Privacy Policy

Table of Contents

1. Information We Collect
2. How We Use Your Information
3. Legal Basis for Processing (GDPR)
4. Data Sharing and Disclosure
5. Advertising and Analytics Partners
6. Cookies and Tracking Technologies
7. Data Security
8. Data Retention
9. International Data Transfers
10. Your Rights and Choices
11. GDPR Rights (EU/EEA/UK Users)
12. CCPA/CPRA Rights (California Residents)
13. Other US State Privacy Rights
14. Automated Decision-Making
15. Data Breach Notification
16. Children's Privacy
17. Third-Party Links and Services
18. Changes to This Policy
19. Contact Us

1. Information We Collect

We are committed to data minimization and only collect information necessary to provide and improve our Service. Below is a comprehensive list of the categories of information we collect:

1.1 Information You Provide Directly

• Account Information: Email address, username/display name, password (stored using industry-standard encryption)
• Profile Information: Preferences, timezone, notification settings, language preferences
• Payment Information: Credit/debit card details, billing address (processed securely by third-party payment processors; we do NOT store full card numbers)
• Communication Data: Support requests, feedback, emails, chat messages, and other correspondence you send to us
• User Content: Watchlists, saved searches, analysis configurations, and any other content you create within the Service

1.2 Information Collected Automatically

• Usage Data: Pages visited, features used, time spent on pages, click patterns, search queries, referring/exit pages
• Device Information: Browser type and version, operating system, device type (desktop/mobile/tablet), screen resolution, device identifiers
• Log Data: IP address, access times, referring URLs, error logs, request identifiers, server logs
• Location Data: Approximate geographic location based on IP address (country/region level only; we do NOT collect precise GPS location)
• Cookie Data: Information from cookies, pixels, and similar tracking technologies (see Section 6)

1.3 Sensitive Personal Information

Under the California Privacy Rights Act (CPRA), certain categories of personal information are considered "Sensitive Personal Information." We collect the following sensitive information:

• Account Login Credentials: Email/username and password combinations
• Financial Account Information: Payment card details (processed by third-party processors)
• Precise Geolocation: We do NOT collect precise geolocation data

We use sensitive personal information only for purposes permitted under CPRA, such as providing the Service, processing payments, and fraud prevention. You have the right to limit the use of your sensitive personal information (see Section 12).

1.4 Information from Third Parties

• Authentication Providers: If you sign in via third-party services (e.g., Google OAuth), we receive basic profile information (email, name) as authorized by you
• Payment Processors: Transaction confirmation, subscription status, and fraud prevention data
• Analytics Providers: Aggregated usage statistics and audience insights
• Advertising Partners: Conversion data and audience matching (with your consent where required)

1.5 Information We Do NOT Collect

We do NOT knowingly collect:

• Social Security numbers or government-issued ID numbers
• Health or medical information
• Racial or ethnic origin, religious beliefs, or political opinions
• Biometric data
• Information from children under 18
• Precise GPS location data

2. How We Use Your Information

We use the collected information for the following purposes:

2.1 Service Delivery

• Providing, maintaining, and operating the Service
• Processing your account registration and authentication
• Processing payments and managing subscriptions
• Delivering personalized analysis, recommendations, and opportunity alerts
• Providing customer support and responding to inquiries

2.2 Communication

• Sending service-related notifications (account updates, security alerts, subscription changes)
• Responding to your inquiries and support requests
• Sending marketing communications and promotional offers (with your consent where required; you can opt out at any time)
• Providing opportunity alerts and notifications you've subscribed to

2.3 Improvement and Analytics

• Analyzing usage patterns to improve features and user experience
• Conducting research and analysis to enhance our services
• Debugging and troubleshooting technical issues
• Developing new features and products
• Measuring advertising effectiveness

2.4 Security and Compliance

• Detecting and preventing fraud, abuse, and security threats
• Enforcing our Terms of Service and other policies
• Complying with legal obligations and responding to legal requests
• Protecting our rights, property, and safety, and that of our users
• Conducting risk assessments as required by law

2.5 Advertising

• Measuring the effectiveness of our advertising campaigns
• Creating audiences for targeted advertising (with consent where required)
• Retargeting users who have visited our Service
• Attributing conversions to advertising campaigns

3. Legal Basis for Processing (GDPR)

If you are in the EU, EEA, or UK, we process your personal data based on one or more of the following legal bases under Article 6 of the GDPR:

