Raxx · internal docs

internal · gated

#3149 — Attorney-Drafted Privacy Policy + Terms of Service

Requirements Document for getraxx.com

Purpose: Requirements document for the attorney who will draft or finalize the Privacy Policy and Terms of Service for getraxx.com / raxx.app. Tells the attorney exactly what Raxx collects and processes, what data-subject rights infrastructure already exists, and what specific items the current placeholder pages still need. This document is NOT legal advice. Before deploying any attorney-finalized document, confirm the final text with licensed privacy counsel.

Last updated: 2026-06-29. Prior research: docs/business/privacy-policy-attorney-review-2026-05-27.md (detailed findings on the current draft PP). Verify live page state at getraxx.com/legal/ before the attorney meeting.

Drive filing required: Per feedback_human_to_human_drive.md, upload to MooseQuest Legal / Attorney Meetings before the privacy attorney call.

TL;DR

Raxx's current getraxx.com Privacy Policy is a good-faith draft with attorney sign-off still pending. PR #3868 cleaned the legal pages of internal scaffolding references, but the substantive content has not been finalized by counsel. The Terms of Service is a placeholder. The attorney's task is: (1) finalize the Privacy Policy against the full data-inventory below; (2) draft the Terms of Service from scratch against the product description and liability-posture facts below; (3) confirm the three open HIGH-severity findings from the May 2026 review. The attorney is a privacy specialist — a different engagement from Matthew Crosby (trademark/IP) and from the securities attorney (§ 202(a)(11)).

Entity Facts (for attorney intake)

Section 1 — What Raxx Collects and Processes

The attorney must draft the PP against this definitive data inventory. Every data type listed here must appear in the PP; any type in the PP that is not listed here should be flagged for removal or clarification.

1A. Waitlist / Pre-account

Data type Purpose Retention
Email address Waitlist enrollment; launch-notification email via Postmark Until account created or user requests deletion
Signup timestamp Rate limiting; launch analytics Same as email

Vendor: Postmark (email delivery). Postmark DPA on file per worktree DPA acknowledgements.

1B. Account and Authentication

Data type Purpose Retention
Email address Account identifier; 2FA communications; transactional email For life of account; deleted on account deletion
WebAuthn / passkey credential (public-key half only — private key never leaves user device) Passwordless authentication (RP ID: raxx.app) For life of account; deleted on account deletion
TOTP shared secret (if user enrolls TOTP as second factor) Two-factor authentication For life of account; deleted on account deletion
Account creation timestamp Security audit log Minimum 1 year post-account-deletion per security posture
Session tokens Authenticated session management Session-length TTL; cleared on logout
IP address (login events) Security / anomaly detection 90 days rolling (confirm with engineering)

Authentication mechanism: WebAuthn / passkeys (RP ID raxx.app) + TOTP as backup. No passwords stored. Hardware security keys supported. Source on RP ID: project_webauthn_rp_id_raxx_app.md

1C. Broker Connection and Trade Data

Data type Purpose Retention
Broker aggregator OAuth token (SnapTrade) API access to user's connected broker account Until user disconnects broker
Trade history (from connected broker) Structure-enforcement analysis; retrospective result display For life of account; user-controlled deletion
Options positions and fills (paper-trading engine — MBT) Paper-trading simulation For life of account; user-controlled deletion
Broker account metadata (account number suffix — NOT full account number) Account identification in UI For life of account

Critical framing requirement: The PP must NOT name the specific broker aggregator (SnapTrade) or any specific broker (Alpaca, IBKR, etc.) in customer-facing copy. Reference as "a regulated broker aggregator" or "your connected broker accessed via a regulated aggregator." Source: feedback_no_backend_branding.md; confirmed in existing PP cross-check (PASS).

1D. Shape Sentiment Journal

Data type Purpose Retention
User-asserted emotional labels (pre-trade and post-trade; e.g., Bullish / Bearish / Disciplined / Panicked) Personal sentiment journaling; filtered retrospective result display Subject to 24-hour lock window (user cannot edit labels for 24h after trade close); user can delete journal entries at any time after lock period
Journal entry timestamps Journal ordering; correlation with trade timestamps Same as labels

CPRA Sensitive PI flag: User-asserted emotion labels may constitute "psychological trends" Sensitive Personal Information under CPRA § 1798.140(ae). Attorney must confirm classification and advise on right-to-limit-use obligations (§ 1798.121) if Sensitive PI. Source: docs/business/questions-for-attorney.md §Q7 Source: docs/legal/research/shape-1-personal-sentiment-journal-compliance-2026-06-05.md

CPRA threshold status: MooseQuest LLC is a pre-revenue startup. As of 2026-06-29, Raxx does not meet CCPA/CPRA mandatory applicability thresholds (100k consumers or 25k consumers with 50% revenue from data sale). The PP voluntarily extends CPRA-style rights. The attorney should advise whether voluntary extension of CPRA rights carries the same Sensitive PI obligations.

