Raxx · internal docs


Privacy Policy + Terms of Service — Attorney Engagement Brief

GitHub Issue: #3149

PREPARATION MATERIAL — NOT LEGAL ADVICE. This document is a research and briefing packet prepared for the operator to hand to a licensed privacy/technology-transactions attorney. Nothing here constitutes legal advice, legal opinion, or a legal conclusion. Before drafting, filing, or publishing any policy or terms document, consult a privacy attorney licensed in Pennsylvania and familiar with US internet commerce law and applicable data-protection frameworks.

Last updated: 2026-07-01. Verify freshness of all regulatory citations before use.


TL;DR (3 sentences)

MooseQuest LLC (PA single-member, dba Raxx) needs an attorney-drafted Privacy Policy and Terms of Service live on getraxx.com before public launch. CCPA/CPRA is the primary US data-privacy regime in scope; the GDPR posture must be resolved based on whether EU beta users will be served at launch. The operator has nine decision items (Section 5: retention windows, DSR SLA, sub-processor list, cookie/consent posture, EU user policy and the consequent EU representative appointment, arbitration, limitation-of-liability cap, governing law, age restriction floor) that the attorney needs answered before drafting.


1. Company and Product Facts (Attorney Reference Sheet)

Legal name: MooseQuest LLC
Type: Single-member LLC
State of formation: Pennsylvania
Trade name / DBA: Raxx
Consumer-facing domain: getraxx.com
App domain: raxx.app
Operator / sole member: Kristerpher Henderson
Registered address: Northwest Registered Agent, 502 W 7th St Ste 100, Erie PA 16502-1333

Product Description

Raxx is a retrospective trading-structure and journaling SaaS. Users connect their own brokerage account (via their own credentials / OAuth with their own broker), enter trades and structure rules (entry price, credit target, exit trigger), and Raxx surfaces retrospective analysis of whether the user followed their own pre-defined rules. Raxx does not execute trades autonomously. Raxx does not provide forward-looking investment recommendations. All analysis is of the user's own historical trade data.

Pricing Tiers

Tier | Price | Notes
Free | $0 | Limited features
Pro | $39/mo | Full feature set
Pro+ | $79/mo | Full feature set + advanced analytics
Founders | $29/mo for 6 mo, then $79/mo | Intro cohort; same features as Pro+

Payments processed via Stripe (web) and Apple IAP / StoreKit 2 (iOS).


2. Data Inventory (What the Policy Must Describe)

Data Categories Collected

Category | Source | Notes for Attorney
Account identity | User registration | Name, email address
Authentication credentials | User creation | Passkeys (WebAuthn); RP ID is raxx.app. Raxx stores only each credential's public key and credential ID; there is no password for Raxx to store or to lose in a breach.
Brokerage connection data | User-initiated OAuth with user's own broker | Trade history, positions, account info. The user owns this data; Raxx receives it as a service processor. The policy should also describe that Raxx holds the broker-issued OAuth token and how the user revokes the connection.
User-entered trade structure | App input forms | Entry price, credit target, exit rules, strike, expiration; all user-defined
Sentiment + journal entries | App input forms (Shape 1 feature) | See Section 3 below
Payment data | Stripe (web) / Apple IAP (iOS) | Raxx does not store card data; PCI scope is handled by Stripe / Apple
Email communications | Postmark | Transactional only (receipts, confirmations, feature comms)
Web analytics | Microsoft Clarity on getraxx.com | Heatmaps, session recordings, click analytics; marketing/pre-login surface only. Operator should confirm Clarity's content-masking setting so recordings never capture text typed into any form on getraxx.com.
Support tickets | FreeScout (self-hosted) | Inbound from support@raxx.app
App analytics | TBD (see open questions) | In-app behavioral analytics vendor not yet selected

Data Raxx Does NOT Collect or Sell

Sub-Processor Preliminary List (Operator Must Finalize)

The attorney will need a complete sub-processor list. Confirmed processors:

Sub-processor | Role | Data received
Heroku (Salesforce) | Application hosting + compute | All application data at rest and in transit
Cloudflare | CDN, WAF, Zero Trust Access | Request metadata, IP addresses
Stripe | Web payment processing | Payment card data, billing identity
Apple (IAP) | iOS subscription billing | iOS user payment data
Microsoft Clarity | Marketing site analytics | IP, session recordings, click data on getraxx.com
Postmark (Wildbit/ActiveCampaign) | Transactional email | Email address, message content
FreeScout | Support ticketing (self-hosted on operator infrastructure) | Support correspondence. Because FreeScout is self-hosted, the sub-processor for this data is whichever provider hosts that instance, not FreeScout itself; operator to confirm where it runs.

Sources:

https://www.heroku.com/policy/privacy
https://www.cloudflare.com/privacypolicy/
https://stripe.com/privacy
https://www.apple.com/legal/privacy/
https://privacy.microsoft.com/en-us/privacystatement
https://postmarkapp.com/privacy-policy

3. Sentiment + Journal Data (Shape 1) — Special Disclosure Section

The attorney must draft accurate, precise language for this data category. Key facts:


4. Privacy Regimes in Scope

4a. CCPA / CPRA (California)

Threshold analysis: CCPA/CPRA applies to for-profit businesses doing business in California that meet any one of:

  1. Annual gross revenue above $26.6M (2025-2026 inflation-adjusted threshold)
  2. Buy, sell, or share the personal information of 100,000 or more California consumers or households annually
  3. Derive 50% or more of annual revenue from selling or sharing California consumers' personal information

At launch, Raxx likely does not meet threshold (1) or (3). Whether threshold (2) is met depends on user scale. The attorney should draft a CCPA-compliant policy from day one regardless — the cost of retrofitting after crossing the threshold exceeds the cost of building it correctly from the start.

CPRA updates effective 2026:

  - Automated Decision-Making Technology (ADMT) requirements take effect in 2027. The attorney should assess whether Raxx's rule-based automation constitutes ADMT under the CPPA's definition (it likely does not, since the rules are user-defined and Raxx executes no trades, but the attorney must confirm).
  - Regulations finalized in September 2025 clarify risk-assessment requirements.

Required policy elements (CCPA §1798.100 et seq.):

  - Categories of personal information collected, and the purposes for each
  - How consumers exercise their rights (Know, Delete, Correct, Opt-Out of sale/sharing, Limit use of sensitive personal information)
  - A "Do Not Sell or Share My Personal Information" mechanism, or a statement that Raxx does not sell or share (the operator claims this is the case; the attorney must verify that no vendor arrangement, Clarity analytics included, qualifies as a "sale" or "share")
  - DSR contact method

Sources:

https://oag.ca.gov/privacy/ccpa
https://cppa.ca.gov/regulations/
https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126

4b. GDPR (EU/EEA)

Threshold question for attorney: GDPR applies to controllers and processors not established in the EU when they offer goods or services to data subjects in the EU (Article 3(2)(a)) or monitor their behaviour (Article 3(2)(b)). Mere reachability of getraxx.com from the EU does not by itself engage Article 3(2)(a) (Recital 23), but knowingly onboarding EU-based beta users, even a single one, is strong evidence that Raxx envisages offering the service to EU data subjects.

Operator must decide: will Raxx explicitly block EU users at launch, or allow them? This is the single most important GDPR scoping decision. Options:

  - Block EU users at launch (geolocation gate at signup plus a Terms clause stating the service is not available in the EU/EEA). This avoids full GDPR obligations for now, provided the gate is actually enforced rather than merely stated in the Terms.
  - Serve EU users. This requires a lawful basis for processing (contract, consent), a privacy notice meeting Articles 13/14, a data-subject-rights process, DPAs and SCCs (or another Chapter V transfer mechanism) for US-based processors, and an EU Representative appointed under Article 27.
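As an added illustration of what the "geolocation gate" option means in practice (example code written for this brief; it is not Raxx's code and the brief does not describe how the gate will be built), the Python below decides per request whether signup should be refused. It assumes the app sits behind Cloudflare and reads the CF-IPCountry header Cloudflare adds to proxied requests; the country set, the fail-closed default, and the use of HTTP 451 are this example's choices, not decisions the operator has made.

```python
"""EU/EEA geolocation gate (illustrative; not Raxx's code).

Assumption: all traffic reaches the app through Cloudflare, which sets the
CF-IPCountry request header to an ISO 3166-1 alpha-2 code, "XX" when the
country is unknown, or "T1" for Tor exit traffic. The header can only be
trusted if the origin is unreachable except through Cloudflare (for example,
the origin allow-lists Cloudflare's IP ranges); otherwise any client can
simply send its own CF-IPCountry value and walk through the gate.
"""

# The 27 EU member states.
EU_MEMBERS = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE",
}
# The three EEA EFTA states, where the GDPR also applies.
EEA_EFTA = {"IS", "LI", "NO"}
# Switzerland (CH) and the UK (GB) have their own regimes and are
# deliberately not in this set; gating them is a separate decision.
GATED_COUNTRIES = EU_MEMBERS | EEA_EFTA

# Cloudflare's non-country sentinel values for CF-IPCountry.
UNKNOWN_COUNTRY = "XX"
TOR_EXIT = "T1"

# RFC 7725 defines 451 for content withheld for legal reasons.
BLOCK_STATUS = 451


def gate_decision(headers: dict, fail_closed: bool = True) -> tuple[bool, str]:
    """Return (allowed, reason) for one request's headers.

    fail_closed controls what happens when the country cannot be determined
    (missing header, "XX", or Tor). Blocking in that case is the conservative
    choice for a "not available in the EEA" posture; the operator decides.
    """
    # HTTP header names are case-insensitive; normalise once before lookup.
    normalised = {name.lower(): value for name, value in headers.items()}
    country = normalised.get("cf-ipcountry", "").strip().upper()

    if not country or country in (UNKNOWN_COUNTRY, TOR_EXIT):
        label = country or "missing"
        if fail_closed:
            return False, f"country undetermined ({label}); blocked"
        return True, f"country undetermined ({label}); allowed"

    if country in GATED_COUNTRIES:
        return False, f"{country} is in the EU/EEA; blocked"
    return True, f"{country} permitted"


def handle_signup(headers: dict) -> tuple[int, str]:
    """Minimal signup-endpoint front: HTTP status and body for the gate outcome."""
    allowed, _reason = gate_decision(headers)
    if allowed:
        return 200, "ok"
    return BLOCK_STATUS, "Raxx is not available in the EU/EEA at this time."


if __name__ == "__main__":
    # Constructed sample requests for demonstration, not captured traffic.
    samples = [
        {"CF-IPCountry": "DE"},
        {"cf-ipcountry": "us"},
        {},
        {"CF-IPCountry": "T1"},
        {"CF-IPCountry": "GB"},
    ]
    for sample in samples:
        print(sample, "->", handle_signup(sample), gate_decision(sample)[1])
```

Two practical points. First, the same check is better enforced at the Cloudflare edge (a WAF custom rule matching the request's country field) so that blocked traffic never reaches Heroku; the application-side check above is then defence in depth and the record that the gate applied at account creation. Second, the gate belongs on account creation and login for raxx.app; whether the getraxx.com marketing site (and Clarity on it) is also gated is part of decision D-4.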

EU Representative requirement: if EU users are served, Article 27 GDPR requires the written designation of a representative established in the EU. Failure is itself a violation (Article 83(4); up to €10M or 2% of global annual turnover, whichever is higher). Article 27(2)(a) exempts processing that is occasional, does not include large-scale processing of special categories of data, and is unlikely to result in a risk to data subjects; whether Raxx fits that exemption is for the attorney to assess. Third-party EU Rep services cost ~$300-800/year.

Sub-processor chain: Heroku, Cloudflare, Stripe and Postmark all process EU personal data if EU users are served. Standard Contractual Clauses (SCCs) or EU-US Data Privacy Framework (DPF) certification must be confirmed for each, and the DPA with each must be in place.

Sources:

https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
https://gdpr.eu/companies-outside-of-europe/
https://gdpr-info.eu/art-27-gdpr/

4c. Other State Privacy Laws

Several US states have enacted privacy laws materially similar to CCPA. At launch, the attorney should assess Virginia (VCDPA), Colorado (CPA), and Texas (TDPSA) as the most consequential beyond California. An attorney-drafted policy built to CCPA standard with GDPR awareness is generally a sufficient baseline for most state laws; the attorney can advise on any state-specific carve-outs needed.


5. Operator Decision List (Attorney Needs Answers to These Before Drafting)

The attorney cannot finalize the policy without the operator's answers to the following. Bring these decisions to the first engagement meeting.

# | Decision | Why the attorney needs it | Notes
D-1 | Data retention windows | Policy must state how long each data category is kept | Typical SaaS: account data retained for the life of the account plus 30-90 days after deletion; logs shorter. Operator must decide.
D-2 | DSR response SLA | CCPA: 45 days, extendable by a further 45; GDPR: one month, extendable by two further months (Article 12(3)). Policy must commit to a window | Recommend 30 days to satisfy both
D-3 | Complete sub-processor list | Privacy Policy typically discloses categories of processors; GDPR requires more granularity | Operator to finalize and verify the Section 2 list
D-4 | Cookie + consent posture | Microsoft Clarity on getraxx.com drops cookies. If EU users are served, prior opt-in consent is required before Clarity loads. CCPA requires no opt-in banner, but if Clarity's data flow qualifies as "sharing", an opt-out of sale/sharing must be offered and Global Privacy Control browser signals must be honoured | Operator must decide: geo-gate EU or implement consent management
D-5 | EU user policy | Are EU users allowed to sign up at launch? This determines GDPR applicability scope and whether an Article 27 EU Representative must be appointed | Operator decision; has major cost/complexity implications
D-6 | Arbitration clause | ToS: operator must decide on binding arbitration plus class-action waiver, or not. CA has specific rules on enforceability of consumer arbitration clauses | Attorney advises; operator decides governing approach
D-7 | Limitation-of-liability cap | ToS: typical SaaS cap is 12 months of fees paid. Must be set explicitly | Operator decides cap amount
D-8 | Governing law + venue | Operator preference is PA; attorney must confirm PA courts are appropriate and draft the choice-of-law clause | CA residents may have additional rights regardless of the governing-law clause
D-9 | Age restriction floor | COPPA applies to users under 13; CCPA requires opt-in consent before selling or sharing data of consumers under 16. Is Raxx 18+ only? | If 18+ only, policy must state it and ToS must have an age-gate acknowledgment; COPPA obligations significantly reduced

6. Terms of Service — Securities-Sensitive Caveat Requirements

The ToS must include securities-adjacent disclaimers. This brief is prepared in coordination with the securities attorney engagement (see companion document: docs/business/legal/2026-07-01-securities-attorney-question-list.md and GitHub issue #3141). Key ToS requirements the privacy/tech-transactions attorney must coordinate with the securities attorney on:

The securities attorney (engagement: #3141) should review and approve this disclaimer language before the privacy/tech-transactions attorney finalizes the ToS. Recommend a single joint review meeting with both attorneys.


7. DSR Intake Path

Intake path being stood up:

  - Email: privacy@raxx.app
  - Ticket system: FreeScout (self-hosted)
  - Workflow: inbound email to privacy@ creates a FreeScout ticket; fulfilment is manual

Attorney should assess:

  - Whether a webform (in addition to email) is required under any applicable law. CCPA requires two or more designated request methods unless the business operates exclusively online and has a direct relationship with the consumer, in which case an email address alone suffices (Civ. Code §1798.130(a)(1)(A)); attorney to confirm Raxx qualifies.
  - Whether automated verification of requestor identity is needed. The ticket system records a request but does not verify it; verification (for example, confirming the request originates from the email address on the account) must be a defined step in the workflow.
  - Whether the FreeScout stack constitutes a "verifiable consumer request" mechanism under CCPA (generally yes for email-based verification)


8. Timing

No regulatory hard deadline for a privacy policy as a matter of law, but:

  - CCPA and GDPR require a policy to be in place and accessible before personal data is collected from users in those jurisdictions
  - "Before launch" is effectively the deadline for publication on getraxx.com
  - The operator has indicated launch is imminent; attorney engagement should be prioritized immediately


9. Questions for the Privacy / Tech-Transactions Attorney

Bring these to the first engagement:

  1. Given Raxx's current user scale (pre-launch), are we below all CCPA thresholds — and should we nonetheless publish a CCPA-compliant policy from day one?
  2. If EU beta users exist before the full GDPR posture decision is made, what is the minimum-viable GDPR posture to avoid Article 83 exposure?
  3. Does Microsoft Clarity on getraxx.com (before login) constitute "sharing" personal information under CCPA §1798.140(ah)?
  4. Does Apple IAP data flow (where Apple controls the user relationship) create any CCPA or GDPR obligations for MooseQuest LLC as a controller?
  5. What is the enforceability posture of a mandatory arbitration / class-action waiver for California residents under current CA law?
  6. Can the limitation-of-liability clause disclaim liability for trading losses specifically, or will a court in PA / CA strike that?
  7. Does the user-entered brokerage OAuth connection make Raxx a "data broker" under any applicable state law (CA Data Broker Registration, e.g.)?
  8. How should the sentiment/journal data category (Section 3) be characterized in the policy — is it "sensitive personal information" under CCPA or GDPR?
  9. What is the recommended update/versioning mechanism for the policy (material change notice window, consent re-gate, etc.)?
  10. Should the attorney coordinate directly with the securities attorney on the investment-adviser disclaimer language in the ToS?

Sources

https://oag.ca.gov/privacy/ccpa
https://cppa.ca.gov/regulations/
https://cppa.ca.gov/faq.html
https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126
https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
https://gdpr.eu/companies-outside-of-europe/
https://gdpr-info.eu/art-27-gdpr/
https://iapp.org/news/a/territorial-scope-of-the-gdpr-from-a-us-perspective
https://www.heroku.com/policy/privacy
https://www.cloudflare.com/privacypolicy/
https://stripe.com/privacy
https://www.apple.com/legal/privacy/
https://privacy.microsoft.com/en-us/privacystatement
https://postmarkapp.com/privacy-policy

Before acting on any item in this document, consult a privacy attorney and/or technology-transactions attorney licensed in Pennsylvania and familiar with US internet commerce, CCPA/CPRA, and GDPR.

Human-to-human deliverable: this document should also be saved to the operator's Google Drive legal folder for easy retrieval at attorney meetings.