How we handle your data
Security
Last updated July 2026
We only ever read. Realize uses your Kalshi and Polymarket US API key to read your trades, settlements, and balance. Nothing else. The code that talks to each venue is read-only by construction. It implements no trading endpoint at all: we cannot place trades, move funds, or withdraw, we never take custody of your money, and we never ask for your venue password. You create the key yourself in the venue’s own developer settings, we walk you through it step by step on the connect screen, and disconnecting deletes it.
How locked-down the key is, the honest version.Neither venue hands you a key that is restricted to reading by default, so we won’t tell you yours is. Kalshi keys default to full access (read and write) unless you narrow them, but Kalshi does support a read scope, so the connect screen tells you to select it and leave write / trade / transfer off. Polymarket US offers no such scope today; there, the only things standing between your key and a trade are that our code never calls a trading endpoint and that you can disconnect at any time. We would rather say that plainly than let you assume a guarantee the venue never gave.
Encryption. Your venue API secret is encrypted at rest with AES-256-GCM and is only ever decrypted to sign a read request to that venue. Traffic runs over TLS. Our own service keys live in Google Cloud Secret Manager.
Infrastructure. All compute and storage runs on Google Cloud in US regions. The database is not exposed to the public internet, and production access is limited to the founding team.
Disconnect and delete.Disconnecting a venue deletes the stored API key and the trade history we synced from it. We don’t have a self-serve “delete my account” button yet, until we do, email support@realize.tax and we’ll erase your data.
The third-party tools we run, plainly.We would rather tell you than have you find them in your browser’s devtools:
- Amplitude (product analytics). Page views and named product events (which steps you reach, which buttons you click) so we can see where the product breaks. Events are tied to your account ID and email. Dollar figures are sent only as coarse ranges, never exact amounts and never individual trades.
- Sentry (error monitoring). Crashes and performance traces, plus session replay on a sample of sessions and on sessions where something goes wrong. Replays have all text and inputs masked. We see layout and clicks, not your numbers. Error events carry your account ID, email, and IP address. We never attach your API keys or trade data to them.
- Google (sign-in) and Stripe (payments). Firebase Authentication and Google Sign-In handle your login, and Stripe handles checkout if you subscribe. Neither is a tracker, and we never see or store your card details.
What we don’t run, and don’t do.No ad networks, no advertising pixels, no data resellers. We don’t sell your data, and we don’t share your trade history with anyone.
Found a vulnerability? Email security@realize.tax. We’re a small team, so we won’t promise a response window we can’t keep, but security reports go to the front of the queue, and we’ll tell you what we found.