Privacy Policy

Last updated: June 19, 2026

limit.md ("we", "our", "us") is operated by limit.md, Inc., based in San Jose, California. This Privacy Policy explains what data we collect, how we use it, and your rights regarding it.

1. What we collect

  • Account data — your email address, name, and hashed password when you register.
  • Usage data — API requests your agents send to our policy engine: action type, asset, amount, timestamp, and the policy decision returned.
  • Agent & policy configuration — the rules you define (max trade size, allowed assets, etc.).
  • Activity logs — all decisions made by the policy engine, stored per your plan's retention window.
  • Technical data — IP addresses, browser type, and standard server logs collected automatically.

We do not collect or store your brokerage credentials, real portfolio positions, or live financial account data.

2. How we use your data

  • To provide and operate the limit.md policy engine and dashboard.
  • To enforce your defined policies and return correct decisions to your agents.
  • To send transactional emails (password resets, API usage alerts).
  • To improve the service — aggregate, anonymised usage patterns only.
  • To comply with legal obligations.

We do not sell your data. We do not use your data for advertising.

3. Data sharing

We share data only with service providers necessary to operate the platform:

  • Neon — PostgreSQL database hosting (US-East).
  • Vercel — application hosting and serverless compute.
  • Resend (if applicable) — transactional email delivery.

All sub-processors are bound by data processing agreements. We may disclose data if required by law or to protect the rights and safety of our users.

4. Data retention

  • Free plan — audit logs retained for 7 days.
  • Builder plan — audit logs retained for 90 days.
  • Enterprise — custom retention per agreement.

Account data is retained until you delete your account. You may request deletion at any time by emailing hello@limit.md.

5. Security

We use industry-standard practices: TLS in transit, bcrypt-hashed passwords, hashed API keys (we never store the raw key after issuance), and row-level access controls. No security measure is perfect — if you discover a vulnerability, please report it to hello@limit.md.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data. To exercise any of these rights, email hello@limit.md. We will respond within 30 days.

7. Cookies

We use one first-party session cookie (limit-session) to keep you logged in. We do not use third-party tracking or advertising cookies.

8. Children

limit.md is not directed at children under 13. We do not knowingly collect data from anyone under 13.

9. Changes

We may update this policy. Material changes will be communicated via email or a notice on the dashboard. Continued use after the effective date constitutes acceptance.

10. Contact

Questions about this policy? Email us at hello@limit.md or write to: limit.md, Inc., San Jose, CA, USA.