CopyGrade
Effective 2026-07-13

Privacy Policy

This policy describes what Blueteem LLC d/b/a CopyGrade (“CopyGrade”, “we”) collects when you use the CopyGrade product, how we use it, the legal bases we rely on, and the rights you have. It applies to the website, the web application, and any related APIs.

01Summary in plain English

We collect what we need to run the service: an account identifier, your subscription state, the wallets you choose to watch, and standard server logs. With your consent, we also use a third-party analytics provider to measure how the site is used. We do not collect your trading credentials, your private keys, or advertising data, and we do not track you across other websites. We do not sell or share your personal information. Your data sits in our cloud database and is handed only to the categories of providers listed below.

02Information we collect

Account.Your email address and a password hash, or — if you sign in through an external provider — the identifier that provider returns. Optionally a display name and a Polymarket wallet address that you choose to associate with your account. We also derive and store a normalised form of your email address (for example, ignoring “+tag” suffixes) solely to detect duplicate accounts for the same mailbox; it is never used for anything else.

Subscription. A customer identifier from our payment processor, your subscription tier, and your subscription status. We do not store your card number — that lives only with the payment processor.

Product activity.The wallets you have pinned to your watchlist and any private notes you add to them, any wallet baskets you create, the screening filters you save, the wallets you spend free verdict unlocks on, your alert and notification preferences (including whether you receive the weekly watchlist digest and the account emails described in section 5), the read/unread state of alerts we have sent you, and — if you create an API key — the key's name and usage counters (we store only a one-way hash of the key itself). We also keep a small log of which service emails we have sent you, so we never send the same one-off email twice.

Notification delivery. If you choose to route alerts to your own server, we store the webhook URL you provide so we can deliver a small alert payload to it. That endpoint is one you control — sending data to it happens at your direction, and clearing the field turns it off. It is deleted when you delete your account.

Sign-in security log. Each time you sign in — or confirm your email — we record the time, the IP address the request came from, and your browser and user-agent string, keyed to your account. We keep this in our own database as a security record so unauthorised access can be detected and investigated; it is never sold or used for advertising, and it is deleted when you delete your account.

Signup attribution. When you create an account we store, on your profile, the IP address you signed up from and — when present — the referring URL and the campaign/source tag from the link you arrived through, so we can understand which channels bring people to CopyGrade. This too is deleted when you delete your account.

Diagnostic. Standard server logs — IP address, user agent, request path, response code, timestamp — kept for security and abuse detection. We also use IP addresses — and, on the sign-in, password-reset, and confirmation-resend endpoints, a one-way hash of the targeted email address — transiently as rate-limit counters to protect the service and individual accounts from abuse; these counters hold no other personal data and expire on their own within an hour at most.

Error telemetry. When the app throws an error at runtime, our error-monitoring provider captures the stack trace and a small set of contextual fields. We do not intentionally include personal information in these reports, and the client IP address is not collected.

Aggregate analytics (cookieless). We use a privacy-first, cookieless analytics provider to measure overall site traffic — counts of page views, referrers, and the country and device type derived from your request. It sets no cookies, stores no cross-site or cross-session identifier, and builds no profile of you; the data is aggregated and anonymised. Because it reads nothing from and stores nothing on your device, it runs without a consent banner, on the basis of our legitimate interest in understanding how the service is used.

Consent-based analytics. If you also consent via our cookie banner, a separate third-party analytics provider records pseudonymous usage events — which pages you visit, how you navigate, and coarse device, browser, and approximate-location signals. That provider anonymises and does not store your IP address, and we do not use it for advertising. If you decline, no analytics cookies are set and that provider collects nothing.

First-party usage analytics. We also record a small set of in-product usage events — such as pages and wallet verdicts viewed, simulator runs, and searches — in our own database to understand and improve the service. These events store no third-party identifier, no raw IP address, and no message content, and they set no cookie and store nothing on your device. For a signed-in user they are keyed to your pseudonymous account identifier (and removed or de-identified when you delete your account); for a logged-out visitor they are recorded with no identifier at all— as aggregate counts that do not single you out. We rely on our legitimate interest in measuring and improving the product; for logged-out visitors we honour a Global Privacy Control signal as an opt-out (see “Cookies and tracking” below).

Waitlist. If you add your email to a product waitlist — for example, to be notified when the public API opens — we store that email address and any optional note you include, in our own database, so we can tell you when the feature is available. We do not use it for unrelated marketing, and we delete it on request.