1E. Analytics

Data type Purpose Retention
Microsoft Clarity session recordings and heatmaps Product analytics; UX improvement Per Microsoft Clarity data retention policy (confirm with attorney)
Page-view events, click events, session metadata Aggregate product analytics Per Microsoft Clarity policy

No Google Analytics. Microsoft Clarity is the sole analytics vendor. Clarity does NOT offer an EU-compliant DPA on the free tier; EU users are geo-blocked so this is not a current compliance gap. Confirm with attorney whether any US-state privacy law (California CPRA once thresholds are met) requires disclosure of Clarity session recordings as a form of behavioral tracking. Microsoft Clarity privacy info: https://learn.microsoft.com/en-us/clarity/faq

Cookie / tracking status: Clarity sets cookies and collects behavioral data. The current PP discloses this but notes a "cookie consent banner in development." The attorney should advise whether the current email-based opt-out (contact privacy@raxx.app) is sufficient for US-only users at Raxx's current threshold status, and whether the "in development" forward-looking language should be removed. Prior finding (HIGH severity): docs/business/privacy-policy-attorney-review-2026-05-27.md Finding 2 — "cookie banner in development" language.

1F. Support / Ticketing

Data type Purpose Retention
Inbound support email content (customer-provided) Support ticket handling via FreeScout Per FreeScout ticket retention policy; user can request deletion
Support ticket metadata (timestamps, thread ID) Ticket tracking; audit Retain for support SLA purposes
Automated-reply metadata Delivery confirmation 90 days

Vendor: FreeScout (self-hosted ticketing) + Postmark (email delivery). Support queue: support@raxx.app. Privacy inquiries: privacy@raxx.app. Source: project_freescout_api_key.md; project_email_addresses.md

1G. Transactional Email

Data type Purpose Retention
Email address (used in Postmark sends) Transactional delivery (waitlist confirmation, account emails, policy-change notice) Per Postmark data retention; unsubscribes honored per Postmark suppression list

Vendor: Postmark (approved out of sandbox 2026-05-09). No marketing email via Postmark. No third-party ESP (Mailchimp, Klaviyo, etc.). Source: project_postmark_approved.md

1H. Billing

Data type Purpose Retention
Stripe customer record (email, billing address, last-4 of card) Subscription billing; refund processing Per Stripe data retention; Stripe holds payment card data as PCI-DSS processor; MooseQuest LLC is not a card data custodian
Subscription tier, billing dates, invoice history Account entitlement; billing history For life of subscription + 7 years (tax record retention; confirm with CPA)
Apple IAP receipt / transaction ID iOS in-app subscription management; entitlement verification For life of subscription; Apple holds payment card data

Dual billing track: Web/desktop subscribers via Stripe; iOS subscribers via Apple StoreKit 2 / IAP. Both are disclosed in the PP. Source: project_ios_billing_iap.md

MooseQuest LLC does NOT hold raw payment card data. Stripe and Apple are the card processors. The PP should make this clear (MooseQuest LLC is "data controller" for account data; Stripe/Apple are "data processors" for payment data in their capacity as PCI-DSS-compliant processors).

Section 2 — Data Retention Posture

Data category Retention period Deletion mechanism
Waitlist email (pre-account) Until account created or DSR deletion request Manual process via support@raxx.app; self-service tool on roadmap
Account / auth credentials For life of account; deleted within 30 days of account deletion DSR process (issue #1686)
Trade data (from connected broker) For life of account; user-controlled connection removal Broker disconnect removes API token; trade history retained until account deletion
Shape sentiment journal labels 24-hour lock window after trade close; user can delete after lock; full deletion on account deletion In-product deletion (post lock-window) + DSR
Support tickets 2 years from last activity (confirm with attorney) On written DSR request
Analytics (Clarity) Per Microsoft Clarity policy Contact privacy@raxx.app to opt out of Clarity data collection
Billing records Life of subscription + 7 years Tax record retention; cannot be deleted on DSR during legal-hold period

DSR infrastructure note: The account-merge and DSR cascade feature (#3253, closed) handles account deletion cascades. The self-service deletion tool is on the product roadmap but not yet shipped; the PP should not commit to a specific date for it. Prior finding (HIGH severity — "2026-Q3 deletion tool" date commitment): docs/business/privacy-policy-attorney-review-2026-05-27.md Finding 1

