🐋 WhaleWatch

Privacy Policy

Version 1.0 · Last updated April 25, 2026

1. Who We Are

WhaleWatch (“we”, “our”, “us”) is a financial-data analytics service operated from British Columbia, Canada. This Privacy Policy explains what personal information we collect when you use whalewatchapp.com (the “Service”), how we use it, and the choices you have about it. By using the Service you agree to the practices described here. For any privacy-related inquiry, contact us at [email protected].

2. Information We Collect

We collect only what we need to operate the Service:

  • Account information. Email address and password hash, created when you sign up via Supabase Auth.
  • User-generated content. Watchlists, alert configurations, notes, and delivery channel webhooks (Discord, Slack) that you create within the app.
  • Brokerage data (optional). If you connect a brokerage through Plaid, we receive account balances, holdings, and transaction history for the accounts you authorize. We do not receive your brokerage login credentials — those are held by Plaid.
  • Billing information. If you subscribe to Pro, Stripe receives your card details and shares with us only the subscription status, customer ID, and last-four card digits. We never see or store your full card number.
  • Usage data. Cloudflare logs request metadata (IP, path, status code, user agent) for every HTTP request. We use this for abuse prevention and reliability monitoring, not for advertising.
  • Cookies. A single first-party session cookie set by Supabase Auth keeps you logged in. We do not use third-party advertising cookies or tracking pixels.

3. How We Use Information

  • To provide the core features of the Service — display data you requested, run alerts you configured, sync your linked brokerage.
  • To send transactional emails (alert notifications, security notices, billing receipts) through Resend.
  • To bill you and process refunds through Stripe, when you subscribe to a paid plan.
  • To detect, investigate, and prevent abuse of the Service.
  • To comply with legal obligations and respond to lawful requests.

4. Legal Basis (GDPR / PIPEDA)

Where applicable, we process personal information on the following legal bases:

  • Contract. To deliver the Service you signed up for.
  • Consent. Where you have explicitly opted in (e.g., connecting a brokerage, subscribing to a newsletter).
  • Legitimate interests. To secure the Service, prevent fraud, and improve reliability.
  • Legal obligation. Where required by Canadian, U.S., or other applicable law.

5. Subprocessors

We rely on a small number of vendors to operate the Service. Each receives only the data needed for its specific function:

  • Supabase — managed PostgreSQL, authentication, Edge Functions (data hosted on AWS us-east-1).
  • Cloudflare — DNS, CDN, web application firewall, Pages hosting.
  • Plaid — financial-account aggregation, only when you choose to connect a brokerage.
  • Stripe — payment processing for paid subscriptions.
  • Resend — transactional email delivery.
  • Finnhub, FMP, Polygon, SEC EDGAR, Quiver Quant — upstream market-data providers. We send no personal information to these providers; they supply public market data only.

6. Data Retention

  • Account and user-generated data are retained for as long as your account is active.
  • Plaid-sourced brokerage data is retained while your linked institution remains connected. Disconnecting a brokerage from the in-app portfolio screen revokes the Plaid access token and stops further sync.
  • Cloudflare and Supabase logs follow each provider's default retention windows (typically 7–30 days).
  • You may request deletion of your account and all associated data at any time by emailing [email protected]. We will action the request within 30 days.

7. Your Rights

Depending on your jurisdiction, you may have rights including: access to your personal information, correction, deletion, restriction of processing, data portability, and objection to processing. To exercise any of these rights, email [email protected]. We respond within 30 days.

If you believe we have mishandled your information, you may file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your local data-protection authority.

8. Security

We protect your information with TLS 1.2+ in transit, AES-256 encryption at rest, role-based access control, row-level security in our database, and multi-factor authentication on all administrative accounts. Full controls are described in our Information Security Policy. No system is perfectly secure; in the event of a confirmed breach affecting your data, we will notify you by email within 72 hours.

9. Children

The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us and we will delete it.

10. International Transfers

The Service is operated from Canada, and data is processed primarily in the United States (AWS us-east-1). By using the Service you acknowledge that your information may be transferred to and processed in jurisdictions other than your own.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to active users at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the current version.

12. Contact

For privacy questions or requests, contact [email protected]. For security-specific concerns, use [email protected].

This Privacy Policy is reviewed annually and whenever we change how we handle personal information.