Privacy Policy

Last updated: June 2026

// historical observations · same outputs for every subscriber · not investment advice

In one paragraph — what BullAlert processes and what it does NOT

BullAlert is an alternative data intelligence layer, not a market data redistributor. We process minimal personal data (email, subscription state, preferences) to operate the Service under GDPR. Market data we use is licensed for internal processing only and never redistributed; the raw data is used solely for internal pattern identification by our proprietary algorithm. We do not redistribute, display, or re-expose raw market data to subscribers. Every subscriber receives the same algorithmic outputs at the same time — there is no individualized profiling and no automated decision-making about you within the meaning of GDPR Article 22.

1. Data Controller

The Data Controller for Your personal data is:

  • Name: Adrian Bigaj, Firma informatyczna BigsonDev Adrian Bigaj
  • Business name: BullAlert (Jednoosobowa Działalność Gospodarcza)
  • Registered address: Karmelicka 5/5, 31-133 Kraków, Małopolskie
  • NIP: 9452234988
  • REGON: 385858724
  • Contact: adrian@bullalert.ai

2. What Data We Collect

// Personal data only (account/billing/preferences) · No exchange data category · Market data ingested separately is historical (T-1+) and never personal

  • Account data: Email address (used for authentication via magic link)
  • Subscription data: Stripe customer ID, subscription status (we never store card numbers)
  • Preferences: Notification settings, theme preference, minimum alert tier
  • Usage data: Pages visited, features used (anonymous analytics only)
  • Consent records: Timestamps and versions of Terms of Service, Privacy Policy, and Investment Disclaimer consents

3. Legal Basis for Processing (GDPR Article 6)

We process Your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Account creation, authentication, subscription management, service delivery, and sending transactional communications necessary for the Service
  • Legitimate interest (Art. 6(1)(f)): Security and fraud prevention, service improvement, anonymous usage analytics
  • Consent (Art. 6(1)(a)): Marketing communications (where applicable) — You may withdraw consent at any time
  • Legal obligation (Art. 6(1)(c)): Tax and accounting record retention as required by Polish law (5-year retention period under Ordynacja podatkowa)

4. How We Use Your Data

  • To provide and maintain the Service
  • To authenticate you via magic link emails
  • To manage your subscription through Stripe
  • To send notifications based on your preferences
  • To improve the Service

5. Marketing vs Transactional Communications

We distinguish between two types of communications:

Transactional (no separate opt-in required): Magic link authentication emails, subscription confirmations, payment receipts, trial expiration reminders, service notifications, and daily alert summaries. These are essential for service operation.

Marketing (explicit opt-in required): Promotional content, feature announcements, and re-engagement campaigns. Marketing emails require explicit opt-in consent and include an unsubscribe link in every message. You can manage your communication preferences in Settings or by contacting adrian@bullalert.ai.

6. Data Storage & Security

Your data is stored securely via Supabase (PostgreSQL) with encryption at rest. Authentication is handled by Supabase Auth. Payment processing is handled by Stripe — we never store, process, or have access to your full card details.

7. AI Assistant & Automated Decision-Making

// Same outputs for every subscriber · No individualized profiling · Not advice

Our AI assistant features process user prompts through third-party large-language-model providers under contractual data-processing terms. Prompts and conversation context are transmitted to these processors solely to generate responses. Providers do not train models on this data. See Sub-processors below.

Automated decision-making (GDPR Article 22): BullAlert outputs are generated by an automated proprietary scoring algorithm. These outputs are NOT individualized decisions about you — the algorithm processes public market and news data, not your personal data, and produces the same output for all subscribers. You are not subject to automated decisions producing legal or significant effects within the meaning of Article 22 GDPR by virtue of using BullAlert.

8. Sub-processors

// Sub-processors listed for GDPR Art. 28 specificity · Market data infrastructure provider supplies historical (T-1+) bars only, no personal data

We use the following third-party sub-processors to deliver the Service:

  • Supabase (Supabase Inc., USA): Database, authentication, serverless functions. Data shared: email, account data, preferences.
  • Stripe (Stripe Inc., USA): Payment processing. Data shared: email, Stripe customer ID, payment metadata. We never store full card details.
  • Vercel (Vercel Inc., USA): Website hosting. Data shared: IP addresses, access logs.
  • Cloudflare (Cloudflare Inc., USA): CDN, DDoS protection, edge compute. Data shared: IP addresses, request metadata.
  • Resend (Resend Inc., USA): Transactional email delivery. Data shared: email address, email content.
  • OpenAI (OpenAI LLC, USA): Large-language-model inference for AI analysis features. Data shared: ticker symbols, public content, and where the AI assistant is used, user prompts.
  • Anthropic (Anthropic PBC, USA): Large-language-model inference for the AI assistant. Data shared: user prompts and conversation context.
  • Discord (Discord Inc., USA): Community integration for subscribers who link their Discord account. Data shared: Discord user ID, role membership.
  • Market data infrastructure provider: Historical daily market data and reference data for internal computation only. No personal data shared. Specific entities disclosed on request to adrian@bullalert.ai.
  • Social platforms: Public data aggregation only. No user personal data sent.

9. International Data Transfers

Your personal data may be transferred to and processed in the United States by our sub-processors listed above. These transfers are made pursuant to: (a) European Commission Standard Contractual Clauses (SCCs); (b) the sub-processor's certification under relevant data protection frameworks. By using the Service, You acknowledge these transfers. The Data Controller ensures that appropriate safeguards are in place in accordance with GDPR Chapter V requirements.

10. Cookies & Local Storage

We use:

  • Authentication cookies (required for login sessions)
  • localStorage for theme preference, notification settings, and consent records
  • Consent records stored in localStorage are synced to Your server-side profile upon authentication
  • No third-party tracking cookies

11. Your Rights (GDPR & CCPA)

You have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Request corrections to your data
  • Deletion: Delete your account and all associated data
  • Export: Export your data in a portable format
  • Objection: Object to processing based on legitimate interest
  • Restriction: Request restriction of processing in certain circumstances
  • Withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal (GDPR Article 7(3))
  • Opt-out: Disable notifications and marketing communications at any time
  • Complaint: Lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl

To exercise these rights, use the Settings page or contact adrian@bullalert.ai. We will respond to data rights requests within 30 days. To verify Your identity, we may request additional information.

12. Data Retention

  • Account data: Retained while your account is active. Upon deletion, we remove all personal data within 30 days.
  • Financial/billing records: Retained for 5 years per Polish tax law (Ordynacja podatkowa).
  • Consent records: Retained for the duration of the account plus 3 years after deletion.
  • Anonymous data: Aggregated alert performance data may be retained indefinitely for historical records.

13. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy periodically. Material changes will be communicated via email. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the Service after changes constitutes acceptance of the updated policy.

15. Contact

For privacy inquiries, data access requests, or complaints, contact:

  • Email: adrian@bullalert.ai
  • Postal address: Adrian Bigaj, Firma informatyczna BigsonDev Adrian Bigaj, Karmelicka 5/5, 31-133 Kraków, Małopolskie