Privacy policy
Last updated: 2026-05-24. Plain English. No dark patterns.
Who we are
Data controller: clairsites (Amir Zebib), Belgium. Contact: support@cloudtrades.net.
If you're in the EU, the GDPR applies to your data. We treat you as if you were.
What we collect
- Email + password hash. Required to log in. Password is hashed with Argon2 (we cannot recover it).
- Session cookies. HttpOnly, Secure, SameSite=Lax. Random 32-byte tokens, no personal data inside.
- Hashed IP. We hash your IP (SHA-256 truncated to 32 chars) for abuse rate-limiting. We never store raw IPs.
- User-agent string. Truncated to 200 chars, stored against session for security review.
- Watchlist + alerts. The ticker symbols you watch, the alert criteria you set. Owned by you, deletable any time.
- Audit log. Action records (login, page view) with timestamps. Used for security investigation.
We do NOT collect: payment info (no paid tier yet), names, addresses, phone numbers, browsing behavior on other sites, fingerprinting beyond standard request headers.
How long we keep it
- Account data: until you delete your account. Email-delete request to support@cloudtrades.net.
- Sessions: 30 days, then auto-expired.
- Audit log: 90 days, then auto-deleted.
- Market data (chains, GEX, flow): indefinite. This is public market data, not personal.
Third parties (processors)
| Service | What for | What they see |
|---|---|---|
| Hetzner Online GmbH (Germany) | Server hosting (dedi) | All requests at network level. EU-resident. |
| Cloudflare, Inc. (US) | DNS, CDN, DDoS shield | Requests metadata. Cloudflare adheres to EU SCC. |
| Yahoo Finance (US) | Options chain data source | Our scraper IP. They don't see you. |
| Resend (US/EU) | Email alerts (only if you create alerts) | Your email address + alert content. |
No analytics SDKs. No Google Analytics. No Facebook Pixel. No advertising trackers. No third-party JavaScript except for embedded fonts (Google Fonts can be self-hosted on request).
Your rights (GDPR)
- Access: request a full export of your data via email.
- Rectification: change your email or password from /dashboard.
- Erasure ("right to be forgotten"): delete your account, we wipe within 30 days.
- Portability: we export your watchlist + alerts as JSON on request.
- Object: opt out of any specific processing.
- Complaint: your national DPA. For Belgium: APD. For France: CNIL.
Cookies
We use ONE cookie: gex_session. It's a random token that lets you stay logged in. No tracking cookies. No third-party cookies. We don't need a cookie banner because we don't use cookies that require consent.
Changes to this policy
If we change something material, we'll email you and give 30 days notice. Your continued use after that constitutes acceptance. If you don't accept, delete your account and we'll wipe the data.