Legal
Privacy Policy
Last updated: May 13, 2026
1. Who we are
TradeUpTarget operates the website at tradeuptarget.com. For the purposes of GDPR and similar laws, we are the data controller for personal data collected through the Service.
2. What we collect
When you create an account or use the Service, we collect:
- Account info: email address (required), display name (optional), and a salted scrypt hash of your password. We do not store plaintext passwords.
- Session data: an HTTP-only authentication cookie (tut_token) so you stay logged in.
- Billing data: Stripe customer ID and subscription ID. Payment card details are handled entirely by Stripe; we never see them.
- API usage: if you generate an API key, we log request counts against it for rate-limiting.
- Optional settings: if you configure Discord webhook delivery, we store the webhook URL you provide.
- Server logs: standard HTTP server logs (IP address, user-agent, request path, response code, timestamp) retained for up to 30 days for security and debugging.
- Audit events: a record of security-relevant events (login, email change, plan change, etc.) tied to your profile ID.
3. How we use it
- To authenticate you and provide the Service.
- To process payments via Stripe and grant/remove access on subscription events.
- To send transactional emails: email verification, password resets, billing notifications, and important security alerts. We don’t send marketing emails without your opt-in.
- To enforce acceptable use, prevent fraud, and rate-limit API usage.
4. Third-party processors
We use the following service providers, each of whom processes data on our behalf under their own privacy and security commitments:
- Stripe — payment processing.
- Resend — sending transactional emails.
- Supabase — database and file storage (hosted in the US).
- Vercel — application hosting.
- GitHub Actions — running the daily scanner cron.
5. Cookies
We use a single first-party cookie, tut_token, set with HttpOnly, SameSite=Lax, and (in production) Secure flags. It contains a random session token tied to your account and is deleted on logout or expiry. We do not use third-party analytics or tracking cookies.
6. Data retention
- Account data is kept while your account is active.
- If you delete your account, we delete or anonymize your profile within 30 days. Some records may persist longer where required by law (e.g. tax records on Stripe’s side).
- Server logs are rotated within 30 days.
7. Your rights
Depending on your jurisdiction, you may have the right to access, correct, export, restrict processing of, or delete your personal data. To exercise these rights, email support@tradeuptarget.com. We will respond within 30 days.
EU/UK/EEA users have the right to lodge a complaint with their local data protection authority if they feel we have not adequately addressed their concerns.
8. Security
We use TLS (HTTPS) for all traffic, scrypt password hashing with per-user salts, Row Level Security on the Supabase database, and server-side-only access tokens for our backend services. No system is perfectly secure; we do our best.
9. Children
The Service is not directed at children under 13, and we do not knowingly collect data from anyone under that age. If you believe we have, please contact us so we can delete it.
10. International transfers
Our infrastructure is hosted primarily in the United States. By using the Service from outside the US, you consent to your data being transferred and processed there.
11. Changes
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice. Continued use after the effective date constitutes acceptance.
12. Contact
Questions about this Privacy Policy or your data? Email support@tradeuptarget.com.