03What we do not collect

  • Your Polymarket login, exchange credentials, or any other trading-account password.
  • Private keys, seed phrases, or any custody material. CopyGrade is analysis-only — it never executes trades or holds funds.
  • Any on-chain identity beyond the public wallet address you choose to associate with your account.
  • Advertising identifiers, ad-targeting pixels, or cookies that follow you across other websites. Our analytics sets first-party cookies only after you consent — see Cookies below.
  • A cross-site advertising profile of you. We do not share data with ad networks, and our analytics runs with advertising features turned off, so it is never used to build an ad profile or follow you around the web.

04Legal bases for processing

If you are in the European Economic Area or the United Kingdom, we process your personal data only where we have a lawful basis to do so under the GDPR / UK GDPR:

  • Performance of a contract. Creating and running your account, keeping you signed in, processing your subscription, and delivering the alerts and features you ask for.
  • Legitimate interests.Securing the service, preventing fraud and abuse (including rate limiting by IP and by hashed email address), fixing the errors our monitoring surfaces, measuring aggregate site traffic with a privacy-friendly cookieless analytics provider, measuring first-party in-product usage in our own database (without cookies, device storage, or any identifier for logged-out visitors), sending existing account holders occasional emails about their own use of the service (the account emails in section 5 — each with a one-click unsubscribe and an account-settings toggle, and stopped the moment you opt out), and analysing public Polymarket wallet data to produce Copy Scores. We balance these interests against your rights and you can object at any time (see Your rights).
  • Consent.Setting analytics cookies, and any promotional email beyond the account emails described in section 5. You can withdraw consent at any time, as easily as you gave it.
  • Legal obligation. Meeting tax, accounting, and other legal requirements, and responding to lawful requests.

05How we use your information

  • To operate the service and keep you signed in.
  • To process subscription payments and to grant the Pro features your subscription entitles you to.
  • To send you service email — the alerts you have configured, a weekly watchlist digest (on by default, with a one-click unsubscribe in every digest and a toggle in your account settings), billing receipts, and account notices.
  • To send you occasional account emails about your own use of CopyGrade — getting-started tips, reminders about unused free unlocks, a note when alerts fired on wallets you track, and suggestions to upgrade or return. These relate to the account you hold with us, are sent at most once a week, and every one carries a one-click unsubscribe (there is also a toggle in your account settings). Beyond these, we do not send promotional email without your explicit opt-in, and we never share your address for anyone else's marketing.
  • To detect and respond to abuse, fraud, and security incidents.
  • To improve the product — fixing the errors our monitoring surfaces and studying anonymised, aggregated usage patterns to make the next version better.

06Who we share data with

We hand off specific data to the categories of providers below so they can do their part of the job. Each is bound by its own data-processing terms and acts only on our instructions. We describe the category rather than naming each provider; we will tell you the specific identity of any provider on request — email privacy@copygrade.com.

Recipient categoryPurposeData shared
Cloud database, authentication & storageStores your account and product data; manages sign-in sessionsAccount identifier, email (and its normalised duplicate-detection form), optional display name and wallet address, watchlist and wallet baskets, saved screens, free-unlock history, alert and notification preferences, any alert webhook URL you configure, subscription state, a log of service emails sent to you, a sign-in security log (IP, browser/user-agent, time), signup attribution (IP, referring URL, source), and any product-waitlist email you submit
Payment processingProcesses subscription payments and manages billingEmail, a customer and subscription identifier, payment-card data (held only by the processor — never by us)
Transactional email deliveryDelivers the alert, digest, billing, account, and account-tips emails you receiveYour email address and the contents of those messages
Abuse-prevention rate-limit storeHolds short-lived counters so sign-in, search, and similar endpoints can be rate-limited consistentlyIP addresses and one-way hashes of targeted email addresses, held transiently as counters; no other personal data
Cloud application hosting & edge networkServes the website and applicationStandard server logs — IP address, user agent, request path, timestamp
Application error monitoringCaptures runtime errors so we can find and fix themError messages and stack traces; no personal data is intentionally included and the client IP is not collected
Aggregate analytics (cookieless)Measures overall site traffic without cookies or consent; sets no cross-site identifier and builds no profileAnonymised, aggregated page-view counts, referrer, and the country / device type derived from the request
Product analytics (consent-gated)Measures site usage — loaded only after you consent; the specific provider is named in our cookie bannerPseudonymous usage events (pages viewed, navigation); no advertising data
Single sign-on / OAuth identity providerAuthenticates you, only if you choose to sign in through an external providerThe standard identity scopes you authorise (typically your email and a stable user identifier)

Primary data processing happens in United States regions. We may also disclose personal data where required by law, to enforce our terms, or in connection with a merger or acquisition (in which case we will notify you). We do not sell your personal information and we do not share it for cross-context behavioural advertising. If we add or change a category of recipient, we will update this page.

