← Back to Dashboard

Privacy Policy

Last updated: [DATE]

This Privacy Policy explains how [OPERATOR_NAME] ("we", "us") collects, uses, and protects your personal data when you use ATH Scanner (the "Service"). It complies with the EU General Data Protection Regulation (GDPR), the UK GDPR, and is structured to address the California Consumer Privacy Act (CCPA) where applicable.

1. Data Controller

The data controller is:

[OPERATOR_NAME]

[OPERATOR_ADDRESS]

Email: [OPERATOR_EMAIL]

Tax ID: [TAX_ID]

2. What Data We Collect

Account data

  • Email address
  • Authentication credentials (hashed password, OAuth tokens)
  • Timestamp of registration and last login
  • IP address at registration

Subscription data (for paid users)

  • Subscription tier and status
  • Billing email (handled by Stripe; we do not store card details)
  • Stripe customer ID
  • Billing history (invoice references)

Usage data

  • Pages visited and features used within the Service
  • Device and browser information (user-agent string)
  • IP address (truncated for analytics where possible)
  • Timestamps of activity

Communications

  • Emails or messages you send us
  • Support tickets

We do NOT collect:

  • Payment card numbers (handled directly by Stripe)
  • Bank account information
  • Financial portfolio or trading account data
  • Identification documents
  • Biometric data

3. Legal Bases for Processing (GDPR)

We process your data on the following legal bases:

  • Contractual necessity (Art. 6(1)(b) GDPR): to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): to operate, secure, and improve the Service; to detect fraud and abuse; to keep records.
  • Consent (Art. 6(1)(a) GDPR): for optional cookies, marketing emails, and any processing where consent is the appropriate basis. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c) GDPR): to comply with tax, accounting, and other legal requirements.

4. How We Use Your Data

We use your data to:

  • Provide and operate the Service (account, dashboard, charts).
  • Process subscription payments through Stripe.
  • Send transactional emails (account verification, password resets, billing notifications, important service updates).
  • Respond to support requests.
  • Monitor, secure, and improve the Service.
  • Comply with legal obligations (e.g., issuing invoices for tax purposes).
  • Detect and prevent fraud, abuse, and security threats.

We do not sell your personal data. We do not use your data to make automated decisions with legal or similarly significant effects on you.

5. Sharing With Third Parties

We share data only with service providers that help us operate the Service:

ProviderPurposeData sharedLocation
SupabaseDatabase, authentication, hostingAccount data, usage dataEU/US (configurable)
VercelWeb hosting and CDNIP, user-agent, pages visitedGlobal CDN
StripePayment processingEmail, name, billing addressGlobal
Email providerTransactional emailsEmail, message content[Region]
[Optional: analytics provider]Aggregated usage analyticsTruncated IP, page views[Region]

These providers are contractually bound to protect your data and to use it only for the purposes we instruct.

We may disclose data when required by law, court order, or to protect our rights, property, or safety.

6. International Transfers

Some of our providers (Stripe, Vercel) may transfer data outside the EU/EEA, including to the United States. Where this is the case, transfers are protected by:

  • The EU-US Data Privacy Framework (where applicable).
  • Standard Contractual Clauses approved by the European Commission.
  • Other safeguards required by GDPR.

7. Data Retention

We retain your data for as long as your account is active and as needed to provide the Service.

After account deletion:

  • Account data is deleted within 30 days, except where retention is legally required.
  • Billing records are retained for the period required by tax law (typically 4–7 years depending on jurisdiction).
  • Anonymized usage data may be retained indefinitely.

8. Your Rights

If you are in the EU/EEA, UK, or another jurisdiction with similar laws, you have the right to:

  • Access your data and obtain a copy.
  • Rectify inaccurate or incomplete data.
  • Erase your data ("right to be forgotten") subject to legal retention obligations.
  • Restrict processing in certain circumstances.
  • Object to processing based on legitimate interest.
  • Data portability: receive your data in a structured, commonly used format.
  • Withdraw consent at any time for processing based on consent.
  • Lodge a complaint with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD): https://www.aepd.es

For California residents (CCPA), you have similar rights, including the right to know what personal information we collect, the right to delete, and the right to opt out of sale (we do not sell personal data).

To exercise any of these rights, contact [OPERATOR_EMAIL]. We will respond within 30 days.

9. Security

We use industry-standard security measures, including:

  • HTTPS encryption for all traffic.
  • Hashed and salted passwords (managed by Supabase Auth).
  • Role-based access controls on the database.
  • Restricted access to production systems.
  • Regular software updates and security monitoring.

No system is completely secure. If we become aware of a personal data breach affecting your rights and freedoms, we will notify the relevant authority within 72 hours as required by GDPR, and we will notify you without undue delay where required.

10. Cookies and Similar Technologies

We use a minimal set of cookies:

  • Strictly necessary cookies: authentication session, security. These do not require consent.
  • Functional cookies: user preferences (e.g., dismissed banners).
  • Analytics cookies (if used): aggregated usage analytics. Subject to your consent where required.

You can manage cookies via your browser settings. Blocking strictly necessary cookies may prevent the Service from working.

11. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a notice on the Service. The "Last updated" date at the top will always reflect the latest version.

13. Contact

For privacy-related questions or to exercise your rights:

[OPERATOR_NAME]

[OPERATOR_ADDRESS]

[OPERATOR_EMAIL]