This Privacy Policy applies to Kalmari ("Kalmari," "we," "us") and the Kalmari Service, including the Telegram bot, the Mini App, the website at kalmari.app, and any other interface we provide. It does not apply to Kalshi, Telegram, or any other third-party service you connect to — please read their respective privacy policies.
Your Kalshi API Credentials (key ID + RSA private key) are Sensitive Personal Information ("SPI") under California Civil Code §1798.140(ae) because they grant access to your financial account.
We use SPI only for the purposes you authorized in our BYOK terms — to read your Kalshi account state and place/amend/cancel orders on your behalf. We do not use SPI for advertising, profiling, cross-context behavioral marketing, or to train any AI model.
Where required by California, Colorado, Connecticut, Texas, or Virginia law, you have the right to limit our use of SPI to the purposes described above. We already operate at that limit by default; you may verify this at any time and revoke your credentials in the Service's settings. See §08.
We use the information described in §02 for the following business purposes:
We do not sell your personal information, and we do not "share" it for cross-context behavioral advertising as those terms are defined under California law.
We work with the following categories of subprocessors. Each is bound by a written data-protection agreement (where the vendor signs one) and processes personal information only to provide its service to Kalmari.
| Vendor | Purpose | Data categories |
|---|---|---|
| Anthropic | AI inference (Claude) | Chat prompts and metadata; no API Credentials. |
| OpenAI | AI inference (GPT, Whisper, TTS) | Chat prompts, voice audio for transcription; no API Credentials. |
| Optional AI inference (Gemini) and fonts | Chat prompts where Gemini is selected; user-agent for fonts. | |
| Telegram | Message delivery + Login Widget | Telegram-account data, message content. Telegram does not sign a data-processing agreement; you are bound by Telegram's own privacy terms. |
| Kalshi | Event-contract trading | Order, position, and settlement data tied to your Kalshi account. |
| Stripe | Payment processing | Payment-method information, billing metadata. Stripe is the data controller for card-network data. |
| Cloud / hosting providers | Compute, storage, CDN | All categories at rest and in transit, encrypted. |
We will publish a more detailed and continuously updated list at kalmari.app/subprocessors as additional vendors are added.
| Category | Retention |
|---|---|
| Account & authentication data | Life of the account, plus up to 30 days after closure. |
| Kalshi API Credentials | Deleted within 30 days of account closure or credential removal; cryptographically purged. |
| Trade history & settlement records | Up to 7 years (useful for your own tax and audit records). |
| Chat content (bot & Mini App) | Rolling window for in-context reasoning; older messages are summarized or pruned. |
| AI inference logs | Minimum required for debugging and billing reconciliation; honor provider zero-data-retention settings where enabled. |
| Operational telemetry & error logs | Up to 180 days. |
| Billing records | As required by tax and accounting law (typically 7 years). |
| Encrypted backups | 30–90 days, with cryptographic erasure. |
When a retention period ends or a deletion right is exercised, we delete or de-identify the information so that it can no longer be linked to you.
Depending on the state you live in, you may have the following rights:
To exercise any of these rights, contact us at [email protected]. We will verify your identity (typically by confirming control of the Telegram account or the email tied to your billing) and respond within the timeframes required by your state's law (45 days under CCPA/CPRA, extendable by another 45 days where reasonably necessary).
We recognize and honor the Global Privacy Control (GPC) browser signal as a universal opt-out mechanism, as required by the California Privacy Protection Agency's regulations and the Colorado Attorney General's rules. If you visit our website with a browser that transmits a GPC signal, we treat it as an opt-out of sale and of cross-context behavioral advertising — even though we do not currently engage in either.
We take reasonable and appropriate technical and organizational measures to protect personal information. These include:
No security system is impenetrable. You can help by keeping your Telegram account secure (enable two-factor authentication), revoking your Kalshi API key on Kalshi if a device is lost, and contacting us promptly if you suspect anything is wrong.
If we confirm a security incident that has compromised your personal information, we will notify you within 72 hours of confirmation via Telegram and (where we have it) email, and we will notify regulators on the timelines required by applicable state law — including New York SHIELD Act (within 30 days of discovery), Texas Business & Commerce Code §521.053 (within 60 days for consumers and 30 days for the Attorney General when ≥250 Texas residents are affected), Colorado §6-1-716 (within 30 days), Massachusetts 201 CMR 17 / Chapter 93H, and California Civil Code §1798.82.
The Service is for adults. We do not knowingly collect personal information from anyone under 18 years of age. If you believe a child has provided us with personal information, contact us at [email protected] and we will delete it.
Kalmari is offered to residents of the United States only. We do not knowingly collect personal information from residents of the European Union, the United Kingdom, or any other jurisdiction outside the United States, and we have not appointed an EU or UK representative. If you are outside the United States, please do not use the Service.
We may update this Privacy Policy from time to time. If we make a material change, we will notify you through the Service or by email and update the "Effective" date above. Your continued use of the Service after the change takes effect means you accept the updated policy.
Questions or requests about your personal information? Reach our privacy team at [email protected]. For all other matters, see the contact section of our Terms of Service.