Privacy Policy
Last updated: February 2026
1. Data Controller
The Data Controller for Your personal data is:
- Name: [OWNER_NAME]
- Business name: BullAlert (Jednoosobowa Działalność Gospodarcza)
- Registered address: [BUSINESS_ADDRESS]
- NIP: [NIP]
- REGON: [REGON]
- Contact: adrian@bullalert.ai
2. What Data We Collect
- Account data: Email address (used for authentication via magic link)
- Subscription data: Stripe customer ID, subscription status (we never store card numbers)
- Preferences: Notification settings, theme preference, minimum alert tier
- Usage data: Pages visited, features used (anonymous analytics only)
- Push notification data: Browser push subscription endpoints (if you enable browser notifications)
- Consent records: Timestamps and versions of Terms of Service, Privacy Policy, and Investment Disclaimer consents
3. Legal Basis for Processing (GDPR Article 6)
We process Your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): Account creation, authentication, subscription management, service delivery, and sending transactional communications necessary for the Service
- Legitimate interest (Art. 6(1)(f)): Security and fraud prevention, service improvement, anonymous usage analytics
- Consent (Art. 6(1)(a)): Marketing communications (where applicable) — You may withdraw consent at any time
- Legal obligation (Art. 6(1)(c)): Tax and accounting record retention as required by Polish law (5-year retention period under Ordynacja podatkowa)
4. How We Use Your Data
- To provide and maintain the Service
- To authenticate you via magic link emails
- To manage your subscription through Stripe
- To send notifications based on your preferences
- To improve the Service
5. Marketing vs Transactional Communications
We distinguish between two types of communications:
Transactional (no separate opt-in required): Magic link authentication emails, subscription confirmations, payment receipts, trial expiration reminders, service notifications, and daily alert summaries. These are essential for service operation.
Marketing (explicit opt-in required): Promotional content, feature announcements, and re-engagement campaigns. Marketing emails require explicit opt-in consent and include an unsubscribe link in every message. You can manage your communication preferences in Settings or by contacting adrian@bullalert.ai.
6. Data Storage & Security
Your data is stored securely via Supabase (PostgreSQL) with encryption at rest. Authentication is handled by Supabase Auth. Payment processing is handled by Stripe — we never store, process, or have access to your full card details.
7. Sub-processors
We use the following third-party sub-processors to deliver the Service:
- Supabase (Supabase Inc., USA): Database, authentication, and serverless functions. Data shared: email, account data, preferences.
- Stripe (Stripe Inc., USA): Payment processing. Data shared: email, Stripe customer ID, payment metadata. We never store full card details.
- Vercel (Vercel Inc., USA): Website hosting and CDN. Data shared: IP addresses, access logs.
- Reddit (Reddit Inc., USA): Public API access for stock mention scanning. Data shared: none — we only read publicly available posts. No user personal data is sent to Reddit.
- OpenAI (OpenAI LLC, USA): AI analysis generation for stock alerts. Data shared: stock ticker symbols and publicly available Reddit post content. No user personal data is sent to OpenAI.
- Resend (Resend Inc., USA): Transactional email delivery. Data shared: email address, email content.
8. International Data Transfers
Your personal data may be transferred to and processed in the United States by our sub-processors listed above. These transfers are made pursuant to: (a) European Commission Standard Contractual Clauses (SCCs); (b) the sub-processor's certification under relevant data protection frameworks. By using the Service, You acknowledge these transfers. The Data Controller ensures that appropriate safeguards are in place in accordance with GDPR Chapter V requirements.
9. Cookies & Local Storage
We use:
- Authentication cookies (required for login sessions)
- localStorage for theme preference, notification settings, and consent records
Consent records stored in localStorage are synced to Your server-side profile upon authentication. We do not use third-party tracking cookies.
10. Your Rights (GDPR & CCPA)
You have the right to:
- Access: Request a copy of your personal data
- Rectification: Request corrections to your data
- Deletion: Delete your account and all associated data
- Export: Export your data in a portable format
- Objection: Object to processing based on legitimate interest
- Restriction: Request restriction of processing in certain circumstances
- Opt-out: Disable notifications and marketing communications at any time
- Complaint: Lodge a complaint with the Polish supervisory authority: Prezes Urzędu Ochrony Danych Osobowych (PUODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl
To exercise these rights, use the Settings page or contact adrian@bullalert.ai. We will respond to data rights requests within 30 days. To verify Your identity, we may request additional information.
11. Data Retention
- Account data: Retained while your account is active. Upon deletion, we remove all personal data within 30 days.
- Financial/billing records: Retained for 5 years per Polish tax law (Ordynacja podatkowa).
- Consent records: Retained for the duration of the account plus 3 years after deletion.
- Anonymous data: Aggregated alert performance data may be retained indefinitely for historical records.
12. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor, we will take steps to delete that information promptly.
13. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the Service after changes constitutes acceptance of the updated policy.
14. Contact
For privacy inquiries, data access requests, or complaints, contact:
- Email: adrian@bullalert.ai
- Postal address: [OWNER_NAME], [BUSINESS_ADDRESS]