3.1 Consent

Where we rely on consent, you have the right to withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. You can withdraw consent by:

• Adjusting your account settings
• Clicking "unsubscribe" in marketing emails
• Adjusting cookie preferences in our cookie banner
• Contacting us at [email protected]

3.2 Legitimate Interests

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests do not override your fundamental rights. Our legitimate interests include:

• Operating and improving our Service
• Preventing fraud and ensuring security
• Understanding how users interact with our Service
• Communicating about our Service

4. Data Sharing and Disclosure

We may share your information with the following categories of recipients:

4.1 Service Providers (Processors)

We use third-party service providers who process data on our behalf under contractual Data Processing Agreements (DPAs):

• Cloud Infrastructure: Cloudflare (CDN, security), Vercel (hosting)
• Database Services: Supabase (PostgreSQL database, authentication)
• Payment Processing: Stripe, FrogDrip (PCI-DSS compliant payment handling)
• Email Services: Transactional email providers for notifications
• Customer Support: Help desk and support ticket systems

These providers are contractually bound to protect your data, process it only as instructed, and delete it upon termination of services.

4.2 Analytics and Advertising Partners (Controllers/Joint Controllers)

We share data with analytics and advertising partners who may act as independent or joint controllers:

• Google Analytics: Website analytics and audience insights
• Meta (Facebook) Pixel: Advertising measurement and conversion tracking
• TikTok Pixel: Advertising measurement
• Google Ads: Advertising and remarketing

See Section 5 for more details on advertising partners and how to opt out.

4.3 Legal Requirements

We may disclose your information when required or permitted by law to:

• Comply with applicable laws, regulations, or legal processes (e.g., subpoenas, court orders)
• Respond to valid legal requests from government authorities
• Protect and defend our legal rights, property, or safety
• Prevent fraud, abuse, or illegal activities
• Enforce our Terms of Service

4.4 Business Transfers

If we are involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will:

• Provide notice before your information becomes subject to a different privacy policy
• Require the acquiring entity to honor the commitments in this Privacy Policy
• Give you the opportunity to opt out where required by law

4.5 With Your Consent

We may share your information with third parties when you explicitly consent to such sharing.

4.6 Aggregated or De-Identified Data

We may share aggregated or de-identified information that cannot reasonably be used to identify you. This data is not subject to the restrictions in this Privacy Policy.

5. Advertising and Analytics Partners

We use the following advertising and analytics technologies. These partners may collect information about your online activities over time and across different websites:

5.1 Google Analytics

• Purpose: Website analytics, audience insights, user behavior analysis
• Data Collected: Page views, session duration, device info, approximate location
• Data Controller: Google LLC acts as a data processor; we are the controller
• Opt Out: Google Analytics Opt-out Browser Add-on

5.2 Meta (Facebook/Instagram) Pixel

• Purpose: Advertising measurement, conversion tracking, audience creation for ads
• Data Collected: Page visits, events (e.g., sign-ups), device info, IP address
• Data Controller: Meta Platforms, Inc. acts as a joint controller for certain processing
• Opt Out: Facebook Ad Preferences

5.3 TikTok Pixel

• Purpose: Advertising measurement and conversion tracking
• Data Collected: Page visits, events, device info
• Data Controller: TikTok acts as an independent controller
• Opt Out: TikTok Privacy Settings

5.4 Google Ads

• Purpose: Advertising, remarketing, conversion tracking
• Data Collected: Interactions with ads, conversion events
• Data Controller: Google LLC acts as an independent controller under Controller-Controller terms
• Opt Out: Google Ads Settings

5.5 Opting Out of Targeted Advertising

You can opt out of targeted advertising through:

• Industry Opt-Out Tools: Digital Advertising Alliance, Network Advertising Initiative
• Platform Settings: Use the opt-out links above for each platform
• Browser Settings: Enable "Do Not Track" or use privacy-focused browsers
• Global Privacy Control (GPC): We honor GPC signals (see Section 12.6)
• Contact Us: Email [email protected]

6. Cookies and Tracking Technologies

We use cookies and similar technologies (pixels, web beacons, local storage) to operate and improve our Service. This section explains what these technologies are and how we use them.

6.1 What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They help the website remember your preferences and understand how you interact with it.

