Privacy Policy

Effective date: March 27, 2026 · Last updated: March 27, 2026

This Privacy Policy explains how ChartMatch collects, uses, stores, and protects your personal information when you use our Service. We are committed to handling your data responsibly and transparently.

1. Information We Collect

1.1 Information You Provide Directly

Data	When collected	Purpose
Email address	Account registration	Authentication, account recovery, service communications
Name	Account registration (optional)	Personalization (dashboard greeting)
Password	Email registration	Authentication — stored as a salted, cryptographic hash (PBKDF2-HMAC-SHA256 with 260,000 iterations), never in plaintext

1.2 Information from Third-Party Authentication

If you sign up or log in using Google, we receive the following from Google:

Email address (verified by Google)
Display name
Google account identifier (a unique ID used to link your Google account)

We do not receive or store your Google password, contacts, calendar data, or any other Google account information beyond the items listed above.

1.3 Information Generated by Your Use of the Service

Data	Details	Purpose
API usage counts	Number of API calls per key per calendar month	Rate limiting and plan enforcement
API keys	Keys you create (prefixed `cm_`), key names, creation dates	API authentication
Subscription tier	Your current plan (Free, Pro, or Builder)	Feature access and billing
Account timestamps	Account creation date and last login date	Account management

1.4 Information We Do NOT Collect

We want to be explicit about what we do not collect:

IP addresses — we do not log or store your IP address
Browser fingerprints or User-Agent strings — not collected
Cookies — we do not use cookies of any kind (no tracking cookies, no analytics cookies, no session cookies)
API query content — the symbols you search, parameters you use, and results you receive are not logged or stored by us
Location data — not collected
Device information — not collected
Third-party analytics or tracking — we do not use Google Analytics, Facebook Pixel, or any other tracking tools

1.5 Browser Local Storage

We use your browser's localStorage (not cookies) to store a single authentication token (cm_token). This token:

Is stored only in your browser, not sent to third parties
Is used to keep you logged in across page loads
Expires after 72 hours and must be renewed by logging in again
Is deleted when you log out
Can be manually removed by clearing your browser's site data

2. How We Use Your Information

We use the information we collect for the following purposes:

Provide and operate the Service — authenticating your identity, processing API requests, enforcing rate limits
Process payments — managing subscriptions and billing through Paddle (our Merchant of Record)
Communicate with you — sending email verification links, and essential service notifications (e.g., plan changes, security alerts)
Enforce our Terms — detecting abuse, preventing unauthorized access
Improve the Service — understanding aggregate usage patterns (e.g., total API calls across all users) to inform capacity planning

We do not use your information for advertising, marketing profiling, or selling to third parties.

3. Third-Party Services and Data Sharing

We share your personal information only with the following third-party services, and only to the extent necessary to operate the Service:

3.1 Paddle (Payment Processing — Merchant of Record)

Data shared: Email address, subscription tier, Paddle customer ID
Purpose: Processing subscription payments, invoicing, tax compliance, and billing management
Their policy: Paddle Privacy Policy

Paddle acts as our Merchant of Record and is the entity that processes your payment. Payment card details (card number, CVV, expiration date) are entered directly on Paddle's hosted checkout page. We never see, receive, or store your payment card information. Paddle handles all sales tax and VAT compliance. Paddle will appear as the charge merchant on your bank/card statement.

3.2 Google (Authentication)

Data shared: Only the authentication token exchanged during the OAuth flow
Data received: Email, name, Google account ID
Purpose: Optional login/signup method
Their policy: Google Privacy Policy

3.3 SMTP Email Provider

Data shared: Your email address and name (for sending verification emails)
Purpose: Delivering email verification messages

3.4 AI Analysis Providers (Optional Feature)

When you use the AI analysis feature, pattern match data (not your personal information) may be sent to one of the following AI providers for generating analysis:

Google Vertex AI / Gemini
DeepSeek
Anthropic (Claude)

The data sent to AI providers consists of pattern match results (symbols, similarity scores, outcomes) and does not include your name, email, account information, or any personally identifiable information.

3.5 Market Data Sources

ChartMatch retrieves publicly available market data from Binance and Yahoo Finance to power its pattern-matching engine. No user data is shared with these providers. These are one-way data feeds — we retrieve market data from them; we do not send them any user information.

