Privacy Policy
Last updated: 26 May 2026
1. Controller
The data controller for personal data processed via chartgrade is [Your Legal Entity Name], [Address]. Contact: privacy@chartgrade.app.
2. What we collect
Account data
- Email address (for login and transactional email)
- Display name (optional, you choose)
- Authentication tokens (managed by Supabase)
Subscription data
- Subscription tier (free / pro / trader)
- Stripe customer ID and subscription ID (no card details — those live with Stripe only)
- Billing status (active / past_due / canceled)
Usage data you create
- Trades and positions you manually log
- Notes, tags, comments
- Account-equity preference (stored in your browser, also synced to your profile)
Technical data
- IP address (logged briefly for security; auto-purged after 30 days)
- Browser type, OS, referrer (anonymized analytics)
- Error logs (for debugging — no personal data attached)
What we do NOT collect
- We do not collect or store your credit-card details (Stripe does, on PCI-DSS infrastructure)
- We do not collect broker credentials or live account balances unless you explicitly connect them (Trader tier opt-in)
- We do not sell your data to third parties
- We do not use behavioral advertising trackers
3. Legal basis (GDPR Art. 6)
- Contract — providing the Service you signed up for
- Legitimate interest — fraud prevention, platform security, basic analytics
- Consent — non-essential cookies, marketing email (separate opt-in)
- Legal obligation — tax / VAT records (kept for 7 years per EU law)
4. Who we share data with
- Supabase (EU-hosted) — database + auth provider
- Stripe (US, with EU SCCs) — payment processing
- Resend (EU + US) — transactional email
- Vercel (US, with EU SCCs) — hosting
- Anthropic (US, with EU SCCs) — generates written market commentary; your personal trading data is never sent to it
All processors are bound by Data Processing Agreements (DPAs) and, where data leaves the EU, by Standard Contractual Clauses (SCCs).
5. International transfers
Some processors (Stripe, Vercel, Anthropic) are based in the United States. Transfers to the US rely on EU-approved SCCs and supplementary measures (encryption at rest and in transit). You can request the SCC text at privacy@chartgrade.app.
6. Retention
- Account data: while your account is active, plus 30 days after a deletion request
- Trading journal: until you delete it (you control this)
- Billing records: 7 years (required by EU tax law)
- Server logs: 30 days
7. Your rights under GDPR
You have the right to:
- Access — request a copy of all data we hold about you
- Rectification — correct inaccurate data
- Erasure — "right to be forgotten"
- Restriction — pause processing while you challenge accuracy
- Portability — export your data in a machine-readable format
- Object — opt out of legitimate-interest processing
- Withdraw consent — for any processing based on consent
- Lodge a complaint — with your local Data Protection Authority
To exercise any right, email privacy@chartgrade.app. We respond within 30 days.
8. Security
All data is encrypted in transit (TLS 1.3) and at rest. Supabase enforces Row-Level Security so users can only access their own data. We follow OWASP best practices. In the event of a personal data breach affecting your rights, we will notify you and the relevant supervisory authority within 72 hours per GDPR Art. 33.
9. Children
The Service is not directed at children under 18. We do not knowingly process data from anyone under 18. If you believe a child has provided us data, contact us and we will delete it.
10. Changes to this Policy
We will notify you of material changes via email at least 14 days before they take effect.
11. Contact
Privacy questions: privacy@chartgrade.app
Data Protection Authority (NL): autoriteitpersoonsgegevens.nl
⚠ Replace bracketed placeholders with your actual entity details before launch. Have a qualified data-protection lawyer review.