updates) and, with your consent or where otherwise permitted, product news, tips, and announcements (you can opt out of marketing emails at any time);
- Provide customer support — respond to your questions, troubleshoot issues, and follow up on feedback;
- Secure the Services — detect, investigate, and prevent fraud, abuse, account takeover, security incidents, and breaches of our Terms of Service;
- Improve the Services — measure performance, debug, and improve features, in most cases using aggregated or de-identified data;
- Comply with law — meet our legal, regulatory, tax, accounting, and reporting obligations, and respond to lawful requests from public authorities; and
- Protect rights — establish, exercise, or defend legal claims and protect the rights, property, and safety of Claro, our users, and others.
We do not use your Trading Data, personal information, or broker account data for cross-context behavioural advertising, third-party advertising, profile-building unrelated to the Services, sale to third parties, or training of general-purpose machine-learning models.
3. Legal Bases for Processing (EU / UK GDPR and Similar Laws)
For users in the European Economic Area, the United Kingdom, Switzerland, and other jurisdictions whose laws require us to identify a legal basis for processing, we rely on the following bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to deliver the Services you have signed up for, manage your account, and process your subscription, including syncing and analysing Trading Data on your instructions;
- Consent (Art. 6(1)(a) GDPR) — for optional features such as marketing emails, non-essential cookies, or connecting an additional broker account; you may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal;
- Legitimate interests (Art. 6(1)(f) GDPR) — for security, fraud prevention, network and information security, product analytics and improvement, internal administration, and direct communications about features similar to those you already use, where our interests are not overridden by your rights and freedoms;
- Legal obligation (Art. 6(1)(c) GDPR) — to meet obligations under tax, accounting, anti-money-laundering, sanctions, and other applicable laws.
Where required by your local law (for example, Quebec's Law 25 in Canada, the LGPD in Brazil, or the PDPA in Singapore), we identify and rely on equivalent local lawful bases.
4. How We Share Your Information
We do not sell your personal information, and we do not "share" it for cross-context behavioural advertising as defined under the CCPA/CPRA. We disclose personal information only in the limited circumstances described below.
(a) Service providers and sub-processors. We use a small number of trusted vendors that process personal information on our behalf, under written agreements that require them to protect the data and use it only for the purposes we direct. They fall into the following categories:
- Authentication, database, and storage provider — currently Supabase, which provides authentication (including OAuth flows for Google and Microsoft, and email-and-password sign-in), managed Postgres database hosting, file storage, and back-end APIs. Supabase processes data in the geographic region we have configured for our project (see Section 11);
- Payment processor — currently Stripe, which handles payment processing, subscription management, tax calculation, and fraud screening for paid plans;
- Social login identity providers — Google LLC and Microsoft Corporation, which authenticate you when you choose "Sign in with Google" or "Sign in with Microsoft" (see Section 6);
- Application and infrastructure hosts — to host and deliver our website and back-end services;
- Email and form-handling providers — to deliver verification, security, and notification messages and to receive form submissions;
- Product analytics and error monitoring providers — to help us understand product usage and diagnose errors, configured wherever possible to minimise the personal data captured.
The specific vendors we use within each category may change from time to time as our infrastructure evolves. The current list of named sub-processors is available on request via the contact details in Section 17.
(b) Broker platforms. When you connect a broker account, authentication tokens and API requests are exchanged with the broker (e.g., the cTrader Open API or MetaTrader 5 server) solely to retrieve your Trading Data. We do not push trades, orders, or other instructions back to the broker, and we do not share your Trading Data with other brokers.
(c) Legal and safety disclosures. We may disclose personal information when we believe in good faith that disclosure is necessary to: comply with a law, regulation, court order, subpoena, or other legal process; respond to a lawful request from a government or law-enforcement authority (including in jurisdictions outside Canada); enforce our Terms of Service; protect the security or integrity of the Services; or protect the rights, property, or safety of Claro, our users, or others.
