Privacy Policy
Last updated: February 2026
1. Information We Collect
Account Information
When you sign in, we collect your email address. We use passwordless authentication (magic links), so we do not store passwords.
Usage Data
We collect IP addresses and user agent strings when you sign in or verify your email. This data is used for rate limiting, security monitoring, and abuse prevention.
Portfolio Data
If you use personalized features, you may provide stock holdings (tickers, share counts, cost basis). This data is stored to generate personalized overlay suggestions.
Billing Data
Payment processing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store credit card numbers or payment details directly.
2. How We Use Your Information
- To authenticate your identity and manage your session
- To provide personalized portfolio analysis when you opt in
- To process subscription payments via Stripe
- To detect and prevent abuse (rate limiting, security monitoring)
- To improve the Service
3. Data Retention
- Sessions: Session data is retained for up to 30 days of inactivity, then automatically cleaned up.
- Authentication tokens: Magic link tokens expire after 20 minutes and are cleaned up daily.
- IP addresses: Stored in session and verification records; cleaned up with the associated records.
- Portfolio data: Retained as long as your account exists.
- Run history: Analysis run data is retained indefinitely for historical reference.
4. Data Sharing
We do not sell your personal information. We share data only with:
- Stripe: For payment processing
- Amazon SES: For sending verification emails
5. Your Rights
You have the right to:
- Access: View your account data on the Account page
- Delete: Delete your account and all associated data at any time via Account settings
- Portability: Export your portfolio and analysis data
- Correct: Update your holdings and preferences at any time
6. Security
We use industry-standard security measures, including HTTPS encryption, hashed session tokens, CSRF protection, and rate limiting. Session cookies are set with HttpOnly and Secure flags.
7. Cookies
We use two essential cookies:
- es_session: HttpOnly session cookie for authentication (expires after 30 days)
- es_csrf: CSRF protection token (expires with session)
We do not use tracking cookies or third-party analytics.
8. Changes to This Policy
We may update this Privacy Policy from time to time. Continued use of the Service after changes constitutes acceptance.
9. Contact
For privacy-related questions, contact us at the email address associated with your Early Signal account.