Privacy Policy

Last updated: May 18, 2026

1. Who we are

RegimeFlow ("we", "us", "our") operates the website at regimeflow.com, which provides AI-driven technical analysis tools and risk-management indicators for crypto and financial markets. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform.

For privacy-related questions, contact: privacy@regimeflow.com.

2. Data we collect

Account data

  • Email address (required for authentication)
  • Display name and profile picture (if you sign in via Google)
  • Authentication identifiers (Google sub, Supabase user UUID)

Disclaimer acceptance

  • Timestamp, IP address, user-agent string, disclaimer version accepted
  • Stored for legal defensibility (chargeback disputes, regulatory audit)

Technical data

  • IP address (used for rate-limiting and abuse prevention)
  • Browser type, device type, OS
  • Pages visited, session duration (aggregated, cookieless via Vercel Analytics)

What we do NOT collect

  • We do not have access to your exchange accounts, wallets, or private keys
  • We do not collect payment card data directly — Stripe handles all billing
  • We do not sell, rent, or share your personal data with advertisers

3. Legal basis for processing (GDPR)

  • Contract: providing the platform you signed up for
  • Legitimate interest: security, fraud prevention, service improvement
  • Consent: optional analytics and marketing cookies (where applicable)
  • Legal obligation: tax records, anti-money-laundering compliance

4. Sub-processors (third-party data processors)

We are required by GDPR Art. 28 to disclose every company with whom we share your personal data. The current list is:

Sub-processor | Purpose | Location
Stripe Inc. | Payment processing, billing, invoices | US, EU
Supabase Inc. | Authentication, database (PostgreSQL), file storage | EU (Frankfurt)
Upstash Inc. | Rate-limiting (hashed IPs, 60-second TTL) | EU, US
Vercel Inc. | Hosting, edge network, cookieless analytics | Global
Hugging Face Inc. | AI model inference (price data only, no PII) | US, EU
Google LLC | Sign in with Google (authentication only) | US
Cookie-Script Ltd. | Cookie consent management (GDPR/CCPA) | EU (Lithuania)

All sub-processors are bound by Data Processing Agreements (DPA). Transfers outside the EEA are protected by Standard Contractual Clauses (SCCs). We do not currently use OpenAI or any other third-party LLM provider; AI inference runs on our own Hugging Face Space with the model weights under our control.

We will update this list before adding any new sub-processor. Registered users are notified by email at least 14 days before changes affecting personal data take effect.

5. Data retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion request.
  • Disclaimer acceptance log: retained for 6 years after account closure (statute of limitations for financial disputes).
  • IP addresses in rate-limit cache: maximum 60 seconds.
  • Aggregated analytics: indefinitely, but contains no personal identifiers.

6. Your rights

Under GDPR (EU/UK) and CCPA (California), you have the following rights:

Right to be forgotten (erasure)

You can delete your account at any time directly from the platform: User menu (top-left) → Delete account → type "DELETE" to confirm. This permanently removes from Supabase:

  • Your auth.users entry (email, OAuth identifiers)
  • Your disclaimer acceptance history
  • Your subscription record (the Stripe customer is canceled separately on request)

A minimal anonymized audit record (SHA-256 hash of your user ID + timestamp) is kept for 6 years for legal compliance with financial-services audit requirements.

Right of access

You can request a full export of your data in JSON format by emailing privacy@regimeflow.com from your registered email address. We respond within 30 days at no cost.

Other rights

  • Rectify inaccurate data
  • Object to processing based on legitimate interest
  • Port your data in a machine-readable format (JSON)
  • Opt out of any data sale (we do not sell, but the right exists by law — see the "Do Not Sell My Info" link in the footer)
  • Restrict processing in specific circumstances (GDPR Art. 18)
  • Lodge a complaint with your local data protection authority (for Romanian residents: ANSPDCP, anspdcp.ro)

For all other requests, email privacy@regimeflow.com. We respond within 30 days, free of charge.

7. International transfers

Data may be processed in the United States and the European Union. Transfers outside the EEA are protected by Standard Contractual Clauses (SCCs) signed with each sub-processor.

8. Security

  • All data in transit is encrypted (HTTPS/TLS 1.3)
  • Database access protected by Row-Level Security (RLS) policies
  • Service-role keys never exposed to client-side code
  • Rate-limiting on all API endpoints to prevent abuse

9. Children

RegimeFlow is intended for users aged 18 or older. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us for immediate deletion.

10. Changes

We will update this policy as needed. Material changes will be communicated via email to registered users. The "Last updated" date at the top reflects the current version.