(d) Corporate transactions. If we are involved in a merger, acquisition, financing, restructuring, bankruptcy, or sale of all or a portion of our assets, personal information may be transferred to the counterparty as part of due diligence and the transaction itself, subject to standard confidentiality protections and continued application of this Policy (or notice of any material changes).
(e) With your consent or at your direction. We may share information with other parties where you have asked us to or otherwise given your consent.
5. Trading Data and Financial Information
Trading Data is treated as sensitive financial information. We apply additional safeguards and restrictions to it:
- We use Trading Data solely to provide and improve the analytics, journaling, performance, and simulation features within the Services that you have requested;
- We do not sell Trading Data, "share" it for cross-context behavioural advertising, use it for advertising or unrelated profiling, or use it to train general-purpose machine-learning models;
- Broker API credentials (access tokens, refresh tokens, and similar secrets) are encrypted at rest using strong, industry-standard encryption (currently AES-256 in Fernet construction) and are never stored in plaintext;
- You may disconnect a broker account at any time from within the application, which immediately revokes our ongoing access;
- Upon disconnection of a broker, deletion of your Claro account, or a verified deletion request, broker-sourced Trading Data is deleted, returned, or anonymised within thirty (30) days, except where we are required by law (including tax, accounting, or anti-fraud obligations) or to establish, exercise, or defend legal claims to retain it;
- We comply with the terms of use and data-protection requirements of each broker API we integrate with, including the cTrader Open API Terms of Use.
If you are a regulated person (for example, a licensed trader, fund manager, or employee of a financial institution), you are responsible for ensuring that your use of the Services and your sharing of Trading Data with us complies with the rules of your regulator and your employer.
6. Authentication, Passwords, and Social Login
We offer two ways to access the Services. Authentication is handled by our authentication provider, Supabase, on our behalf.
(a) Email and password. If you choose to sign up with an email and password:
- Your password is stored only as a salted, one-way cryptographic hash. Claro and its personnel do not have access to your plaintext password;
- Passwords must meet rigorous strength requirements (including minimum length and complexity) and are checked against common-password and breach lists; weak or known-compromised passwords are rejected at signup or password change;
- You may be required to verify your email address before some features become available, and we may rate-limit or temporarily lock accounts that exhibit suspicious sign-in activity;
- Where supported, we strongly recommend enabling multi-factor authentication (MFA);
- Password reset links and email-verification tokens are short-lived and single-use.
(b) Social login (Google, Microsoft). If you choose to sign in with Google or Microsoft:
- You are redirected to the provider's standard OAuth 2.0 / OpenID Connect authorisation flow, where the provider authenticates you and asks you to consent to share specific profile information with us;
- We request only the minimum scopes required to create and operate your account — typically your provider user ID, email address, name, profile picture URL, and locale. We do not receive your password, and we do not request access to your email inbox, calendar, files, or other Google/Microsoft data unless we explicitly tell you so and you separately consent;
- Your use of Google "Sign in with Google" is also subject to Google's Privacy Policy, and your use of "Sign in with Microsoft" is subject to Microsoft's Privacy Statement;
- You can revoke our access to your Google or Microsoft identity at any time from the security settings of your Google or Microsoft account, and/or by deleting your Claro account.
(c) Sessions. Authenticated sessions are maintained using signed JWT tokens and refresh tokens issued by Supabase Auth. You can sign out of an individual session at any time, and we may automatically expire idle sessions for security reasons.
7. Cloud Storage and Hosting Infrastructure
We do not run our own data centres. The Services are delivered using cloud infrastructure operated by enterprise-grade providers:
- Supabase hosts our managed Postgres database, file storage, and authentication service. Supabase in turn runs on AWS infrastructure in the geographic region we have configured for our project. All database tables containing user-scoped data are protected by Row-Level Security (RLS) policies designed to ensure that one user cannot access another user's data through the API;
- Application hosting providers run our front-end and back-end services. They process data such as request metadata, IP addresses, and logs needed to deliver and operate the application;
- Stripe hosts payment data on its own PCI-DSS-compliant infrastructure;
- Email and analytics providers host the data described in Section 4 on their own infrastructure.
