Legal · Privacy
Privacy Policy
Effective July 2, 2026
This policy explains what information lvls(“lvls,” “we,” or “us”) collects when you visit composite.fyi or interact with the service through Discord or email, what we do with it, who else may process it, and the choices you have. It applies to all visitors, waitlist members, and subscribers.
1. Who we are
lvls is an independent alert publisher operated by an individual, not a registered business entity, and it maintains no physical office address. It publishes mechanical trading alerts — impersonal publications generated by pre-registered hard boolean gates, delivered to all subscribers identically and simultaneously — for MNQ futures and single-name stocks. The contact for privacy questions, data requests, or anything else is hey@composite.fyi.
2. The short version
We collect the minimum the service needs to run. Today, while checkout is closed, that is usually one thing: the email address you submit to the waitlist. Subscribers who sign in with Discord add a Discord identity and a webhook URL; billing information goes to Stripe if and when checkout opens. We run no analytics of any kind — see section 4. We do not sell, rent, or trade personal information, and we do not run advertising.
3. What we collect
Information you provide directly:
- Waitlist email — submitted when you join the waitlist to lock the founding rate.
- Optional waitlist note — a short free-text field on the waitlist form. Leaving it blank is fine; whatever you write is stored alongside your email.
- Discord identity — if you sign in with Discord as a subscriber, we receive what Discord shares through its OAuth flow: your Discord username, user ID, avatar, and the email on your Discord account.
- Discord webhook URL — each subscriber pastes a webhook URL from a Discord server they control. We store it so the engine can post alerts to that channel.
Billing information (when checkout opens): Checkout is currently closed, so no billing information is collected today — the waitlist takes no card. When checkout opens, payment is processed by Stripe on its hosted checkout page. Stripe receives the payment details you enter there; we never see, store, or have access to your card number or security code. Stripe shares with us only what subscription upkeep requires: a customer ID, a subscription ID, the email on file, subscription status, and the billing-period end date.
Collected automatically:
- Server logs — our hosting provider (Vercel) records standard request metadata: IP address, user agent, the page or endpoint requested, and the time of the request. Used for security, debugging, and operating the service.
- Strictly necessary authentication cookies — if you sign in, our authentication provider (Supabase) sets a session cookie that keeps you signed in. That is the only class of cookie on this site. Blocking it prevents sign-in; nothing else breaks.
4. No analytics — none
This site runs no analytics of any kind, first-party or third-party. No page-view counters, no session recording, no heatmaps, no advertising pixels, no fingerprinting, no A/B testing frameworks, no advertising identifiers, no cross-site tracking of any sort.
You do not have to take our word for it: the page source contains no tracking scripts. View source on any page of composite.fyi and look — there is no analytics snippet to find. The same claim is stated on the site as an engineering commitment and is verifiable in the repository.
There is no cookie banner because there is nothing a banner would ask consent for: the only cookies that exist are the strictly necessary authentication cookies described in section 3, which consent rules do not require a banner for.
This is a standing commitment of the brand, not a snapshot of the current build. If it ever changed, this policy would change first and the effective date at the top would move.
5. How we use information
We use the information described above only to:
- Operate the service — post alerts to the webhook URL you provided, and serve the journal and stand-down feed.
- Set up and maintain your account and subscription.
- Process payments through Stripe, when checkout opens.
- Communicate with you about the service — for example, contacting the waitlist if a lane graduates and checkout opens, replying to support email sent to hey@composite.fyi, or notifying you of material changes to a policy or your subscription.
- Notify the operator internally when someone new joins the waitlist: the email address and any note are posted to a private Discord channel that only the operator can read.
- Maintain security, prevent abuse, debug issues, and protect the integrity of the service.
- Comply with legal obligations.
We do not sell or rent personal information, do not use it for advertising, and do not share it with anyone for their independent marketing purposes.
6. Legal bases for processing (EU/UK)
If the GDPR or UK GDPR applies to you, the legal bases we rely on are: contract (delivering the service and administering your waitlist position or subscription), legitimate interests (running a secure service, preventing abuse, communicating about the product), consent (the optional free-text note you choose to submit), and legal obligation (where we must retain or disclose information to comply with law).
7. Processors
We share information only with the small set of processors that operate the service. Each receives only what it needs:
- Supabase — authentication (Discord OAuth) and database storage for waitlist entries, subscriber records, and webhook URLs. Supabase privacy policy.
- Stripe — payments, subscription billing, and the billing portal, when checkout opens. Stripe privacy policy.
- Discord — alert delivery to the webhook URL you provide, sign-in via OAuth, and the internal waitlist notification described in section 5. Discord privacy policy.
- Vercel — hosting, serverless functions, and standard server-side request logs. Vercel privacy policy.
- Apple / iCloud — the inbox behind hey@composite.fyi is hosted on Apple iCloud Mail using the custom email domain feature. Apple privacy policy.
We may also disclose information if legally required to do so (for example, by valid legal process), or to protect the rights, safety, or property of lvls, our members, or others. We will push back on overbroad requests where we can.
8. How long we keep information
We keep information only as long as the service needs it, plus a reasonable period for legal, accounting, and security purposes. In practice:
- Waitlist entries — kept until you ask us to delete yours, or until the waitlist is retired and no longer needed.
- Subscriber records — kept while your subscription is active and for a reasonable period afterward for billing, tax, and dispute-resolution purposes.
- Server logs— retained per our hosting provider’s standard rotation.
- Stripe and Discord records — retained per those providers’ own policies.
You can ask us to delete your information at any time — see “Your rights” below.
9. Security
Traffic is encrypted in transit with TLS. Database access is gated by row-level security policies in Supabase, so a signed-in subscriber can read only their own rows. Credentials and API keys live in environment variables on the hosting provider, not in source code. The web surface is read-only toward the engine: nothing on this site can write back to it. No system is perfectly secure, and we cannot guarantee that information will never be accessed by an unauthorized party. If a security incident affects you, we will notify you as required by law.
10. Your rights (GDPR / UK GDPR / CCPA)
Depending on where you live, you may have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or out of date.
- Delete your personal information (subject to limited exceptions, such as billing records we are required to keep).
- Export your information in a portable format.
- Restrict or object to certain processing.
- Withdraw consent where we relied on it.
- Not be discriminated against for exercising any of these rights.
EU and UK residents may also lodge a complaint with their local supervisory authority.
California residents (CCPA/CPRA): you have the right to know what personal information we collect, to delete it, to correct it, and to opt out of the “sale” or “sharing” of personal information. lvls does not sell or share personal information as those terms are defined under California law.
To exercise any of these rights, email hey@composite.fyi. We may need to verify your identity before acting on a request — typically by confirming the request from the email address on file.
11. International transfers
lvls is operated from the United States, and our processors operate in the United States and other countries. By using the service you understand that your information may be transferred to and processed in countries other than the one where you live, including the United States, which may have data-protection laws different from your own.
12. Children
The service is not directed at anyone under 18 and is not intended for use by minors. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided personal information to us, email hey@composite.fyi and we will delete it promptly.
13. Changes to this policy
We may update this policy from time to time. The effective date at the top reflects the most recent version. If we make material changes, we will note the change here and, where reasonable, give notice through the service or by email. Your continued use of the service after a change takes effect constitutes acceptance of the updated policy.
14. Contact
For any question about this policy or about how lvls handles your information — including data-rights requests — email hey@composite.fyi. See also the Terms of Service and the Risk Disclosure.