6.2 Types of Cookies We Use

• Strictly Necessary Cookies: Essential for authentication, security, and basic functionality. These cannot be disabled as the Service cannot function without them.
  • Session cookies for authentication
  • Security cookies (CSRF protection)
  • Load balancing cookies
• Functional/Preference Cookies: Store your preferences like language, theme, timezone, and display settings.
• Analytics Cookies: Help us understand how visitors use our Service through aggregated data (Google Analytics).
• Advertising/Marketing Cookies: Used to measure advertising effectiveness and deliver relevant ads (Meta Pixel, TikTok Pixel, Google Ads). Require consent in EU/EEA/UK.

6.3 First-Party vs. Third-Party Cookies

• First-Party Cookies: Set by marketodds.ai for authentication and preferences
• Third-Party Cookies: Set by our partners (Google, Meta, TikTok) for analytics and advertising

6.4 Cookie Consent (EU/EEA/UK)

If you are in the EU, EEA, or UK, we obtain your consent before placing non-essential cookies on your device, in compliance with the ePrivacy Directive and GDPR. You can:

• Accept or reject non-essential cookies via our cookie banner
• Change your preferences at any time by clearing cookies and revisiting the site
• Use browser settings to block or delete cookies

6.5 Managing Cookies

You can control cookies through your browser settings. Most browsers allow you to:

• View what cookies are stored on your device
• Delete all or specific cookies
• Block third-party cookies
• Block all cookies (note: this will affect functionality)

6.6 Other Tracking Technologies

• Pixels/Web Beacons: Small images that track page visits and conversions (used by Meta Pixel, TikTok Pixel)
• Local Storage: Browser storage used for preferences and caching
• Device Fingerprinting: We may use limited device fingerprinting for fraud prevention and security purposes

6.7 Do Not Track (DNT)

Some browsers offer "Do Not Track" (DNT) signals. There is currently no industry standard for DNT compliance, so we do not respond to DNT signals specifically. However, we DO honor Global Privacy Control (GPC) signals as required by California law.

7. Data Security

We implement industry-standard technical and organizational security measures to protect your personal information:

7.1 Technical Measures

• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher
• Encryption at Rest: Sensitive data is encrypted using AES-256 encryption
• Password Security: Passwords are hashed using bcrypt with appropriate cost factors; we never store plaintext passwords
• Secure Authentication: Session management with secure tokens; optional two-factor authentication
• Network Security: Web Application Firewall (WAF), DDoS protection, intrusion detection

7.2 Organizational Measures

• Access Control: Role-based access control; principle of least privilege
• Employee Access: Limited to those with a legitimate business need
• Vendor Management: Security assessments of third-party providers
• Incident Response: Documented procedures for security incidents

7.3 Payment Security

• Payment processing handled by PCI-DSS Level 1 compliant processors (Stripe)
• We never store, process, or transmit full credit card numbers on our servers
• Tokenization used for recurring payments

8. Data Retention

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by law.

8.1 Retention Periods

8.2 Account Deletion

When you delete your account or request deletion:

• Personal data is deleted or anonymized within 30 days
• Data in backups is deleted within 90 days
• Certain data may be retained for legal compliance (e.g., transaction records for tax purposes)
• Anonymized or aggregated data may be retained indefinitely for analytics

9. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your country.

9.1 Safeguards for EU/EEA/UK Data

When we transfer personal data outside the EU/EEA/UK, we ensure appropriate safeguards are in place:

• EU-US Data Privacy Framework: Transfers to US organizations certified under the framework
• Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements with our service providers
• UK Addendum: UK-specific addendum to SCCs for UK data
• Adequacy Decisions: Transfers to countries deemed adequate by the European Commission or UK government
• Supplementary Measures: Additional technical and organizational measures where necessary

9.2 Transfer Impact Assessments

We conduct transfer impact assessments to evaluate the level of protection in destination countries and implement supplementary measures where needed.

