Privacy Policy

Last updated: June 16, 2026

⚠ This policy is accurate to the system as of the date above but has not yet been reviewed by qualified counsel. A pre-launch legal review is in progress — material changes will be reflected here with an updated date.

Summary in one paragraph

We collect the minimum personal data needed to run the product: your email and password for the account; your name, watchlist, alerts and subscription state for the features that need them; plus contextual identifiers when you opt in to extras like Telegram or SMS alerts. We do not store IP addresses or browser fingerprints to the database, do not run third-party tracking pixels, do not sell or share data with advertisers, and do not see your payment-card details (Stripe handles them).

What we collect at signup

  • Email address — required. Used for authentication, transactional email (welcome, trial reminders, alerts you've opted into), and account recovery.
  • Password — required, minimum 8 characters. We never store the raw password; only a one-way bcrypt hash that cannot be reversed back to your password.
  • Name — optional. Used only to personalise the welcome email and the dashboard greeting.
  • Referral code — optional. If you signed up via someone else's referral link, we record which user referred you so we can credit them the referral bonus.
  • Cloudflare Turnstile token — bot-challenge response. Verified server-side and immediately discarded after the check.
  • Device fingerprint & IP address — used only to rate-limit signups against trial-farming bots. Held in volatile worker memory, never written to the database, and evicted on every backend restart.

What we store while you use the product

  • Your tier (Free / Pro / Premium / Lifetime) and trial-end date.
  • Your watchlist tickers, alert rules, and any settings you configure.
  • Your Stripe customer ID — linked on first checkout. We never receive or store card numbers; Stripe handles all payment data directly.
  • Your referral code (your own shareable code) and the count of unused referral credits you've earned.
  • Your Telegram chat ID — only if you opt in to Telegram alerts.
  • Your phone number in E.164 format — only if you opt in to Premium SMS alerts.
  • Your Discord webhook URL — only if you opt in to Discord delivery on Pro+.
  • An internal drip-email state token list — a comma-separated string like "3,7,end" that records which lifecycle emails we've already sent so we don't double-send.
  • Account created_at and updated_at timestamps for audit.

What we explicitly do not collect or store

  • Payment card numbers — Stripe handles these directly. We only see a stripe_customer_id.
  • Bank account details, SSN, passport, or other government IDs.
  • Your brokerage credentials or actual portfolio holdings. Tapeline scans the public market — it does not connect to your broker.
  • IP addresses in the database. We use them transiently in memory for rate limiting, but we don't persist them.
  • Browser fingerprints in the database. Same as IPs — used for in-memory anti-abuse checks, never written down.
  • Location or geolocation data.
  • Cookies for third-party trackers or advertising networks. We set exactly one cookie — a same-site session token. No ad cookies, no analytics cookies.
  • Behavioural analytics beyond Vercel's privacy-respecting Web Analytics (cookieless, IP-anonymised, no per-user dossier).
  • Any data for the purpose of selling or sharing with advertisers. We don't sell data. We don't share data with ad networks. We never will.

Sub-processors

These are the third parties whose systems may touch your data when you use Tapeline. Each one is listed with what they see.

  • Stripe — payment processing (PCI DSS Level 1). Sees your email and any billing data you provide directly to Stripe.
  • Resend — transactional email delivery. Sees your email, your name (if set), and the message content of emails we send you.
  • Cloudflare — DNS, Turnstile bot challenges, and Email Routing for inbound mail to @tapeline.io. Sees email metadata and the bot-challenge interaction.
  • Vercel — frontend hosting and privacy-friendly Web Analytics (no cookies, no per-user identifiers, anonymised IPs).
  • Fly.io — backend hosting in Sydney. Sees the full database state since they host the database.
  • Sentry — error tracking. May capture stack traces with limited non-PII context when something breaks.
  • Telegram — only if you connect your Telegram for alerts. Sees the chat ID you provided and the alert content.
  • Twilio — only if you enable SMS alerts on Premium. Sees your phone number and the alert content.
  • Third-party market-data feeds — power the scanner with prices, fundamentals, macro indicators, SEC filings, and news. No user data is sent to any of them. They power the scanner; they never see you.

Cookies

Tapeline sets exactly one cookie: an HTTP-only, secure, same-site session JWT with a 30-day expiry. That's it. There are no analytics cookies, advertising cookies, or third-party trackers.

Data retention

Active accounts: data retained as long as the account is open. Cancelled or deleted accounts: 30 days, then permanent deletion from primary stores; backup snapshots roll off within 90 days. Stripe-side data follows Stripe's own retention policy (typically 7 years for tax purposes).

Your rights

You can request, at any time:

  • A full export of every field we hold on you (CSV or JSON).
  • Correction of any inaccurate field.
  • Permanent deletion of your account and all linked data.
  • A list of which sub-processors received what data.

Email privacy@tapeline.io with your account email in the subject line. We respond within 7 days and fulfil the request within 30 days.

GDPR (EU) and CCPA (California)

Residents of the EU, UK, and California have additional rights under local law — access, correction, deletion, data portability, and the right to opt out of any data sale. We do not sell data, so the "opt-out of sale" right is moot but still respected. To exercise any of these rights, email the privacy address above; we'll confirm your identity via the same email used for the account and respond within the statutory deadline.

Tapeline is operated from Australia. We transfer your data to processors in the United States, the European Union, and Singapore as listed in the Sub-processors section above. We rely on Standard Contractual Clauses where required.

Children

Tapeline is not directed at users under 18 and we do not knowingly collect data from minors. If we learn we have, we delete it.

Changes to this policy

We log every change with a date stamp at the top of this page. Material changes (new sub-processors, new categories of data collected, changes to how long we keep things) get a heads-up email to all account holders 14 days before the change takes effect.

Contact

privacy@tapeline.io