Each of these providers is contractually obligated to implement appropriate technical and organisational security measures, to act only on documented instructions from Claro, and to assist us in meeting our obligations under applicable data-protection law.
8. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information against unauthorised access, disclosure, alteration, loss, or destruction. These include:
- Encryption in transit — HTTPS/TLS for all connections between your browser or device and our Services, and between our Services and our sub-processors;
- Encryption at rest — for the database, file storage, and backups maintained by Supabase, and for sensitive secrets such as broker API tokens (currently using AES-256 in Fernet construction);
- Authentication and access controls — Supabase Auth with hashed passwords and OAuth, JWT-based session tokens, optional MFA for end users, principle-of-least-privilege access for Claro personnel, and audit logging of administrative actions;
- Tenant isolation — Row-Level Security (RLS) policies on database tables that scope each row to its owning user, so requests authenticated as one user cannot read or modify another user's data;
- Network and platform security — managed firewalls, DDoS protection, and security patching provided by our cloud providers;
- Software security practices — code review, dependency scanning, security-relevant testing, and prompt patching of known vulnerabilities;
- Backups — encrypted, regularly scheduled backups for disaster recovery, with restricted access.
Despite these measures, no system is perfectly secure. You also have an important role to play: choose a strong, unique password (or use a trusted social login provider), enable MFA where available, keep your devices and browsers up to date, and notify us immediately if you suspect that your account has been compromised.
Breach notification. In the event of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authorities and affected users without undue delay, in accordance with applicable law (including the breach-notification requirements under PIPEDA, EU/UK GDPR, and similar laws).
9. Data Retention
We retain personal information only for as long as necessary to fulfil the purposes for which it was collected, including to provide the Services, comply with our legal, accounting, and reporting obligations, resolve disputes, and enforce our agreements. In general:
- Account data — for the life of your account; deleted, anonymised, or returned within thirty (30) days after you delete your account, subject to legal retention requirements;
- Trading Data — see Section 5;
- Broker API credentials — deleted promptly upon broker disconnection or account deletion;
- Billing and tax records — typically retained for six (6) to seven (7) years, or longer where local tax law requires;
- Server and security logs — typically retained for up to twelve (12) months, then deleted or aggregated;
- Support communications — typically retained for up to twenty-four (24) months after the matter is closed;
- Marketing contact data — until you unsubscribe, plus a reasonable period thereafter to honour your opt-out.
Where we anonymise data so that it can no longer reasonably be associated with you, we may retain and use that anonymised data indefinitely for analytics, research, and product improvement.
10. Cookies and Similar Technologies
We use cookies, browser local storage, and similar technologies to operate the Services, remember your preferences, keep you signed in, secure your account, measure performance, and understand how the product is used. We use the following broad categories:
- Strictly necessary — required to deliver the Services, including authentication, session management, and security (these cannot be disabled without breaking the Services);
- Functional — to remember settings such as language, time zone, and UI preferences;
- Analytics — to help us understand product usage and diagnose errors.
We do not use advertising cookies and do not allow third-party advertisers to track you across other sites through the Services. You can control cookies through your browser settings, and where required by law (e.g., in the EEA and UK) we will request your consent for non-essential cookies via a cookie banner. Disabling certain cookies may limit your ability to use the Services.
11. International Data Transfers
The Services are operated from Canada. Your personal information will be transferred to and processed in Canada, and may be processed by our sub-processors in other countries (including the United States and other jurisdictions where our cloud and SaaS providers operate). Privacy laws in those countries may differ from those in your country of residence.
