Privacy notice
Catalyst by ZISHI — Privacy Policy
This in-product notice mirrors the version-controlled compliance artefact at docs/compliance/PRIVACY_POLICY.md. Its companions — the Data Protection Impact Assessment (DPIA.md) and the Legitimate Interests Assessment (LIA.md) — sit alongside it.
1. Who this notice is for
Catalyst is a forward-looking trading simulator and education product. It is not investment advice, not a regulated brokerage, executes no real orders, and holds no client money (Build Spec §28, Appendix F.7). This notice explains what personal data we process when you use Catalyst, why, on what lawful basis, and the rights you have over it.
It covers two audiences: juniors / individual users — the people who play sessions and build a TPI; and managers / organisations (B2B) — heads of desk and training organisations who use the Manager View to read cohort readiness. For organisation-supplied cohort data we typically act as a processor on the organisation's instructions; the organisation is the controller of that data.
We treat all users as adults; Catalyst does not target minors.
2. What data we process
Data minimisation. Guest-first onboarding deliberately collects no PII until you claim an account. Each feature collects only what it needs (Appendix F.5).
| Data | Category | Source | Purpose |
|---|---|---|---|
| Email, account credentials | Identifier (PII) | You, at claim | Account, authentication, certification |
| Guest session data (pre-claim) | Pseudonymous | Generated in play | Let you try before creating an account |
| Session & action logs, fills | Behavioural (personal) | Generated in play | Deterministic TPI scoring, replay, debrief |
| TPI scores, behavioural flags | Behavioural (personal) | Derived | The behavioural fingerprint, gates, certification |
| Risk-profiler signals | Behavioural / profiling | Derived silently in normal play | See §4 — behavioural risk profile read by the Manager View |
| L10 written explanations (free text) | User content (may contain PII) | You, at Level 10 | AI-assisted rubric grading of your written rationale |
| Billing identifiers | Financial (PII), via Stripe | You, on purchase | Payment (tokenised by Stripe; we do not store card data) |
3. How session data works (and why it is personal data)
Every Catalyst session is deterministic: given its random seed plus your action log, the exact market tape and your fills can be reconstructed bit-for-bit (Build Spec §12.6, Appendix D). This powers replay, replay-from-the-fork, and same-tape cohort comparison.
Because a session log can be tied to you and reconstructs your individual behaviour, a session log is personal data. Its retention and the way erasure interacts with the deterministic chain are described in §7.
4. The silent behavioural risk-profiler — disclosure (UK-GDPR Art. 13–14)
This section is the disclosure required by Build Spec Appendix F.5 and §28. We surface it here in full, and a discoverable pointer to it is carried on the Manager View and the Desk-Ready certificate (the honest boundary).
That profiling occurs. Alongside the visible game, Catalyst runs a second, quiet set of risk-profiler drills in the background of normal play (Build Spec §9). These are not labelled as tests and you are not told in the moment that a given decision is being profiled. This is automated behavioural profiling within the meaning of UK-GDPR.
Why we do it silently — and why that is disclosed here. People behave differently when they know they are being profiled, which would distort the very behaviour we are trying to measure. Not telling you in the moment is necessary for the integrity of the assessment. This is acceptable only because the practice is disclosed up front, here, in this policy (Appendix F.5). Silence in the moment is not silence overall.
Purpose. The purpose of the profiler is behavioural assessment that feeds the Trader Performance Index (TPI) — a process-first, ten-dimension behavioural fingerprint that measures how you think and behave under pressure, not whether you got lucky (Build Spec §13). The profile contributes to your TPI, your behavioural flags, and the readiness picture a manager sees.
The logic, in general terms. Scoring is deterministic and rule-based, computed in our engine from your structured action and fill log — not a black-box model and not an AI that decides your number. Calibrated bands define what good looks like per level and instrument; your behaviour is normalised against those bands, never against profit-and-loss. An AI model (Claude) is used only to narrate results in plain language and to grade your written Level-10 explanation against an explicit rubric whose aggregation is deterministic; the AI never computes or alters a TPI value or a gate decision (Build Spec §13, §14.2).
Lawful basis. We rely on legitimate interests for the risk-profiler and for product-integrity / anti-cheat processing, backed by a Legitimate Interests Assessment (docs/compliance/LIA.md). A Data Protection Impact Assessment has been carried out for the profiler (docs/compliance/DPIA.md).
Categories of behavioural data used.
- Drawdown behaviour: how you act when a position moves against you (cut, hold, widen the stop, double down).
- Profit protection: whether you protect gains or give them back.
- Rule compliance: adherence to your own stated plan, bias and invalidation.
- Loss recovery: behaviour after a loss (e.g. revenge-sizing, tilt, overtrading).
