Legal

Privacy Policy

Last updated: April 2026

1. Information We Collect

We collect the following categories of information when you use Invariant Markets:

  • Account information — name (optional), email address, and a salted password hash. We never store passwords in plain text.
  • Payment information — processed by our payment processor. Card numbers never reach our servers; we hold only the references and status needed to operate your subscription.
  • Subscription data — your current plan status and billing period.
  • Anti-abuse signal — the IP address used at signup, retained alongside the account to prevent abuse of the free preview.
  • Audit log — a record of sensitive actions on your account, retained to support security review and customer support.
  • Product configuration — the alert preferences you have enabled.
  • Support messages — when you contact us through the support form, we store your name, email, message, and triage status.
  • Session data — short-lived authentication tokens needed to keep you logged in.

2. How We Use Your Information

  • To provide and maintain your account and subscription, including billing reconciliation with Stripe
  • To send transactional emails: account verification, welcome, password reset, trial-ending reminder, condition alerts you've subscribed to, support replies
  • To prevent abuse: one free trial per person/email/network; rate limits on signup, login, password reset, and contact-form submissions
  • To authenticate you and protect your session
  • To investigate and respond to security incidents and customer-support requests
  • To meet legal obligations (tax records, dispute resolution, regulatory requests)

3. What We Do Not Do

  • We do not sell your personal data to any third party
  • We do not share your information with advertisers
  • We do not run advertising or third-party tracking cookies
  • We do not store credit-card details — Stripe is the system of record for payment data
  • We do not track your activity on other websites
  • We do not use your data to train machine-learning models

4. Third-Party Service Providers

We use a small set of vetted service providers for payment processing, hosting, transactional email, and security. Each is bound by data-processing terms at least as restrictive as our own privacy commitments. The current list is available on request from [email protected].

5. Data Retention

We retain customer data only for as long as necessary to operate the service, satisfy legal and accounting obligations, or fulfill a specific request. Account records are deleted on request. Categories required by law or for dispute resolution (e.g., billing history) are retained for the shortest period the applicable obligation requires. A specific retention schedule is available on request from [email protected].

6. Security

Passwords are stored using industry-standard salted hashing. All connections use HTTPS. We take reasonable technical and organizational measures to protect your data, but no system is completely secure.

7. Your Rights

You have the right to:

  • Access — download a JSON copy of every record tied to your account from Account → Your Data
  • Rectification — update name and email from your account page; reply to any of our emails for other corrections
  • Erasure — delete your account from Account → Delete account. Active subscriptions are canceled at Stripe; account data is removed from our database immediately. Audit-log entries referencing the deleted user remain for the audit retention window with personally identifying fields blanked
  • Object — opt out of any non-essential email by replying with "unsubscribe." Transactional emails (password reset, billing notices, security alerts) cannot be unsubscribed while your account is active
  • Cancel — cancel your subscription anytime from Account → Manage Billing

For requests not exposed in-product, contact [email protected]. We respond within 30 days; complex requests may take up to 60 days, in which case we'll tell you why.

8. Cookies

We use only the cookies strictly necessary to operate the service: a session cookie that keeps you signed in, and a CSRF token that protects sign-in from forgery. We do not set advertising cookies and do not track you across other websites. Disabling cookies in your browser will prevent you from staying signed in.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a notice on the platform. Continued use of the Service after changes constitutes acceptance.

10. Data Processing Agreement

A Data Processing Agreement (DPA) is available on request for customers subject to GDPR, UK GDPR, or CCPA. Email [email protected] with your company name and we will send a counter-signable PDF.

11. Contact

For privacy questions or data requests, contact us at [email protected].