Privacy Policy

Account data: when you create an account, we collect your email address and authentication credentials via our identity provider (Supabase Auth). Password hashes are managed by Supabase and are never visible to us in plain text.

Payment data: when you subscribe to a paid plan, our payment processor Creem.io collects your billing details (name, card information, billing address, country). We do not store card numbers on our servers; we only store a customer ID and a reference to your current subscription status.

Usage data: we log basic technical information (page views, IP address, user agent, referrer, timestamps) through Vercel Analytics to understand aggregate traffic and improve the Service. This data is de-identified where possible.

Cookies and local storage: we use essential cookies for authentication sessions and preference storage (locale, theme). We do not use third-party advertising or cross-site tracking cookies.

User-submitted content: if you upload files to the admin panel or submit feedback via email, we process that content solely to deliver the service you requested.

We use the information we collect to:

• Provide, maintain, and secure the Service;
• Process subscription payments, renewals, cancellations, and refunds;
• Send transactional emails (receipts, password resets, service notices);
• Generate AI commentary and translations via Google Gemini based on aggregate market data (no personal data is sent to Gemini);
• Detect abuse, fraud, or violations of our Terms of Service;
• Comply with legal obligations.

We do not sell your personal data. We do not use your data to train third-party machine-learning models.

To operate the Service we rely on the following sub-processors. Each is bound by its own privacy policy and contractual obligations.

• Supabase — database hosting and authentication. Stores account data and subscription state. Data region: Supabase-managed.
• Vercel — web hosting and analytics. Processes incoming HTTP requests and aggregate visitor metrics.
• Google Gemini (Google LLC) — AI model used to generate market commentary and translations. We send only aggregate, non-personal market data to this service.
• Creem.io — payment processor. Handles payment card data, billing addresses, and tax information in compliance with PCI-DSS.

We rely on the following legal bases under the GDPR:

• Contract: to create your account, deliver the Service, and process payments;
• Legitimate interest: to secure the Service, prevent abuse, and analyze aggregate usage;
• Legal obligation: to retain billing records and comply with tax law;
• Consent: for any optional processing where consent is requested.

We retain account data for as long as your account remains active. If you delete your account, we delete or anonymize your personal data within 30 days, except for records we are legally required to retain (for example, billing records for tax purposes — typically 7 years).

Server logs are retained for up to 90 days; aggregate analytics are retained without personal identifiers.

Depending on your jurisdiction (GDPR, CCPA, and similar frameworks), you may have the right to:

• Access the personal data we hold about you;
• Request correction of inaccurate data;
• Request deletion of your data ("right to be forgotten");
• Export your data in a portable format;
• Object to or restrict certain processing;
• Withdraw consent at any time, where processing is based on consent;
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@optionsdaily.app. We will respond within 30 days.

We use industry-standard security measures including encrypted connections (TLS), secure password hashing managed by Supabase, access controls, and environment-segregated production credentials. However, no method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

Our sub-processors may store and process data in the United States or other countries. Where data is transferred outside the EEA/UK, we rely on the sub-processor's Standard Contractual Clauses or equivalent safeguards.

The Service is not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us and we will promptly delete it.

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on the Service at least 14 days before taking effect. The "Effective date" at the top of this page reflects the latest revision.