PremiumGuardHQ reads from your broker. It cannot write back. This page is the disclosure: every scope, every vendor, every byte we keep, every byte we delete. On the record, dated, and updated when the answer changes.
Your capital never leaves your broker. We can read your trade history; we cannot place a single trade. Here is exactly what we do, what we can’t do, and how to delete your data when you’re done.
The only Schwab API scopes we requested are account & transaction reads. Trading endpoints are not in our OAuth grant, so even our own backend can’t place an order on your behalf.
scopes · accounts:read · transactions:read You generate the token in IBKR Account Management and paste it into PremiumGuard. We never see your IBKR username, password, or 2FA. Revoke it from IBKR any time.
scope · flex report read-only Your data is encrypted at rest. Application queries are row-level scoped to your account; one user’s data is never accessible to another, even through internal tools.
postgres · per-user RLS policies · AES-256 Settings → Delete account. No retention “just in case” once the account is deleted. The exact deletion path depends on your subscription state. Full details on the security page.
retention · 0 days after account deletion All application servers and databases are hosted in US data centers. No off-shore data processing. SOC 2 audit in progress with our hosting provider.
region · us-east-1 · cloudflare wrapped Questions about how we handle your data? Email support@premiumguardhq.com. A real engineer will answer.
For each broker connection, here is what PremiumGuardHQ can read and what it can never do. The allow list is what the broker actually granted us. The deny list is everything else.
Scopes are listed as we requested them from each broker. They are not interpretive. If a verb is not in the allow list, the platform has no code path to execute it.
PremiumGuardHQ is the analytics layer. The infrastructure underneath is a stack of named vendors. Each one is listed below with the data they receive and the jurisdiction they operate in. Material changes to this list will be announced before they take effect.
Trade-level data only reaches Supabase (the database) and the broker APIs themselves. Analytics and marketing vendors receive product-usage events with no transaction content.
Account deletion follows one of two paths, depending on whether you have an active paid subscription. Both paths end with a hard delete: the auth record and every row tied to it are removed. The handful of exceptions are listed by name below.
Schwab OAuth tokens and IBKR Flex tokens. Removed when the hard-delete runs.
Every cycle, scorecard row, position record, and computed metric tied to your account.
Name, target equity, withdrawal preferences, broker preferences, UI state.
Source files plus every parsed transaction derived from them.
Invoices and payment records remain in Stripe for as long as Stripe’s own legal retention policy requires. PremiumGuardHQ does not control this window.
Your email is added to an internal list that prevents the same address from claiming a second free trial. This is the only persistent record we keep about a deleted account.
Product usage events with no user identifier. Cannot be looked up or attributed back to you after deletion.
PremiumGuardHQ does not hold its own SOC 2 report. The infrastructure it runs on does. Every vendor that touches your data, from the database to the hosting layer to payments and email, is SOC 2 Type II certified. The stack is listed below by layer.
Vulnerability reports, scope-of-access questions, audit requests, anything security-adjacent. The address below is monitored by an engineer, not a ticketing queue. No bounty program yet; full credit and acknowledgment for anything material.
support@premiumguardhq.com subject: SecurityThe data flow is one-directional, the scopes are verbatim, and the deletion window is documented. Start the trial and verify it against your own dashboard.
Start free trial