Legal

Privacy Policy

Last updated: May 27, 2026 · Effective: May 27, 2026

1. Introduction

This Privacy Policy explains how MysticMarkets (“MysticMarkets,” “we,” “us,” or “our”) collects, uses, shares, and protects information when you visit or use the MysticMarkets website at https://mysticmarkets.appand any related services (collectively, the “Service”).

By using the Service, you agree to the practices described here. If you do not agree, do not use the Service. This Privacy Policy is incorporated by reference into our Terms of Service.

We are committed to collecting only the information we need to run the Service, to being transparent about what we collect, and to giving you straightforward ways to access, correct, or delete your information.

2. Information We Collect

2.1 Information you provide. When you create an account or use the Service we collect:

  • Account information — your email address and password (passwords are never stored in plaintext; they are hashed by our authentication provider).
  • Profile information from third-party sign-in— if you sign in with Google, we receive your name, email address, profile picture (if any), and a unique Google user identifier, as authorized by the standard “profile” and “email” OAuth scopes. We do not request additional Google scopes.
  • Communications — if you email us, we receive your email address and the contents of your message.
  • User Content — feedback, comments, or suggestions you choose to submit.

2.2 Information collected automatically. When you use the Service we may automatically collect:

  • Log data — IP address, browser type and version, operating system, device identifiers, referring or exit pages, and the date/time of your requests.
  • Usage data — pages viewed, features used, queries entered, tickers searched, time spent on the Service, and other interaction events.
  • Cookies and similar technologies — see Section 5 below.

2.3 What we do NOT collect.We do not collect or process: government-issued ID numbers (SSN, passport, etc.), bank-account numbers, credit-card numbers, brokerage-account numbers, your portfolio holdings, your actual trades, your net worth, your political affiliation, your race or ethnicity, biometric identifiers, precise geolocation, or any other category of “sensitive personal information” under CCPA/CPRA — unless you voluntarily place it in a User Content submission (please don’t).

3. How We Use Information

We use the information we collect to:

  • Provide, maintain, and improve the Service;
  • Create and manage your account, authenticate you, and deliver requested features;
  • Send transactional emails — account confirmation, password reset, security notifications, and other service-related messages;
  • Respond to your questions, feedback, and support requests;
  • Detect, prevent, investigate, and address security incidents, fraud, abuse, and violations of our Terms;
  • Analyze usage patterns to understand how features perform and to improve them;
  • Comply with legal obligations, enforce our Terms, and protect our rights, property, and safety, and that of our users and the public.

4. Legal Bases for Processing (GDPR / UK GDPR)

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6 of the GDPR / UK GDPR:

  • Contract(Art. 6(1)(b)) — to provide the Service you have requested.
  • Legitimate interests(Art. 6(1)(f)) — to operate, secure, and improve the Service; to prevent fraud and abuse; to communicate with you about the Service.
  • Legal obligation(Art. 6(1)(c)) — to comply with applicable laws and legal process.
  • Consent(Art. 6(1)(a)) — where we rely on consent (e.g., for non-essential cookies or marketing emails), you can withdraw it at any time.

5. Cookies and Tracking Technologies

We use:

  • Strictly necessary cookies— required to operate the Service, including session and authentication cookies issued by our auth provider. Without these, the Service cannot function.
  • Analytics— we use Vercel Analytics, which is privacy-preserving by design: it does not use cookies, does not collect IP addresses in identifiable form, and does not build cross-site tracking profiles.

We do not use third-party advertising cookies, retargeting pixels, or social-media tracking pixels.

You can control cookies through your browser settings. Disabling strictly necessary cookies will break authentication and you will not be able to sign in.

6. How We Share Information

We do not sell your personal information, and we do not share it for cross-context behavioral advertising. We share information only with:

  • Service providers (processors) who help us operate the Service:
    • Supabase— authentication, database, and object storage (Supabase Privacy).
    • Vercel— web hosting and privacy-preserving analytics (Vercel Privacy).
    • Resend— transactional email delivery (Resend Privacy).
    • Google— OAuth sign-in (only if you choose to use Sign in with Google). We receive your profile information from Google in accordance with the Google scopes you approve.
    • DeepSeek— LLM-powered summarization and analysis features (we send public filing text and tickers; we do not send your account email, name, or personal identifiers).
  • Legal and safety— if required by law, subpoena, court order, or other legal process, or where we believe disclosure is necessary to protect our rights, prevent fraud, address security or technical issues, or protect the safety of any person.
  • Business transfers— in connection with a merger, acquisition, financing, reorganization, or sale of assets, in which case we will require the recipient to honor this Privacy Policy or notify you and provide a meaningful choice before your information is used in a materially different way.
  • With your consent— for any other purpose, but only with your explicit consent.