Where we transfer personal information out of the EEA, the United Kingdom, or Switzerland to a country that has not been recognised as providing an adequate level of data protection, we rely on appropriate safeguards, such as:
- The European Commission's adequacy decision in respect of Canada for commercial organisations subject to PIPEDA;
- The European Commission's Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum (IDTA), supplemented by appropriate technical and organisational measures;
- Other lawful transfer mechanisms recognised under applicable law.
You may request a copy of the safeguards we use by contacting us using the details in Section 17.
12. Your Privacy Rights
Depending on where you live, you may have some or all of the following rights in relation to the personal information we hold about you:
- Access — receive a copy of the personal information we hold about you and information about how we process it;
- Rectification / correction — ask us to correct inaccurate or incomplete information;
- Deletion / erasure — ask us to delete personal information about you (subject to certain legal exceptions);
- Restriction or objection — ask us to restrict our processing or object to certain processing activities, including processing based on legitimate interests and direct marketing;
- Portability — receive certain personal information in a structured, commonly used, machine-readable format and ask us to transmit it to another controller (where technically feasible). The Harbor also provides in-app CSV export of much of your data;
- Withdrawal of consent — where we rely on your consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal;
- Automated decision-making — not be subject to a decision based solely on automated processing that produces legal or similarly significant effects (we do not currently make any such decisions about you, see Section 13);
- Complaint — lodge a complaint with your local data-protection or privacy authority. EU/EEA users may complain to their national supervisory authority; UK users may complain to the Information Commissioner's Office (ICO); Canadian users may complain to the Office of the Privacy Commissioner of Canada or to the relevant provincial regulator (e.g., Quebec's Commission d'accès à l'information).
Region-specific notes.
- United States — California, Virginia, Colorado, Connecticut, Utah, Texas, and similar laws. Residents of these states have rights to know, access, correct, delete, and (where applicable) limit the use of sensitive personal information and opt out of "sale" or "sharing" of personal information. Claro does not sell or share personal information for cross-context behavioural advertising. Trading Data is treated as sensitive personal information for purposes of these laws and is used only as described in Sections 2 and 5;
- Brazil (LGPD). You have rights to confirmation, access, correction, anonymisation, blocking or deletion of unnecessary or excessive data, portability, information about data sharing, and review of automated decisions, exercisable through the contact details in Section 17;
- Australia, Singapore, Japan, and other APAC jurisdictions. We honour the rights granted by the Privacy Act 1988 (Cth), PDPA, APPI, and similar laws as applicable.
To exercise any of these rights, contact us at admin@clarofoundry.com. We may need to verify your identity before fulfilling a request, particularly for access or deletion requests. We will respond within the timeframe required by applicable law (typically thirty (30) days, extendable where permitted). You may use an authorised agent where local law allows; we may ask the agent to demonstrate their authority.
We will not discriminate against you for exercising your privacy rights.
13. Automated Decision-Making and Profiling
We do not use your personal information to make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Analytics and simulations within The Harbor are tools that you direct and interpret; they do not make binding decisions about you.
14. Children's Privacy
The Services are intended for users who are at least 18 years old, or the age of legal majority in their jurisdiction (whichever is greater). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at admin@clarofoundry.com and we will take appropriate steps to delete that information.
15. Third-Party Links and Services
The Services may contain links to, or integrations with, third-party websites and services (including brokers, social login providers, and payment providers). This Privacy Policy does not apply to those third parties; their own privacy practices are governed by their own policies. We encourage you to review them before using those services.
16. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in the Services, our practices, or applicable law. The current version is always available at this URL, with the "Last Updated" date at the top. If we make material changes, we will notify you by email or through the Services before the changes take effect, where required by law. Your continued use of the Services after the effective date of an updated Policy constitutes your acceptance of the changes.
17. Contact Us
If you have questions or concerns about this Privacy Policy, our data practices, or wish to exercise any of your privacy rights, please contact us at:
Claro Foundry Inc.
Alberta, Canada
admin@clarofoundry.com
For privacy-specific requests, please include enough information for us to identify you and your account, and a clear description of your request. We may need to ask you for additional information to verify your identity before responding.