Privacy Policy + Terms of Service — Attorney Engagement Brief
GitHub Issue: #3149
PREPARATION MATERIAL — NOT LEGAL ADVICE. This document is a research and briefing packet prepared for the operator to hand to a licensed privacy/technology-transactions attorney. Nothing here constitutes legal advice, legal opinion, or a legal conclusion. Before drafting, filing, or publishing any policy or terms document, consult a privacy attorney licensed in Pennsylvania and familiar with US internet commerce law and applicable data-protection frameworks.
Last updated: 2026-07-01. Verify freshness of all regulatory citations before use.
TL;DR (3 sentences)
MooseQuest LLC (PA single-member, dba Raxx) needs an attorney-drafted Privacy Policy and Terms of Service live on getraxx.com before public launch. CCPA/CPRA is the primary US data-privacy regime in scope; GDPR posture must be resolved based on whether EU beta users will be served at launch. The operator has nine operator-decision items — retention windows, DSR SLA, sub-processor list, cookie/consent posture, arbitration, limitation-of-liability cap, governing law, age restriction floor, and GDPR EU representative appointment — that the attorney needs answered before drafting.
1. Company and Product Facts (Attorney Reference Sheet)
Legal Entity
| Field | Value |
|---|---|
| Legal name | MooseQuest LLC |
| Type | Single-member LLC |
| State of formation | Pennsylvania |
| Trade name / DBA | Raxx |
| Consumer-facing domain | getraxx.com |
| App domain | raxx.app |
| Operator / sole member | Kristerpher Henderson |
| Registered address | Northwest Registered Agent, 502 W 7th St Ste 100, Erie PA 16502-1333 |
Product Description
Raxx is a retrospective trading-structure and journaling SaaS. Users connect their own brokerage account (via their own credentials / OAuth with their own broker), enter trades and structure rules (entry price, credit target, exit trigger), and Raxx surfaces retrospective analysis of whether the user followed their own pre-defined rules. Raxx does not execute trades autonomously. Raxx does not provide forward-looking investment recommendations. All analysis is of the user's own historical trade data.
Pricing Tiers
| Tier | Price | Notes |
|---|---|---|
| Free | $0 | Limited features |
| Pro | $39/mo | Full feature set |
| Pro+ | $79/mo | Full feature set + advanced analytics |
| Founders | $29/mo for 6 mo, then $79/mo | Intro cohort; same features as Pro+ |
Payments processed via Stripe (web) and Apple IAP / StoreKit 2 (iOS).
2. Data Inventory (What the Policy Must Describe)
Data Categories Collected
| Category | Source | Notes for Attorney |
|---|---|---|
| Account identity | User registration | Name, email address |
| Authentication credentials | User creation | Passkeys (WebAuthn); RP ID is raxx.app |
| Brokerage connection data | User-initiated OAuth with user's own broker | Trade history, positions, account info — user owns this data; Raxx receives it as a service processor |
| User-entered trade structure | App input forms | Entry price, credit target, exit rules, strike, expiration — all user-defined |
| Sentiment + journal entries | App input forms (Shape 1 feature) | See Section 3 below |
| Payment data | Stripe (web) / Apple IAP (iOS) | Raxx does not store card data; PCI handled by Stripe / Apple |
| Email communications | Postmark | Transactional only (receipts, confirmations, feature comms) |
| Web analytics | Microsoft Clarity on getraxx.com | Heatmaps, session recordings, click analytics — marketing/pre-login surface only |
| Support tickets | FreeScout (self-hosted) | Inbound from support@raxx.app |
| App analytics | TBD (see open questions) | In-app behavioral analytics vendor not yet selected |
Data Raxx Does NOT Collect or Sell
- Raxx does not sell or share personal data with third parties for advertising or cross-context behavioral advertising purposes.
- Raxx does not make investment decisions on behalf of users.
- Raxx does not collect Social Security numbers, government IDs, or biometric data.