All service providers act as our “processors” under GDPR / “service providers” under CCPA and are contractually bound to use information only for our instructions.

7. Data Retention

We retain personal information only as long as necessary for the purposes set out in this Policy:

  • Account information— for as long as your account is active. If you delete your account, we delete the associated account record within 30 days, except where we are required to retain it longer to comply with legal obligations or to resolve disputes.
  • Log and usage data— up to 90 days in identifiable form, then aggregated or deleted.
  • Email communications— up to 24 months from the last interaction.
  • Backups— routine backups may retain copies for up to 60 days beyond deletion of the live record.

8. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit (HTTPS / TLS 1.2+) and at rest;
  • Hashed password storage (never plaintext);
  • Row-Level Security policies on all user-scoped database tables;
  • Restricted access — only operators with a need to know access production data;
  • Routine dependency auditing and security advisories review.

No system is perfectly secure. While we take reasonable precautions, we cannot guarantee absolute security and you use the Service at your own risk.

9. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal information:

  • Right to access— request a copy of the personal information we hold about you.
  • Right to correct— ask us to fix inaccurate or incomplete information.
  • Right to delete— ask us to delete your personal information, subject to limited exceptions.
  • Right to data portability— receive your information in a structured, commonly used, machine-readable format.
  • Right to opt out of sale or sharing — we do not sell or share for cross-context behavioral advertising, so there is nothing to opt out of, but you have the right regardless.
  • Right to limit use of sensitive personal information— we do not process sensitive personal information beyond what is strictly necessary to operate the Service.
  • Right to non-discrimination— we will not discriminate against you for exercising any of these rights.
  • Right to object(GDPR) — to certain types of processing.
  • Right to withdraw consent(GDPR) — where processing is based on consent.
  • Right to lodge a complaint— with your local data-protection authority.

To exercise any of these rights, email support@mysticmarkets.app from the email address associated with your account, or describe enough information that we can reasonably verify your identity. We will respond within 45 days (extendable to 90 days where allowed) or the period required by applicable law, whichever is shorter.

10. “Do Not Sell or Share My Personal Information”

MysticMarkets does not sell your personal information and does not share it for cross-context behavioral advertising. We do not engage in any activity that would qualify as a “sale” or “share” of personal information under California, Virginia, Colorado, Connecticut, or Utah privacy laws.

If this ever changes, we will update this Privacy Policy and provide a clear and conspicuous opt-out mechanism as required by law.

11. Children's Privacy

The Service is not directed to children under the age of 13, and we do not knowingly collect personal information from children under 13. If you believe we have collected information from a child under 13, contact us at support@mysticmarkets.app and we will delete it.

For users in jurisdictions where the digital-consent age is higher than 13 (e.g., 16 in parts of the EU), we do not knowingly collect from anyone below that age.

12. International Data Transfers

We are based in the United States, and the service providers we use process data in the United States and other countries. If you access the Service from outside the United States, your information will be transferred to and processed in the United States.

For transfers from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely on appropriate safeguards including Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures where applicable.

13. Third-Party Links and Services

The Service contains links to third-party websites — including SEC EDGAR, the U.S. House Clerk, the U.S. Senate Office of Public Records, and other public-data sources. We are not responsible for the privacy practices of those sites and we encourage you to review their privacy policies.

14. Automated Decision-Making

The Service displays automated rankings, summaries, and analytical outputs derived from public filings. These outputs are informational and do not produce legal or similarly significant effects on you within the meaning of GDPR Article 22. No automated process makes a decision about you personally that affects your legal rights or opportunities.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we’ll update the “Last updated” date above and, where appropriate, provide additional notice (such as an email or in-app notification). We will review and update this Policy at least once every twelve (12) months as required by CCPA / CPRA.

16. State-Specific Disclosures

California (CCPA / CPRA). In the preceding 12 months we have collected the following categories of personal information from California consumers:

  • Identifiers(email address, IP address, online identifiers) — collected directly from you and automatically; used to operate the Service.
  • Internet/network activity(browsing activity within the Service, log data) — collected automatically; used to operate, secure, and improve the Service.
  • Inferences(none beyond aggregated usage patterns that don’t identify you).

California residents have the rights described in Section 9 above. Additionally, California “Shine the Light” law (Civil Code §1798.83) permits California residents to request information regarding disclosure of personal information to third parties for direct-marketing purposes; we do not disclose information for such purposes.

Virginia, Colorado, Connecticut, Utah. Residents of these states have rights similar to those described in Section 9 and may exercise them by emailing the contact below.

Nevada. Nevada residents may opt out of the sale of personal information by emailing the contact below, though as noted we do not engage in such sales.

17. Contact Us

For privacy questions or to exercise any of your rights, contact:

MysticMarkets
Email: support@mysticmarkets.app
Subject line: “Privacy Request” (so we can prioritize your message)