Section 3 — Geographic Posture

Region Status PP treatment
United States Open (all states) PP governs; US-state privacy laws (CCPA/CPRA voluntary extension, PA UTPCPL) apply
EU / EEA Geo-blocked at account creation PP states Raxx does not knowingly accept EU/EEA users; geo-block is the mechanism; Art. 27 EU representative not required while geo-block is enforced
Quebec, Canada Geo-blocked at account creation PP states Raxx does not knowingly accept Quebec residents; geo-block is the mechanism; Bill 96 / Law 14 French-language obligation does not apply while geo-blocked
Rest of Canada Open — not geo-blocked (non-Quebec) US-law posture; no Canadian provincial privacy law specific treatment in current draft — attorney should advise on PIPEDA exposure
United Kingdom Not geo-blocked Attorney should advise on UK GDPR / FSMA 2000 § 21 financial promotion exposure for UK retail users
Other international Not geo-blocked Attorney should flag any jurisdiction where retrospective options-trading software creates a specific disclosure or registration obligation

Section 4 — Open HIGH-Severity Findings from Prior Review

The following three items from docs/business/privacy-policy-attorney-review-2026-05-27.md (findings dated 2026-05-27) remain open and must be resolved by attorney sign-off:

Finding 1 (HIGH) — "2026-Q3" deletion tool date commitment

Location: Section 8 of the current live PP. Risk: FTC § 5 (15 U.S.C. § 45) — a specific forward-looking date commitment in a published PP is an enforceable promise. If the Q3 self-service deletion tool slips (a realistic outcome for a pre-revenue startup), this is a documented broken promise. Required action: Remove the date. Replace with capability-based language (no timeline). Proposed rewrite options: See docs/business/privacy-policy-attorney-review-2026-05-27.md Finding 1, Options A / B / C. Attorney question: Which rewrite option minimizes enforcement risk while preserving good-faith consumer disclosure at Raxx's current (voluntary, non-CPRA-mandatory) posture?

Location: Section 6 cookie table + Section 6 body paragraph of current live PP. Risk: Same FTC § 5 "in development" broken-promise risk. Additionally, referencing GitHub issue #590 publicly in the PP creates a discovery artifact. Required action: Remove "in development" language. Remove all GitHub issue references from the live PP. Replace with current functional capability only (email opt-out only). Attorney question: Does the email-based opt-out mechanism satisfy any applicable opt-out standard for analytics cookies under current US law at Raxx's threshold status?

Finding 3 (HIGH) — 30-day material-change notification commitment

Location: Section 13 of current live PP. Risk: Operational: can Raxx actually fire a policy-change email to all registered users on a 30-day advance-notice cadence? The commitment must be operationally achievable. Required action: Retain "and/or prominent notice on the platform" language as a fallback; do NOT rewrite to "email only." Attorney question: Does voluntary CPRA extension bind Raxx to the 30-day standard? Can this be shortened to 15 days without affecting compliance posture? Primary source (CPRA § 1798.135): https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.135.

Section 5 — What the Terms of Service Must Cover

The ToS is currently a placeholder on getraxx.com/legal/terms. The attorney will draft it from scratch. The following are the minimum required clauses; the attorney should identify any gaps.

5A. Subscription terms

5B. Investment-advice disclaimer

Attorney must finalize this language — the above is a draft. The same language should appear in the getraxx.com footer (see Packet 2, Section D).

5C. Limitation of liability

Standard SaaS limitation-of-liability clause. For a trading-tools platform, the attorney should advise whether the limitation should specifically address: - Trading losses incurred by users acting on their own rules enforced by Raxx - Data accuracy limitations (broker feed latency, fill-price approximations in paper trading) - Outage-period trading decisions (if Raxx is unavailable, user decisions are their own)

5D. Acceptable use / prohibited conduct

5E. IP and content license

5F. Governing law and dispute resolution

Source: PA UTPCPL (73 P.S. § 201-9.2 — private right of action): https://www.attorneygeneral.gov/wp-content/uploads/2018/02/Unfair_Trade_Practices_Consumer_Protection_Law.pdf

5G. Term and termination

5H. Changes to ToS

Section 6 — CCPA / CPRA Posture

Current threshold status: MooseQuest LLC does NOT meet CCPA/CPRA mandatory applicability thresholds as of 2026-06-29: - Annual gross revenue < $25M (pre-revenue startup) - Number of consumers whose PI is sold or shared for cross-context behavioral advertising annually: 0 (Raxx does not sell data) - Does not derive 50% or more of annual revenue from selling or sharing personal information

Source (CPRA thresholds): Cal. Civ. Code § 1798.140(d): https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140.