- Raxx does not aggregate or sell user trading behavior to third parties.
Sub-Processor Preliminary List (Operator Must Finalize)
The attorney will need a complete sub-processor list. Confirmed processors:
| Sub-processor | Role | Data received |
|---|---|---|
| Heroku (Salesforce) | Application hosting + compute | All application data at rest/in transit |
| Cloudflare | CDN, WAF, Zero Trust Access | Request metadata, IP addresses |
| Stripe | Web payment processing | Payment card data, billing identity |
| Apple (IAP) | iOS subscription billing | iOS user payment data |
| Microsoft Clarity | Marketing site analytics | IP, session recordings, click data on getraxx.com |
| Postmark (Wildbit/ActiveCampaign) | Transactional email | Email address, message content |
| FreeScout | Support ticketing (self-hosted on operator infrastructure) | Support correspondence |
Sources:
https://www.heroku.com/policy/privacy
https://www.cloudflare.com/privacypolicy/
https://stripe.com/privacy
https://www.apple.com/legal/privacy/
https://privacy.microsoft.com/en-us/privacystatement
https://postmarkapp.com/privacy-policy
3. Sentiment + Journal Data (Shape 1) — Special Disclosure Section
The attorney must draft accurate, precise language for this data category. Key facts:
- What is collected: User-entered text notes and structured tags about their own trades (e.g., "I followed my exit rule," "I deviated because of fear"). These are self-reported by the user to Raxx.
- Retrospective only: All sentiment data describes past trades. Raxx does not use this data to generate forward-looking recommendations.
- No emotion-labeling of users: Raxx does not classify, diagnose, or label users' emotional states. The user enters their own characterization of their own behavior.
- Use: Displayed back to the user in their own journal. Not surfaced to third parties. Not used for advertising targeting. Not used for AI model training on user-identifiable data (confirm with attorney if this must be explicit).
- Policy requirement: The Privacy Policy must describe this category accurately — not as "sensitive health data" or "mental health data" (it is not), but as user-entered trade-behavior notes that are personal to the user.
- Retention: Operator must decide retention window (see Section 5 decision list).
4. Privacy Regimes in Scope
4a. CCPA / CPRA (California)
Threshold analysis: CCPA/CPRA applies to for-profit businesses operating in California that meet any one of the following:
1. Annual gross revenue > $26.6M (2025-2026 adjusted threshold)
2. Buy, sell, or share personal information of 100,000+ California residents/households annually
3. Derive 50%+ of annual revenue from selling California residents' personal information
At launch, Raxx likely does not meet threshold (1) or (3). Whether threshold (2) is met depends on user scale. The attorney should draft a CCPA-compliant policy from day one regardless — the cost of retrofitting after crossing the threshold exceeds the cost of building it correctly from the start.
CPRA updates effective 2026:
- Automated Decision-Making Technology (ADMT) requirements take effect 2027; attorney should assess whether Raxx's rule-based automation constitutes ADMT under CPPA's definition (it likely does not, given user-defined rules only, but attorney must confirm).
- New regulations finalized September 2025 clarify risk-assessment requirements.
Required policy elements (CCPA §1798.100 et seq.):
- Categories of personal information collected + purposes
- How consumers can exercise rights (Know, Delete, Correct, Opt-Out of sale/sharing, Limit sensitive data use)
- "Do Not Sell or Share My Personal Information" mechanism (or statement that Raxx does not sell/share — operator claims this is the case; attorney must verify no sharing arrangements qualify as "sale")
- DSR contact method
Sources:
https://oag.ca.gov/privacy/ccpa
https://cppa.ca.gov/regulations/
https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126
4b. GDPR (EU/EEA)
Threshold question for attorney: GDPR applies to controllers/processors not established in the EU when they offer goods or services to EU data subjects (Article 3(2)(a)) or monitor their behavior. If Raxx has EU-based beta users at launch — even one — the targeting prong is engaged.
