Security as a first-class concern.
We never hold your money.
Tykhy is not a broker, not a money transmitter, not a custodian. For ten of the twelve venues (Kalshi, Gemini, opinion.trade, etc.) you keep trading on your own venue accounts — your funds live where you deposited them, your orders sign from your own credentials. For Polymarket, we offer an optional non-custodial execution path: your own Privy-managed embedded wallet signs every order, your USDC stays in that wallet, Tykhy only relays the signed order to the Polymarket CLOB. If Tykhy disappeared tomorrow, your wallet (and the funds in it) would be entirely under your control through any standard Privy recovery flow.
We never see your private keys.
Tykhy stores zero private keys, wallet seeds, or signing material — none of it sits on our servers, ever. Embedded wallets for Polymarket execution are provisioned by Privy and held in a hardware-isolated trusted execution environment that even Privy can't directly access; the wallet authenticates against your account, signs orders client-side, and Tykhy only sees the signed payload. The only other optional credential we touch is a public Polymarket wallet address you paste in for read-only on-chain position import — public data only, no signing.
Everything is authenticated.
No anonymous paths. Every action that touches your data or your exchanges requires a verified, signed-in session. Sensitive endpoints are rate-limited against abuse.
Stripe handles your card, not us.
Billing runs through Stripe Checkout. Your card number never touches Tykhy's servers, never lives in our logs, never sits in our database. We store a Stripe customer ID and a plan tier. That's the entire payment surface.
Minimal surface. Deletable on request.
We store what's necessary to operate the product — your account, your portfolios, your audit log, your AI usage counters. We don't sell data, we don't share with ad networks, we don't enrich with third parties. Email support to delete your account and we nuke the row.
Responsible disclosure welcome.
Found something? support@tykhy.com. We reply within 48 hours, we don't sue researchers, and we credit the find in the fix notes unless you'd rather we didn't. No bug bounty yet — it's coming once the revenue line supports it.
Found a hole? Tell us.
support@tykhy.com. 48-hour reply SLA. Responsible disclosure is how trust gets earned.