Voluntary extension: The current PP voluntarily extends certain CPRA-style rights (right to know, right to delete, right to correct) to all users. The attorney should advise whether this voluntary extension creates enforceable obligations identical to mandatory CPRA compliance, and whether it is advisable to: - Maintain the voluntary extension (user-trust benefit) - Narrow the voluntary extension language (reduces enforcement exposure) - Remove the voluntary extension and replace with a US-only general privacy commitment

Shape CPRA Sensitive PI question: Do user-asserted emotion labels fall within "psychological trends" Sensitive PI under CPRA § 1798.140(ae)? If yes, the right-to-limit-use obligation (§ 1798.121) applies once Raxx crosses CPRA thresholds. Source: Cal. Civ. Code § 1798.140(ae): https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.140. Source: Cal. Civ. Code § 1798.121: https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=CIV&sectionNum=1798.121.

Section 7 — GDPR / EU Posture

Raxx geo-blocks EU/EEA signups at account creation. This is the primary mechanism for avoiding GDPR data-controller obligations for EU residents.

Open questions for attorney:

  1. Art. 27 EU representative: The geo-block decision (locked per project memory) was predicated on "no EU users = no Art. 27 obligation." Confirm this remains the correct analysis and that the geo-block is sufficient to avoid the Art. 27 EU representative requirement.

  2. Relocating user scenario: If a US-enrolled user relocates to the EU after enrollment and has emotion labels / trade data stored in Raxx, does GDPR Art. 17 (right to erasure) apply to those labels upon relocation? Does the relocating-user scenario reopen the Art. 27 question? The existing DSR operating procedure (#1686) should explicitly include a "former US user now in EU" category. Source: GDPR Art. 17: https://gdpr-info.eu/art-17-gdpr/ Source: GDPR Art. 27: https://gdpr-info.eu/art-27-gdpr/

  3. Shape GDPR Art. 9 flag: User-asserted emotional labels may constitute "data concerning health" or "psychological data" within the scope of Art. 9 special categories. If a future EU user (e.g., a relocating user) has labels stored, does Art. 9 apply? Attorney should advise on whether the explicit-consent basis (Art. 9(2)(a)) would be required. Source: GDPR Art. 9: https://gdpr-info.eu/art-9-gdpr/

Section 8 — Specific Items Still Missing from the Placeholder Pages

After PR #3868 (internal scaffolding removal), the following items remain absent or incomplete on the live legal pages. The attorney must address each:

Item Location Status Required action
Privacy Policy — "2026-Q3 deletion tool" date commitment Section 8 Still present (HIGH) Remove date; attorney to choose rewrite option
Privacy Policy — "cookie banner in development" + issue #590 reference Section 6 Still present (HIGH) Remove "in development" + remove issue reference
Privacy Policy — operational 30-day email notice question Section 13 Needs attorney confirm Attorney to advise on period and fallback language
Privacy Policy — privacy@raxx.app operational confirmation Section 14 Unconfirmed Operator to confirm alias is provisioned + routed
Privacy Policy — Shape sentiment journal labels as CPRA Sensitive PI Not addressed Missing entirely Attorney to add Sensitive PI disclosure if required
Privacy Policy — effective date and last-updated date both need update Meta Stale (last updated 2026-05-13, effective 2026-05-23) Update to date of attorney-reviewed revision
Terms of Service — full draft getraxx.com/legal/terms Placeholder only Attorney to draft from scratch against Section 5 of this packet
Terms of Service — investment-advice disclaimer Embedded in ToS Missing Attorney to draft and confirm
Terms of Service — automatic-renewal disclosure Embedded in ToS Missing Required under FTC negative-option rule and CA Bus. & Prof. Code § 17600

Section 9 — Timing / Deadlines

Item Deadline Stakes
Privacy Policy attorney sign-off Before FLAG_WAITLIST_DATASTORE is flipped to collect live waitlist email Collecting email without an attorney-reviewed PP is an FTC § 5 / CPRA voluntary-extension exposure
ToS attorney draft complete Before first paid subscriber Subscription agreement must exist before Stripe or Apple IAP charges are accepted
Shape Sensitive PI addition to PP Before Shape ships to any paid user CPRA right-to-limit-use disclosure required if emotion labels are Sensitive PI
"2026-Q3" deletion tool language removed Before any public waitlist collection High-severity broken-promise risk in current draft
Footer disclaimer (from Packet 2 / securities attorney) Before getraxx.com public marketing Investment-advice disclaimer must be in ToS AND in footer

Questions for the Privacy / ToS Attorney

Must resolve before waitlist opens:

  1. Are the three HIGH-severity findings from the May 2026 review (Section 4 of this packet) resolved by the rewrite options proposed, or do you recommend different language?