Delivery you direct. If you configure an alert webhook, we also send alert payloads to the endpoint you specify (for example, a Discord or Slack server). That recipient is chosen and controlled by you, not by us; we deliver only a small alert payload, and you can stop it at any time by clearing the webhook in your account.

07Cookies and tracking

Essential cookies.We use first-party session cookies issued by our authentication provider so you can stay signed in across page loads. During signup we also set one short-lived, HTTP-only cookie holding the email address you registered with, purely so the “check your email” confirmation screen can display it; it is not readable by scripts and expires on its own. These are strictly necessary — the application does not function without them — and they are not used for tracking.

No cookies for aggregate analytics. Our cookieless analytics provider (see Information we collect) sets no cookies and reads nothing from your device, so it is not part of the consent choice below.

No storage for first-party usage analytics. Our own in-product usage analytics likewise set no cookie and store nothing on your device — no cookie, no local or session storage. For logged-out visitors they record no identifier at all, and we treat a Global Privacy Control signal as an opt-out, so this is not part of the consent choice below either.

Remembering your choice.The only thing we keep in your browser's local storage is your cookie-consent choice itself, so we can honour it on your next visit — storing that preference is strictly necessary to respect it and is not used for tracking.

Analytics cookies (with your consent). We use a third-party analytics provider — named in our cookie banner before any analytics cookie is set — to understand how the site is used. It runs under consent defaulted to denied, so its cookies are set only afteryou choose “Accept” in our banner. Decline and none are set. You can change or withdraw your choice at any time via “Cookie preferences” in the footer.

The analytics provider anonymises IP addresses and does not store them; we set a 14-month data-retention window and keep advertising features off, so analytics data is never shared with an ad network. If your browser sends a Global Privacy Control (GPC) or other recognised opt-out signal, we treat it as a decline and set no analytics cookies. Beyond the banner, you can opt out in your browser's cookie settings. We do not embed advertising pixels.

08Data retention

  • Active accounts. We keep your account data for as long as your account is active.
  • Fixed windows we enforce ourselves. The sign-in security log is deleted after 180 days; first-party in-product usage events after 365 days; the free-tier “alerts fired” counters after 35 days; and the weekly-digest send log after 70 days. The record of which one-off service emails we have sent you is kept for the life of your account (it is what prevents repeats), and a waitlist email is kept until the feature launches or you ask us to remove it. When you delete your account, all of these are deleted with it — except in-product usage events, which are de-identified instead (the link to your account is severed and cannot be restored).
  • Deleted accounts. When you delete your account we remove it from production promptly; copies may persist in encrypted backups for up to 30 days before the backup window rotates.
  • Aggregated data. Anonymised, aggregated metrics that no longer identify you (counts, distributions, performance benchmarks) may be retained indefinitely for product analytics and research.
  • Logs and telemetry.Server logs and error events roll off on their providers' default retention schedules.

09Your rights

Wherever you live, you can ask us to:

  • show you (access) the personal data we hold about you;
  • correct anything that is wrong;
  • delete your account and the data tied to it;
  • export your data in a portable format;
  • restrict or object to certain processing;
  • withdraw any consent you have given, without affecting prior processing.

For residents of the EU and UK, these are formal rights under the GDPR and UK GDPR. You also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects on you (see Automated decisions below), and the right to lodge a complaint with your local supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EEA, your national data-protection authority. We would appreciate the chance to address your concern first.

To exercise any right, email privacy@copygrade.com. We verify requests against your account and respond within the timeframe the applicable law requires (generally 30–45 days). Using these rights is free in normal cases, and we will not deny you service, charge you a different price, or otherwise retaliate for exercising a privacy right.

10California privacy rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended, gives you specific rights. In the past 12 months we have collected the following categories of personal information:

  • Identifiers — email, account identifier, IP address, and any Polymarket wallet address you provide.
  • Customer records / commercial information — your subscription tier and billing status.
  • Internet or network activity — server logs, cookieless aggregate analytics (page-view counts, referrer, country/device type), first-party in-product usage events (pages and features used, keyed to your account identifier when signed in), and, only with your consent, pseudonymous cookie-based analytics about pages viewed and navigation.
  • Sensitive personal information — your account log-in credentials. We use these solely to provide the service and to secure your account; we do not use sensitive personal information to infer characteristics, so the right to limit its use does not apply.