3.6 We Do Not Sell Your Data

We do not sell, rent, trade, or otherwise transfer your personal information to third parties for marketing, advertising, or any commercial purpose unrelated to operating the Service.

4. Data Storage and Security

4.1 Storage

Your account data is stored in a SQLite database on our servers. Market data (publicly available candlestick data) is stored separately.

4.2 Security Measures

We implement the following security measures to protect your data:

Password hashing: Passwords are hashed using PBKDF2-HMAC-SHA256 with 260,000 iterations and a unique random salt per user. Plaintext passwords are never stored or logged.
Token-based authentication: JWT tokens are signed with a server-side secret and expire after 72 hours.
API key generation: API keys are generated using cryptographically secure random number generators.
Payment security: All payment processing is handled by Paddle (our Merchant of Record), which is PCI DSS compliant. We never handle payment card data.

4.3 Limitations

While we take reasonable measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and API keys.

5. Data Retention

Data type	Retention period
Account information (email, name)	Until you request deletion or account termination
Password hash	Until you change your password or request account deletion
API keys	Until you delete them or account termination
API usage counts	Retained for billing and rate-limiting purposes
Paddle customer/subscription IDs	Until account deletion (may be retained by Paddle independently per their policy)
Authentication tokens	Automatically expire after 72 hours

6. Your Rights

Depending on your jurisdiction, you may have some or all of the following rights regarding your personal data:

6.1 Right of Access

You have the right to request a copy of the personal data we hold about you. Your account information is visible on your dashboard at any time.

6.2 Right to Rectification

You have the right to request correction of any inaccurate personal data we hold about you.

6.3 Right to Deletion (Right to be Forgotten)

You have the right to request deletion of your personal data. Upon receiving a valid deletion request, we will:

Delete your account and all associated personal data (email, name, password hash, Google ID)
Revoke and delete all API keys
Delete API usage records linked to your account
Remove Paddle associations from our records (note: Paddle may retain records independently per their data retention policy)

To request account deletion, contact us at the email provided in Section 12.

6.4 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used, and machine-readable format. Contact us to request a data export.

6.5 Right to Object

You have the right to object to certain types of processing. Since we only process your data for the purposes described in this policy (operating the Service), objecting to processing may require you to close your account.

6.6 Right to Withdraw Consent

Where processing is based on consent, you have the right to withdraw consent at any time. This does not affect the lawfulness of processing based on consent before its withdrawal.

7. European Economic Area (EEA) and UK Users — GDPR

If you are located in the EEA or UK, the following additional provisions apply:

Legal basis for processing: We process your data based on (a) contract performance (providing the Service you signed up for), (b) legitimate interests (security, fraud prevention, service improvement), and (c) consent (where applicable, such as optional Google authentication).
International data transfers: Your data may be processed on servers located outside the EEA/UK. Where this occurs, we rely on appropriate safeguards as required by applicable law.
Supervisory authority: You have the right to lodge a complaint with your local data protection supervisory authority.

8. California Users — CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights:

Right to know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
Right to delete: You may request deletion of personal information we have collected (see Section 6.3).
Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
No sale of personal information: We do not sell personal information as defined by the CCPA. We have not sold personal information in the preceding 12 months.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe we have collected information from a child under 18, please contact us immediately.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

Posting the updated policy on this page with a new "Last updated" date
Sending an email notification to the address associated with your account (for material changes)

Your continued use of the Service after changes are posted constitutes your acceptance of the revised Privacy Policy. We encourage you to review this page periodically.

11. Legal Basis for Processing (Summary)

Processing activity	Legal basis
Account creation and authentication	Contract performance
Subscription billing	Contract performance
Email verification	Contract performance
API rate limiting and usage tracking	Contract performance / Legitimate interest
Security and fraud prevention	Legitimate interest
Google OAuth authentication	Consent
Service improvement (aggregate metrics)	Legitimate interest

12. Contact Us

If you have questions about this Privacy Policy, wish to exercise your data rights, or have concerns about how your data is handled, please contact us at:

Email: privacy@chartmatch.com

We will respond to all legitimate requests within 30 days. We may ask you to verify your identity before processing your request.