Operator must decide: Will Raxx explicitly block EU users at launch, or allow them? This is the single most important GDPR scoping decision. Options:
- Block EU users at launch (geolocation gate + Terms "not available in EU") — avoids full GDPR obligations for now
- Serve EU users — requires: lawful basis for processing (contract, consent), privacy notice per Article 13/14, data subject rights process, DPA/SCCs for US-based processors, and EU Representative appointment under Article 27
EU Representative requirement: If EU users are served, Article 27 GDPR requires designation of an EU Representative in writing. Failure is itself a violation (Article 83(4); up to €10M or 2% global turnover). Third-party EU Rep services cost ~$300-800/year.
Sub-processor chain: Heroku + Cloudflare + Stripe + Postmark all process EU personal data if EU users are served. Standard Contractual Clauses (SCCs) or adequacy-mechanism coverage must be confirmed for each.
Sources:
https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
https://gdpr.eu/companies-outside-of-europe/
https://gdpr-info.eu/art-27-gdpr/
4c. Other State Privacy Laws
Several US states have enacted privacy laws materially similar to CCPA. At launch, the attorney should assess Virginia (VCDPA), Colorado (CPA), and Texas (TDPSA) as the most consequential beyond California. An attorney-drafted policy built to CCPA standard with GDPR awareness is generally a sufficient baseline for most state laws; the attorney can advise on any state-specific carve-outs needed.
5. Operator Decision List (Attorney Needs Answers to These Before Drafting)
The attorney cannot finalize the policy without the operator's answers to the following. Bring these decisions to the first engagement meeting.
| # | Decision | Why the attorney needs it | Notes |
|---|---|---|---|
| D-1 | Data retention windows | Policy must state how long each data category is kept | Typical SaaS: account data retained for life of account + 30-90 days post-deletion; logs shorter. Operator must decide. |
| D-2 | DSR response SLA | CCPA: 45 days (extendable 45); GDPR: 30 days (extendable 30). Policy must commit to a window | Recommend 30 days to satisfy both CCPA and GDPR |
| D-3 | Complete sub-processor list | Privacy Policy typically discloses categories of processors; GDPR requires more granularity | Operator to finalize and verify Section 2 list above |
| D-4 | Cookie + consent posture | Microsoft Clarity on getraxx.com drops cookies; cookie consent banner required if EU users served or if targeting CCPA "opt-out of sharing" | Operator must decide: geo-gate EU or implement consent management |
| D-5 | EU user policy | Are EU users allowed to sign up at launch? This determines GDPR applicability scope | Operator decision; has major cost/complexity implications |
| D-6 | Arbitration clause | ToS — operator must decide: binding arbitration + class-action waiver, or not? CA has specific rules on enforceability of consumer arbitration clauses | Attorney advises; operator decides governing approach |
| D-7 | Limitation-of-liability cap | ToS — typical SaaS: 12 months of fees paid. Must be set explicitly | Operator decides cap amount |
| D-8 | Governing law + venue | Operator preference is PA; attorney must confirm PA courts are appropriate and draft choice-of-law clause | Note: CA residents may have additional rights regardless of governing law clause |
| D-9 | Age restriction floor | COPPA applies to users under 13; some states extend protections to under 16. Is Raxx 18+ only? | If 18+ only, policy must state it and ToS must have age-gate acknowledgment; COPPA obligations significantly reduced |
6. Terms of Service — Securities-Sensitive Caveat Requirements
The ToS must include securities-adjacent disclaimers. This brief is prepared in coordination with the securities attorney engagement (see companion document: docs/business/legal/2026-07-01-securities-attorney-question-list.md and GitHub issue #3141). Key ToS requirements the privacy/tech-transactions attorney must coordinate with the securities attorney on:
- Not-investment-advice disclaimer: Raxx does not provide investment advice. Nothing on the platform constitutes a recommendation to buy, sell, or hold any security. Users make their own investment decisions.
