Privacy Policy
Information We Collect
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, hashed password | Authentication |
| Preferences | Watchlist tickers, direction filter, language | Personalized dashboard |
| Device | FCM push token, platform (iOS/Android) | Push notifications |
| Usage | Page visits, hashed IP address | Analytics, abuse prevention |
| Billing | Stripe customer ID, subscription status | Payments (Stripe handles card data) |
We do not collect location, contacts, camera, microphone, or any other device sensor data.
How We Use Your Information
- Authenticate your account and maintain your session
- Deliver personalized market signals and news for your watchlist
- Send push and email alerts when a watchlist ticker has a high-confidence signal
- Process subscription payments through Stripe
- Improve the service and prevent abuse
- Comply with legal obligations
App Permissions
| Permission | Why | Required? |
|---|---|---|
| Notifications | Send real-time market alerts for your watchlist tickers | Optional |
| Internet | Load market news, signals, dashboard data, and account sync | Required |
| Vibration | Haptic feedback when a notification arrives | Optional |
We never request access to location, camera, microphone, contacts, storage, or biometric data.
Data Sharing
We do not sell your personal data. We share data only with the following trusted sub-processors:
- Supabase / PostgreSQL — database hosting (EU/US servers)
- Vercel — application hosting and serverless functions
- Stripe — payment processing (PCI-DSS Level 1)
- Resend — transactional email delivery
- Firebase (Google) — push notification delivery
- OpenAI — AI analysis of news headlines (no personal data sent)
Data Retention
We retain your account data for as long as your account is active. You may request account deletion at any time by contacting support. Upon deletion, personal data is removed within 30 days. Anonymized analytics data may be retained indefinitely.
Security
- Passwords are hashed with bcrypt (never stored in plain text)
- All connections use HTTPS / TLS 1.2+
- Session tokens are signed with HMAC-SHA256
- API endpoints are protected with CSRF tokens and rate limiting
- IP addresses are stored as one-way hashes
Your Rights
Depending on your jurisdiction, you may have the following rights:
- Access — request a copy of your data
- Rectification — correct inaccurate data
- Erasure — request deletion of your account and data
- Portability — receive your data in a machine-readable format
- Opt-out — disable push and email notifications from settings
Cookies
We use only strictly necessary cookies:
- session — authentication token (httpOnly, Secure)
- csrf_token — cross-site request forgery protection
- lang — language preference (en/es)
We do not use advertising, analytics, or tracking cookies.
Children's Privacy
Profit Alerts is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If you believe we have inadvertently collected data from a minor, please contact us immediately.