10. Your Rights and Choices

Depending on your location and applicable law, you may have the following rights regarding your personal information:

• Right to Access: Request a copy of the personal data we hold about you
• Right to Correction: Request correction of inaccurate or incomplete data
• Right to Deletion: Request deletion of your personal data (subject to exceptions)
• Right to Portability: Receive your data in a structured, machine-readable format
• Right to Object: Object to processing based on legitimate interests or for direct marketing
• Right to Restrict: Request restriction of processing in certain circumstances
• Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
• Right to Opt Out: Opt out of the sale or sharing of your personal information

10.1 How to Exercise Your Rights

You can exercise your rights by:

• Account Settings: Access, correct, or delete much of your data directly in your account settings
• Email: Submit a request to [email protected]
• Unsubscribe: Click "unsubscribe" in any marketing email

10.2 Verification

To protect your privacy, we will verify your identity before processing requests. Verification may include:

• Confirming the email address associated with your account
• Matching information you provide with information we have on file
• Additional verification for sensitive requests

10.3 Response Timeframes

• GDPR Requests: Within 30 days (extendable by 60 days for complex requests)
• CCPA/CPRA Requests: Within 45 days (extendable by 45 days)
• Other Requests: Within a reasonable timeframe, typically 30 days

10.4 Appeals

If we deny your request, you have the right to appeal. Contact us at [email protected] with "Appeal" in the subject line.

11. GDPR Rights (EU/EEA/UK Users)

If you are located in the European Union, European Economic Area, or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) and UK GDPR:

11.1 Your GDPR Rights

• Right of Access (Art. 15): Obtain confirmation of processing and access to your personal data, including a copy of the data
• Right to Rectification (Art. 16): Correct inaccurate personal data and complete incomplete data
• Right to Erasure (Art. 17): Request deletion ("right to be forgotten") when data is no longer necessary, consent is withdrawn, or processing is unlawful
• Right to Restriction (Art. 18): Restrict processing while accuracy is contested, processing is unlawful, or we no longer need the data but you need it for legal claims
• Right to Portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format and transmit it to another controller
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing (we will stop unless we have compelling grounds)
• Rights Related to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects

11.2 Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority in your country of residence if you believe our processing of your personal data violates GDPR. A list of EU supervisory authorities is available at edpb.europa.eu.

For UK residents, you may contact the Information Commissioner's Office (ICO) at ico.org.uk.

11.3 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms.

11.4 Contact for GDPR Matters

For GDPR-related inquiries: [email protected]

12. CCPA/CPRA Rights (California Residents)

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), effective January 1, 2023, with additional requirements effective January 1, 2026.

12.1 Your California Privacy Rights

• Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell/share
• Right to Delete: Request deletion of your personal information, subject to certain exceptions
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: Opt out of the "sale" or "sharing" of your personal information for cross-context behavioral advertising
• Right to Limit Use of Sensitive Personal Information: Limit use of sensitive personal information to purposes necessary for providing the Service
• Right to Non-Discrimination: Not receive discriminatory treatment for exercising your privacy rights

12.2 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of personal information:

12.3 Sale and Sharing Disclosure

However, we may "share" personal information (as defined under CPRA) with advertising partners for cross-context behavioral advertising. This includes sharing identifiers and internet activity with Meta, Google, and TikTok through tracking pixels. You have the right to opt out of this sharing.

12.4 Do Not Sell or Share My Personal Information

To opt out of the sale or sharing of your personal information:

• Email us at [email protected] with subject "Do Not Sell or Share My Personal Information"
• Enable Global Privacy Control (GPC) in your browser (see Section 12.6)

12.5 Sensitive Personal Information

We collect sensitive personal information (account login credentials) only for purposes necessary to provide the Service, specifically for authentication. We do not use sensitive personal information for purposes beyond what is necessary or permitted under CPRA.

12.6 Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals. If you enable GPC in your browser, we will treat it as a valid opt-out request for the sale/sharing of personal information associated with that browser.

12.7 Exercising Your California Rights

To exercise your California privacy rights:

• Submit a Request: Email [email protected]
• Response Time: We will respond within 45 days (may be extended by an additional 45 days for complex requests)
• Verification: We will verify your identity by matching information you provide with our records

12.8 Authorized Agents

You may designate an authorized agent to make requests on your behalf. The agent must provide:

• Signed written authorization from you, OR
• Power of attorney under California Probate Code

We may still require you to verify your identity directly.

12.9 Financial Incentives

We do not currently offer financial incentives (discounts, rewards) in exchange for personal information. If we offer such programs in the future, we will provide the required disclosures.

12.10 California "Shine the Light" Law

Under California Civil Code Section 1798.83, California residents may request information about our disclosure of personal information to third parties for their direct marketing purposes. We do not disclose personal information to third parties for their own direct marketing purposes.