  2. Is the email-based opt-out for Microsoft Clarity analytics (contact privacy@raxx.app) sufficient for US-only users at Raxx's current pre-CPRA-threshold status? What is the minimum required opt-out mechanism under current US law?

  3. Does voluntary extension of CPRA-style rights bind MooseQuest LLC to the same enforcement standards as a mandatory CPRA-covered business? Is it advisable to maintain the voluntary extension, narrow it, or remove it at this stage?

  4. Do user-asserted emotion labels in Shape (before/after trade emotional state) constitute "psychological trends" Sensitive Personal Information under CPRA § 1798.140(ae)? What disclosure and right-to-limit-use obligations apply?

Must resolve before first paid subscriber:

  1. Draft the Terms of Service against the requirements in Section 5 of this packet. What is your flat-fee or hourly estimate for a ToS of this scope?

  2. For the subscription terms: what is the required disclosure format for the automatic-renewal clause under FTC Negative Option Rule and CA Bus. & Prof. Code § 17600 for a SaaS platform with US-national customers?

  3. For the governing-law / dispute-resolution section: should the ToS include an arbitration clause and class-action waiver? How does PA UTPCPL's private right of action (73 P.S. § 201-9.2) interact with a class-action waiver?

GDPR / international:

  1. Is the EU geo-block a sufficient mechanism to avoid GDPR data-controller obligations, including Art. 27 EU representative requirements?

  2. If a US-enrolled user relocates to the EU after enrollment, does GDPR Art. 17 (right to erasure) apply to their Shape sentiment labels stored in Raxx?

  3. Do user-asserted emotional labels constitute "data concerning health" under GDPR Art. 9 for any relocating EU user?

Attorney Profile Required

This engagement requires a privacy attorney with: - US state privacy law (CCPA / CPRA) experience - FTC Section 5 consumer-protection background - SaaS subscription agreement drafting experience - Familiarity with financial-services-adjacent products (not required to be a securities attorney — that is a separate engagement per Packet 2) - PA domicile or PA-admitted (preferred given PA UTPCPL exposure)

This is NOT Matthew Crosby (trademark/IP) and NOT the securities attorney (§ 202(a)(11)). Three separate attorney engagements are contemplated: 1. Adam Schwartz — IP Assignment (Packet 1) 2. Securities attorney (Lex Nova / Stark & Stark / Parker MacIntyre) — § 202(a)(11) (Packet 2) 3. Privacy attorney — PP + ToS (this packet)

Candidate firms (from prior research): - Eckert Seamans Cherin & Mellott LLC (Philadelphia/Pittsburgh) — documented PA UTPCPL strict-liability expertise; published directly on the 2021 Gregg v. Ameriprise shift Source: https://www.eckertseamans.com/legal-updates/consumer-protection-law-ruling-could-spell-big-trouble-for-pennsylvania-businesses - Ballard Spahr LLP (Philadelphia) — consumer financial services privacy practice - Duane Morris LLP (Philadelphia) — documented fintech + consumer protection

Estimated cost: - PP review + finalization: $1,500–$4,000 flat fee (unsourced — confirm at intake) - ToS drafting from scratch (SaaS subscription): $3,000–$8,000 (unsourced — confirm) - Combined PP + ToS engagement: $4,500–$12,000 (unsourced — confirm) Source: Prior cost estimate: docs/business/privacy-policy-attorney-review-2026-05-27.md LawPay attorney hourly rate survey: https://www.lawpay.com/about/blog/lawyer-hourly-rate-by-state/

Documents to Send at Engagement

  1. This packet (2026-06-29-privacy-policy-tos-attorney-requirements.md)
  2. docs/business/privacy-policy-attorney-review-2026-05-27.md — prior review findings
  3. Current live getraxx.com/legal/privacy (screenshot or PDF export — get current version)
  4. Current live getraxx.com/legal/terms (screenshot — placeholder state)
  5. docs/legal/research/shape-1-personal-sentiment-journal-compliance-2026-06-05.md — Shape CPRA Sensitive PI and in-flow consent analysis
  6. docs/business/questions-for-attorney.md §§ F, I, Q7–Q9 — relevant prior questions

Sources

Before deploying any Privacy Policy or Terms of Service, or relying on any regulatory characterization in this document, obtain final review and sign-off from a licensed privacy attorney with CCPA / CPRA and FTC § 5 experience. This document is requirements-and-prep material only. It does NOT constitute legal advice.