We collect this information from you directly, automatically from your device, and from our service providers (for example, billing status from our payment processor). We use it for the business purposes described in this policy and disclose it only to the recipient categories in section 6, acting as our service providers under written contract.

We do not sell and do not share your personal information (including for cross-context behavioural advertising), and have not done so in the preceding 12 months. We do not knowingly sell or share the personal information of anyone under 16.

As a California resident you have the right to know, access, correct, and delete your personal information, the right to opt out of any sale or sharing (we do neither), the right to limit the use of sensitive personal information, and the right not to receive discriminatory treatment for exercising these rights. You may submit a request yourself or through an authorised agent (we will ask the agent for proof of authorisation) by emailing privacy@copygrade.com.

11Other U.S. state privacy rights

If you live in a U.S. state with a comprehensive privacy law — including Virginia, Colorado, Connecticut, Texas, Oregon, and others — you have rights to access, correct, delete, and obtain a portable copy of your personal data, and to opt out of targeted advertising, the sale of personal data, and certain profiling. We do not engage in targeted advertising, sell personal data, or profile you for decisions that produce legal or similarly significant effects, so there is nothing to opt out of, but you may still exercise your access, correction, deletion, and portability rights by emailing privacy@copygrade.com. Where our analytics is active, we honour recognised universal opt-out mechanisms such as Global Privacy Control.

Appeals. If we decline a privacy request, you may appeal by replying to our decision or emailing privacy@copygrade.comwith “Appeal” in the subject. We will respond within the period your state's law allows and, if we deny the appeal, tell you how to contact your state attorney general.

12Automated decisions and the Copy Score

CopyGrade's Copy Scores, sub-scores, and Farming Risk flags are produced by an algorithmic model. Those scores are about public Polymarket wallets— they are not decisions about you, our user, and they have no legal or similarly significant effect on you. We do not use automated processing to make decisions about you that would trigger the GDPR's automated-decision protections. If that ever changes, we will update this policy and provide the safeguards the law requires.

13Public wallet data we analyse

CopyGrade analyses publicPolymarket and on-chain data — wallet addresses, trade history, open positions, and market metadata — to compute Copy Scores. This data is published by Polymarket and the public blockchain; it concerns third-party wallets, not our subscribers, and we obtain it from public read-only sources without sending any of our users' personal data to those sources.

Where this public data relates to an identifiable person, we process it on the basis of our legitimate interest in providing due-diligence analysis of publicly observable market behaviour. If you are the holder of a wallet we analyse and wish to exercise a privacy right, email privacy@copygrade.com and we will respond as the applicable law requires.

14International transfers

Our infrastructure runs primarily in the United States. If you access CopyGrade from the European Economic Area, the United Kingdom, or another jurisdiction with data-export rules, your data is transferred to the US for processing. Where the law requires it, transfers rely on the European Commission's Standard Contractual Clauses (or the UK's equivalent mechanism, the International Data Transfer Agreement or Addendum) signed with the relevant provider, together with any additional safeguards needed.

15Children

CopyGrade is built for adult users of prediction-market products and is not intended for anyone under 18. We do not knowingly collect personal information from children. If you believe a child has signed up, email privacy@copygrade.com and we will delete the account.

16Security

We use TLS to protect data in transit. Data at rest is encrypted by our database and payment providers. Row-Level Security policies in our database isolate each user's data from every other user's. Sensitive operations — granting Pro access, writing subscription state — are restricted to a server-side service role that is never exposed to the browser.

No system is perfectly secure, and we cannot guarantee that data transmitted to or stored with us will never be intercepted or accessed without authorisation. We will notify affected users and any regulator, without undue delay and as the law requires, if a breach materially affects personal data.

17Changes to this policy

When we change this policy, we update the effective date at the top. For material changes — adding a new category of data, adding a new category of recipient, broadening how we use existing data — we notify active accounts by email before the change takes effect.

18Contact

Privacy questions, requests, and complaints go to privacy@copygrade.com.

Blueteem LLC d/b/a CopyGrade is the data controller for the information described in this policy. EU and UK users may also contact us at this address regarding their rights and may lodge a complaint with their local data-protection authority.