13. Other US State Privacy Rights

In addition to California, several other US states have enacted comprehensive privacy laws. If you are a resident of these states, you may have similar rights:

13.1 Virginia (VCDPA)

Virginia residents have rights to access, correct, delete, obtain a copy of, and opt out of targeted advertising, sale, and profiling under the Virginia Consumer Data Protection Act.

13.2 Colorado (CPA)

Colorado residents have rights under the Colorado Privacy Act, including the right to opt out of targeted advertising and sales.

13.3 Connecticut (CTDPA)

Connecticut residents have rights under the Connecticut Data Privacy Act similar to Virginia and Colorado residents.

13.4 Utah (UCPA)

Utah residents have rights under the Utah Consumer Privacy Act, including the right to access, delete, and opt out of certain processing.

13.5 Nevada (SB 220)

Nevada residents may opt out of the sale of covered information. To exercise this right, email [email protected] with "Nevada Opt-Out" in the subject line.

13.6 Exercising Your Rights

Regardless of your state, you can exercise your privacy rights by contacting [email protected]. We will process your request in accordance with applicable state law.

14. Automated Decision-Making and Profiling

14.1 How We Use Automated Processing

We use automated processing in the following ways:

• Analysis Generation: Our algorithms analyze historical market data to generate probability scores and analysis. This is the core function of the Service.
• Personalization: We use automated systems to personalize your experience (e.g., recommended tickers, display preferences).
• Fraud Prevention: Automated systems help detect suspicious activity and potential fraud.
• Advertising: Third-party advertising partners may use automated systems to determine ad relevance.

14.2 Solely Automated Decisions

We do NOT make decisions based solely on automated processing that produce legal effects or similarly significant effects on you. All significant decisions (e.g., account termination, subscription changes) involve human review.

14.3 Your Rights Regarding Automated Processing

Under GDPR and certain US state laws, you have the right to:

• Receive information about the logic involved in automated processing
• Request human review of automated decisions
• Express your point of view and contest decisions

To exercise these rights, contact [email protected].

14.4 Profiling

We engage in limited profiling to improve your experience. This includes analyzing your usage patterns to recommend features and content. This profiling does NOT have legal or similarly significant effects on you. You can object to profiling for direct marketing purposes at any time.

15. Data Breach Notification

We have implemented procedures to detect, investigate, and respond to personal data breaches in accordance with applicable law.

15.1 Our Breach Response Procedures

• Detection: Continuous monitoring for security incidents
• Assessment: Rapid assessment of scope, affected data, and risk to individuals
• Containment: Immediate steps to contain the breach and prevent further access
• Notification: Timely notification to authorities and affected individuals as required

15.2 Notification to Authorities

If a breach is likely to result in a risk to individuals' rights and freedoms:

• GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
• US State Laws: We will notify state attorneys general as required by applicable state breach notification laws

15.3 Notification to Affected Individuals

If a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay. Notification will include:

• Description of the breach
• Types of data affected
• Likely consequences
• Steps we are taking to address the breach
• Recommendations for steps you can take to protect yourself

16. Children's Privacy

We do not knowingly collect personal information from children under 18. Our Service involves financial analysis and is designed for adult users only.

If you are a parent or guardian and believe your child has provided us with personal information:

• Contact us immediately at [email protected]
• We will promptly investigate and delete such information from our systems
• We will take steps to prevent future unauthorized use

Under CPRA (effective January 1, 2026), personal information of consumers under 16 is classified as sensitive personal information. Since we do not knowingly collect information from anyone under 18, this classification does not apply to our Service.

17. Third-Party Links and Services

Our Service may contain links to third-party websites, services, or applications that are not operated by us. This Privacy Policy does not apply to third-party services.

Third-party services may include:

• Financial data providers
• News and research websites
• Social media platforms
• Payment processors

We encourage you to review the privacy policies of any third-party services you access. We are not responsible for the privacy practices, content, or security of third-party services.

18. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:

• We will update the "Last updated" and "Effective Date" at the top of this Policy
• For material changes, we will notify you via email (to the address associated with your account) and/or a prominent notice on our Service at least 30 days before the changes take effect
• For minor changes (e.g., formatting, clarifications), we may update without advance notice

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with the changes, you should stop using the Service and delete your account.

We encourage you to review this Privacy Policy periodically to stay informed about our data practices.

19. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Response Times

• General inquiries: Within 5 business days
• Privacy rights requests: Within timeframes required by applicable law (30-45 days)
• Urgent security matters: Within 24-48 hours