LEGAL

Privacy Policy

Last updated: 25 April 2025

We don't sell your data. We collect only what we need to operate the Service. No advertising networks, no third-party marketing profiling.

01

Overview

MarketCatalyx ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

We collect only the data necessary to operate and improve the Service. We do not sell, rent, or trade your personal information to any third party for advertising or commercial profiling purposes.

02

Data We Collect

We collect the following categories of data:

  • Email address — provided at registration via Supabase Auth
  • Watchlist tickers and alert preferences — set by you in the watchlist feature
  • Payment information — handled entirely by our payment processor; we do not store card numbers
  • IP address and browser type — collected automatically by our hosting infrastructure
  • Usage count and search queries — used for rate limiting and service improvement

Data storage summary

Data type | Where stored | Purpose
Email address | Supabase Auth | Account access, transactional emails
Watchlist tickers | Supabase Postgres | Personalisation, alert triggers
Analysis cache | Supabase Postgres (24 hr TTL) | Performance, deduplication
Alert history | Supabase Postgres (12 months) | Digest emails, user history
Usage count | Supabase / localStorage | Free-tier rate limiting
IP address | Vercel logs (30 days) | Security, abuse prevention

03

How We Use Data

We use the data we collect solely for the following purposes:

  • Operating and delivering the Service to you
  • Enforcing rate limits (5 free analyses per day for free-tier users)
  • Security — detecting and preventing abuse, fraud, and unauthorised access
  • Service improvement — understanding aggregate usage patterns
  • Billing — processing subscription payments via our payment processor
  • Legal compliance — responding to lawful requests from authorities

We do not use your data for advertising, behavioural profiling, or third-party marketing.

04

Sharing & Disclosure

We do not sell your data. We share your data only with the following sub-processors, who are contractually bound by Data Processing Agreements (DPAs):

  • Supabase — database and authentication (user records, watchlist, analysis cache)
  • Vercel — application hosting (server logs, IP addresses)
  • Resend — transactional email delivery (alert digests, account emails)
  • Payment processor — billing only; receives only the data required to process your subscription

We may disclose your data if required to do so by law or in response to a valid legal process, or to protect the rights, property, or safety of MarketCatalyx, our users, or the public.

05

Retention

We retain your data only as long as necessary:

  • Account data — retained until you delete your account
  • Alert history — 12 months rolling
  • Analysis cache — 24 hours TTL, then automatically purged
  • Server logs — 30 days (Vercel infrastructure)
  • Billing records — 7 years, as required by financial regulations

Upon account deletion, we will remove your personal data within 30 days, except where retention is required by law (e.g., billing records).

06

Cookies & Local Storage

We use a minimal set of storage mechanisms:

  • Supabase auth cookies — essential session cookies required to keep you logged in. These cannot be disabled without losing access to authenticated features.
  • localStorage (logged-out users) — we store your watchlist and daily usage count in your browser's localStorage when you are not signed in. This data never leaves your device.

We do not use advertising cookies, Google Analytics, or Facebook Pixel. No third-party tracking scripts are loaded on any page.

07

Security

We implement the following security measures:

  • All data in transit is encrypted via HTTPS / TLS
  • API keys and service credentials are stored as server-side environment variables and are never exposed to the browser
  • Database access is protected by Supabase Row Level Security (RLS) — users can only access their own data
  • The Supabase service-role key is used exclusively in server-side code and is never sent to the client

No security measure is perfect. If you discover a vulnerability, please report it responsibly to stockmoveai@gmail.com.

08

Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (right to be forgotten)
  • Portability — receive your data in a machine-readable format
  • Objection & restriction — object to or restrict certain processing activities
  • Withdraw consent — opt out of alert emails at any time via the watchlist toggle, without contacting us

To exercise any of these rights, email stockmoveai@gmail.com. We will respond within 30 days.

EU and UK users have the right to lodge a complaint with their local supervisory authority (e.g., the ICO in the UK) if they believe their data has been processed unlawfully.

09

Children

MarketCatalyx is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data, please contact us at stockmoveai@gmail.com and we will take steps to delete the data promptly.

10

International Data Transfers

Your data may be processed in the United States and other countries where our sub-processors (Supabase, Vercel, Resend) operate. These countries may have different data protection laws than your own jurisdiction.

For transfers of personal data from the European Economic Area (EEA) or the United Kingdom to third countries, we rely on Standard Contractual Clauses (SCCs) or equivalent mechanisms approved by the relevant supervisory authorities, as provided by our sub-processors' DPAs.

11

Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will provide at least 14 days' notice via email or an in-app banner before the changes take effect.

The "Last updated" date at the top of this page always reflects the most recent revision. Your continued use of the Service after the effective date constitutes your acceptance of the updated Policy.

12

Contact

For privacy-related enquiries or to exercise your data rights, contact us at:

stockmoveai@gmail.com

We aim to respond within 30 days. To unsubscribe from alert digest emails, use the alert toggle on your watchlist page — you do not need to contact us.

Also see our Terms of Service.