Privacy Policy
Effective date: 11 May 2026
Version: 2.0
This Privacy Policy explains what personal data Global Live Tracker ("the Service", "we") collects, why, how we use it, and the rights you have. This policy is written to comply with the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Data controller
Global Live Tracker is the controller of your personal data. Contact: privacy@globaltrackers.app.
2. What we collect
Account & profile
- email address, display name, language preference, plan tier
- authentication identifiers from your sign-in provider (Supabase Auth)
Usage & telemetry (only with consent)
- analytics events (page views, feature usage)
- aggregated performance metrics (no IP address, no precise location)
Trading data (only if you opt in to live trading)
- exchange API credentials, encrypted at rest with libsodium via Supabase pgsodium
- order audit trail (live_trading_audit), reconciliation drift events
- risk-disclosure acceptance log (timestamp, hashed IP, country, user agent fragments)
Support correspondence
- emails you send us and our replies
Cookies
- a strictly necessary session cookie (Supabase auth)
- optional analytics and functional cookies — only set after you accept them in the cookie banner
We do not sell personal data. We do not use it for cross-context behavioural advertising.
3. Why we process it (legal bases)
| Purpose | Legal basis |
|---|---|
| Provide the Service, fulfil your account | Contract (Art. 6(1)(b) GDPR) |
| Process payments | Contract + legal obligation |
| Send transactional emails (security, billing) | Contract |
| Send marketing emails | Consent (you can revoke any time at /settings/privacy) |
| Analytics & product improvement | Consent |
| Fraud prevention, abuse detection, kill-switch | Legitimate interest |
| Comply with finance, AML, KYC and tax law | Legal obligation |
4. Third-party processors
We share the minimum personal data needed with:
- Supabase — database, authentication, storage (EU region where available)
- OpenRouter — AI inference (prompts may include the symbol or topic you asked about; never raw credentials)
- Resend — transactional and (with consent) marketing email
- Stripe — payment processing (we never see your full card number)
- Cloudflare — edge delivery and DDoS protection
- the brokerage / exchange API you choose to connect (Alpaca, Saxo, KuCoin, Polymarket, etc.) — only the credentials you supply, used solely to route your own orders
Each processor is bound by a Data Processing Agreement.
5. International transfers
Where data is transferred outside the EEA / UK we rely on Standard Contractual Clauses or an adequacy decision.
6. Retention
| Data | Retention |
|---|---|
| Account profile | until account deletion + 30-day grace |
| Authentication logs | 90 days |
| live_trading_audit | 7 years (financial record obligation) |
| risk_disclosure_acceptance_log | 10 years (regulatory) |
| credential_access_log | 2 years |
| AI usage logs | 13 months |
| Marketing consent log | 3 years after withdrawal |
| Cookies (analytics) | 13 months max |
When you delete your account we revoke exchange credentials immediately, then purge personal data after the 30-day grace period and issue a deletion_certificates record.
7. Your rights (GDPR Articles 15–22)
You have the right to:
- access a copy of your data — request from /settings/privacy
- rectify inaccurate data — edit profile or contact us
- erase your data — /settings/privacy → Delete account (30-day grace)
- restrict or object to processing
- portability — JSON export from /settings/privacy
- withdraw consent at any time without affecting prior lawful processing
- lodge a complaint with your supervisory authority (e.g. CNIL in France, AP in the Netherlands, ICO in the UK)
We respond to requests within 30 days.
8. Security
- credentials encrypted at rest with libsodium (pgsodium)
- TLS 1.2+ in transit
- row-level security on every personal table
- per-user credential decryptors with full access logging
- secrets isolated to server runtime; never bundled to the browser (scripts/check-secrets.ts enforces this on every build)
No system is perfect. If you discover a vulnerability, please email security@globaltrackers.app.
9. Children
The Service is not intended for users under 18 for any feature involving live trading or paid plans. Do not provide personal data if you are under that age.
10. Geographic restrictions
Live trading is geo-blocked from certain jurisdictions per regulatory requirements (see country_venue_blocklist). Read-only public surfaces remain accessible.
11. Changes to this policy
We will notify you in-product and by email of material changes and will re-prompt consent where required. The version number and effective date at the top of this page always reflect the current revision.
12. Contact
- General privacy questions: privacy@globaltrackers.app
- Data Protection Officer: dpo@globaltrackers.app
- Postal: as listed on the imprint page
This is version 2.0. Older versions are kept in the privacy_policy_versions table and available on request.