These map onto the TPI dimensions for position management, stops, sizing, risk-adjusted return, prep, and focus/discipline (Build Spec §13.1). We do not process special-category data, and we do not profile on the basis of any protected characteristic.
5. Automated decision-making and the Art. 22 position
The TPI ultimately feeds a B2B credential / readiness signal (the Desk-Ready certification and the Manager View) that could have a significant effect on a person — for example in a promotion or hiring conversation. We have assessed this against UK-GDPR Art. 22 (automated individual decision-making, including profiling) and have designed the product so that no decision producing legal or similarly significant effects is taken solely by automated means.
- Meaningful human oversight is built in. A manager interprets the TPI; the system is a teaching and screening signal, not a verdict. The Manager View explicitly reminds managers that TPI requires human judgement, not an automated pass/fail (Appendix F.7).
- No automatic rejection. The system does not auto-reject, auto-fail, or auto-promote anyone. Gates are transparent thresholds that inform a human, who decides.
- Route to human review. You can request that a human review any assessment or decision that relies on your TPI, and you can contest it. Contact [dpo@…].
This human-in-the-loop design, and the up-front disclosure in §4, are the conditions under which profiling-without-in-the-moment-notice is lawful here.
6. Lawful bases (summary)
| Processing | Lawful basis |
|---|---|
| Delivering the simulator (core sessions, scoring, account) | Contract |
| Product-integrity / anti-cheat | Legitimate interests (see LIA) |
| Silent behavioural risk-profiler | Legitimate interests (see LIA + DPIA) |
| B2B cohort processing | Org's instructions (we may be processor) |
| Non-essential analytics / marketing | Consent (opt-in) |
7. Your rights, and how erasure interacts with determinism
You have the right to access, rectify, export (portability), object/restrict, and erase your personal data. We provide self-service access/export (a machine-readable export of your profile and session metadata) and erasure.
Retention. A session log is retained for the active life of the account plus a defined window (target: 24 months) for cohort/credential validity, then reviewed and anonymised. Risk-profiler signals are retained on a DPIA-bound schedule. Billing identifiers are retained per Stripe and applicable tax law.
To exercise any right, contact [dpo@…]. We respond within the statutory time limits.
- Anonymise rather than hard-delete where the record underpins integrity. On erasure we strip the user link and direct identifiers from session/action logs, retaining only de-identified, non-reversible behavioural features needed for aggregate integrity and the tamper-evident chain.
- Hard-delete free text and direct PII. Your L10 written explanations and any direct PII (e.g. email) are deleted, not anonymised.
- Cohort aggregates are retained only in non-re-identifiable form.
- We document, per field, which data is anonymised versus deleted (maintained alongside the DPIA).
8. Data residency and international transfers
- India (DPDP Act). For India-resident users we account for DPDP localisation / transfer expectations: we prefer regional storage for India-resident users where feasible, document the cross-border transfer mechanism, and keep the residency decision recorded in the DPIA (Appendix F.5).
- EU / UK. Transfers to sub-processors are covered by SCCs / UK IDTA / adequacy as applicable.
- Encryption. All data is encrypted in transit over TLS 1.2+ (we prefer 1.3) and encrypted at rest (Postgres/TimescaleDB, Redis, backups, secrets store).
9. Sub-processors
We use the sub-processors below. We maintain a current public sub-processor list and notify organisations of changes per the relevant DPA. In-session price paths are synthetic (Build Spec §15.4); we do not redistribute live exchange data to users.
| Sub-processor | Purpose | Data shared |
|---|---|---|
| Anthropic (Claude API) | AI narration / L10 grading | L10 text and derived prompts (no PII beyond your content; no secrets, no seeds) |
| Stripe | Billing | Billing identifiers (PCI handled by Stripe) |
| Financial Modeling Prep | Economic calendar | No user PII (vendor data inbound) |
| Trading Economics | Economic calendar | No user PII |
| Databento | Historical ticks (offline calibration) | No user PII; offline only, never exposed to users |
| Cloud provider | Hosting / storage | All hosted data (DPA; region controls) |
10. Complaints
You can complain to your supervisory authority — in the UK, the Information Commissioner's Office (ICO); in the EU, your local DPA; in India, the Data Protection Board under the DPDP Act. We would appreciate the chance to address your concern first via [dpo@…].
11. Changes to this notice
We keep this policy under version control as a living compliance artefact and review it at each major release (Appendix F.7). Material changes will be notified in-product and to organisations per their DPA.
Catalyst measures the teachable layer — decision quality, discipline, sizing, process — under simulation. It does not predict how a person behaves with real money on the line. Only the live market teaches that.