- Not a registered investment adviser: MooseQuest LLC / Raxx is not registered as an investment adviser with the SEC or any state securities regulator.
- No fiduciary relationship: No use of Raxx creates a fiduciary relationship between the user and MooseQuest LLC.
- Past performance caveat: Retrospective analysis of a user's own trade history does not predict future results. No guarantee of investment return is made.
- User-entered data is user's responsibility: The accuracy of trade data, structure rules, and journal entries is the user's responsibility. Raxx displays what the user inputs.
The securities attorney (engagement: #3141) should review and approve this disclaimer language before the privacy/tech-transactions attorney finalizes the ToS. Recommend a single joint review meeting with both attorneys.
7. DSR Intake Path
Intake path being stood up:
- Email: privacy@raxx.app
- Ticket system: FreeScout (self-hosted)
- Workflow: Inbound privacy@ email → FreeScout ticket → manual fulfillment
Attorney should assess:
- Whether a webform (in addition to email) is required under any applicable law
- Whether automated verification of requestor identity is needed
- Whether the FreeScout stack constitutes a "verifiable consumer request" mechanism under CCPA (generally yes for email-based verification)
8. Timing
No regulatory hard deadline for a privacy policy as a matter of law — but:
- CCPA + GDPR require a policy to be in place and accessible before personal data is collected from users in those jurisdictions
- "Before launch" is effectively the deadline for getraxx.com policy publication
- The operator has indicated launch is imminent; attorney engagement should be prioritized immediately
9. Questions for the Privacy / Tech-Transactions Attorney
Bring these to the first engagement:
- Given Raxx's current user scale (pre-launch), are we below all CCPA thresholds — and should we nonetheless publish a CCPA-compliant policy from day one?
- If EU beta users exist before the full GDPR posture decision is made, what is the minimum-viable GDPR posture to avoid Article 83 exposure?
- Does Microsoft Clarity on getraxx.com (before login) constitute "sharing" personal information under CCPA §1798.140(ah)?
- Does Apple IAP data flow (where Apple controls the user relationship) create any CCPA or GDPR obligations for MooseQuest LLC as a controller?
- What is the enforceability posture of a mandatory arbitration / class-action waiver for California residents under current CA law?
- Can the limitation-of-liability clause disclaim liability for trading losses specifically, or will a court in PA / CA strike that?
- Does the user-entered brokerage OAuth connection make Raxx a "data broker" under any applicable state law (e.g., CA Data Broker Registration)?
- How should the sentiment/journal data category (Section 3) be characterized in the policy — is it "sensitive personal information" under CCPA or GDPR?
- What is the recommended update/versioning mechanism for the policy (material change notice window, consent re-gate, etc.)?
- Should the attorney coordinate directly with the securities attorney on the investment-adviser disclaimer language in the ToS?
Sources
https://oag.ca.gov/privacy/ccpa
https://cppa.ca.gov/regulations/
https://cppa.ca.gov/faq.html
https://www.jacksonlewis.com/insights/navigating-california-consumer-privacy-act-30-essential-faqs-covered-businesses-including-clarifying-regulations-effective-1126
https://commission.europa.eu/law/law-topic/data-protection/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
https://gdpr.eu/companies-outside-of-europe/
https://gdpr-info.eu/art-27-gdpr/
https://iapp.org/news/a/territorial-scope-of-the-gdpr-from-a-us-perspective
https://www.heroku.com/policy/privacy
https://www.cloudflare.com/privacypolicy/
https://stripe.com/privacy
https://www.apple.com/legal/privacy/
https://privacy.microsoft.com/en-us/privacystatement
https://postmarkapp.com/privacy-policy
Before acting on any item in this document, consult a privacy attorney and/or technology-transactions attorney licensed in Pennsylvania and familiar with US internet commerce, CCPA/CPRA, and GDPR.
Human-to-human deliverable: this document should also be saved to the operator's Google Drive legal folder for easy retrieval at attorney meetings.