Privacy Policy

1. Introduction

MoneyAlert (moneyalert.app) respects your privacy. This Privacy Policy explains what personal data we collect, how we use it, who we share it with, and your rights regarding your personal information. By using our Service, you consent to the practices described in this policy.

2. Data We Collect

We collect information you provide directly and information collected automatically:

• Account information: email address, display name, hashed password (or Google OAuth token)
• Telegram data: chat ID, username (when you connect Telegram for notifications)
• Telegram client session: phone number, encrypted session data (when you connect for channel monitoring)
• Phone number (when you add SMS, phone call, or WhatsApp notification channels)
• Alert configurations: exchange, symbol, price targets, notification preferences
• Usage data: alert trigger history, login timestamps, feature usage
• Payment information: processed entirely by our payment provider (Paddle); we do not store or have access to your credit card details
• Automatically collected: IP address, browser type, device information, and general location data (country/region level) from server logs

3. Legal Bases for Processing

We process your personal data based on the following legal grounds:

• Consent: When you create an account, connect notification channels, or opt in to communications
• Contract performance: To provide the Service you signed up for, including delivering alerts and managing your subscription
• Legitimate interests: To improve our Service, prevent fraud, and ensure security
• Legal obligations: To comply with applicable laws and regulations

4. How We Use Your Data

• To deliver price alerts and notifications through your chosen channels
• To manage your account and subscription
• To monitor Telegram channels for keywords on your behalf
• To analyze usage patterns and improve the Service
• To detect and prevent fraud, abuse, and security incidents
• To provide customer support
• To comply with legal obligations

5. Third-Party Services

We share your data with the following third-party service providers who process data on our behalf:

• Supabase (US): database hosting and authentication
• Telegram Bot API & Client API: notification delivery and channel monitoring
• Twilio (US): SMS, phone call, and WhatsApp notifications
• Railway (US): application hosting
• Cloudflare (Global): DNS, CDN, and security
• Paddle (UK): payment and subscription processing
• Google OAuth: third-party login authentication

6. International Data Transfers

Your data may be transferred to and processed in countries other than your own, including the United States, where our hosting providers (Supabase, Railway, Twilio) are located. By using the Service, you consent to such transfers. We ensure that appropriate safeguards are in place to protect your data in accordance with this Privacy Policy.

7. Data Retention

We retain your data for as long as your account is active or as needed to provide the Service. Alert trigger history is retained for 90 days. When you delete your account, all associated personal data is permanently removed within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (e.g., resolving disputes, enforcing agreements).

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

• Access: View and obtain a copy of your personal data
• Correction: Update inaccurate or incomplete personal data
• Deletion: Request deletion of your personal data
• Portability: Request a machine-readable copy of your data
• Restriction: Request that we limit processing of your data
• Objection: Object to processing based on legitimate interests
• Withdraw consent: Revoke previously given consent at any time

9. Cookies & Tracking

We use essential cookies for authentication and session management only. We do NOT use: tracking cookies, third-party advertising cookies, analytics cookies (e.g., Google Analytics), or social media pixels. Because we only use strictly necessary cookies, no cookie consent banner is required. We do not currently respond to Do-Not-Track (DNT) browser signals, as there is no uniform technical standard for recognizing such signals.

10. Social Logins

You may register or log in using your Google account. When you do so, we receive your email address and profile name from Google. We do not receive or store your Google password. Google's use of your information is governed by Google's own privacy policy.

11. Security

We implement industry-standard security measures including: encrypted connections (TLS/HTTPS), Row Level Security (RLS) on our database, secure password hashing, rate limiting on sensitive endpoints, and security headers (HSTS, CSP). Telegram session data is stored in encrypted form. However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and are not responsible for unauthorized access resulting from factors beyond our reasonable control.

12. Data Breach Notification

In the event of a data breach that affects your personal data, we will notify affected users via email within 72 hours of becoming aware of the breach, where feasible. We will also notify relevant supervisory authorities as required by applicable law.

13. Children

The Service is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will take steps to delete that information promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification. The "Last updated" date at the top indicates the most recent revision. Continued use after changes constitutes acceptance.

15. Contact

For privacy-related inquiries, data access requests, or complaints, please contact us at support@moneyalert.app.