Privacy Policy
This page describes what personal data Watch4Insider collects, how we use it, and who we share it with. We keep it short so you can actually read it.
What we collect
- Account: your email address, an optional display name, and (if you sign up with a password) a one-way bcrypt hash of your password. We never see or store the plaintext password.
- Consent record: the timestamp, IP address, and browser user-agent at the moment you accepted our Disclaimer, Terms, and Privacy Policy. This is our proof that you opted in.
- Alert configuration: the screeners you save, the alert rules you create, the email destinations you configure, and the tickers on your watchlist.
- Billing: if you subscribe, a Stripe customer ID and the subscription state Stripe sends us via webhook. We do not see or store your card details.
- Session cookie: a first-party JWT cookie issued by Auth.js that keeps you signed in. No third-party tracking cookies are set.
- Operational logs: server-side request logs and error traces containing IP, user-agent, request path, and (when relevant) user ID. Retained for 30 days for debugging and abuse investigation.
What we do not collect
We do not ask for and do not store: government IDs, social security numbers, bank account numbers, brokerage credentials, or any non-public investment positions.
How we use it
- To run your account, deliver alerts, and process payments.
- To prove that you accepted our legal documents at a specific version.
- To debug problems, investigate abuse, and improve the Service.
- To send transactional email (sign-in links, alerts, billing receipts). We do not send marketing email without a separate opt-in.
Who we share it with
The Service relies on a small number of third-party processors:
- Microsoft Azure — application hosting and the SQL database holding your account, screeners, and alerts.
- Stripe — payment processing for paid plans. Stripe receives your email and card details directly; we receive only Stripe’s tokenised customer/subscription IDs.
- Resend — outbound email delivery for sign-in links, alerts, and password resets.
- eodhd.com — third-party price feed used to enrich alerts. We send tickers, not user identity.
We do not sell your personal data and we do not share it with advertisers.
Retention
Account data is kept for as long as your account exists. After you request deletion (see below), we remove your account record and associated screeners, alert rules, watchlists, and consent records within 30 days. Anonymised aggregate statistics (e.g. “number of alerts sent in May 2026”) may be retained indefinitely. Operational logs are rotated out after 30 days.
Your rights
You can view your basic account data on the account page. To export, correct, or delete your data, email pbednarski@gmail.com from the address on your account. We will respond within 30 days.
Security
Passwords are stored as bcrypt hashes. All traffic to the site is over HTTPS. Application secrets are stored in Azure Key Vault with managed-identity access. We make no guarantee that any system is fully secure; if we become aware of a breach affecting your data, we will notify you without undue delay.
Changes to this Policy
We may update this Policy. When we do, we will bump the version number above and require you to re-accept it on your next sign-in to a protected page.
Contact
Privacy questions or requests: pbednarski@gmail.com.