1. Data controller
The data controller for personal data is VLD SERVICES F.Z.E., a company under UAE law (license no. 38251, Ajman Free Zone), publisher of chartstrackr.com. Full details in the Legal Notice.
Contact for any GDPR question: contact@chartstrackr.com
2. Data collected
We collect and process the following categories of data:
- Identification data (provided by Whop during OAuth authentication): Whop ID, username, email, avatar.
- Subscription data (managed by Whop): plan status (Pro monthly or Elite lifetime), purchase date, expiration date. We do not store any banking data — this is managed exclusively by Whop.
- Service usage data: recorded trades, backtesting strategies, course progress, pre-trade checklist, panic room sessions.
- Technical data: session cookie (signed JWT), anonymized server logs.
3. Purposes and legal bases
- Providing the Service — legal basis: contract performance (Art. 6.1.b GDPR)
- Managing subscriptions and billing (via Whop) — legal basis: contract performance
- Complying with our legal obligations (accounting, tax) — legal basis: legal obligation (Art. 6.1.c GDPR)
- Improving the Service — legal basis: legitimate interest (Art. 6.1.f GDPR)
4. Subprocessors and recipients
Your data is shared with the following subprocessors, selected for their GDPR compliance:
- Vercel Inc. (site hosting) — United States. Transfer governed by Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework.
- Neon Inc. (database) — datacenter in Europe (Frankfurt, Germany).
- Whop Inc. (authentication and payment) — United States. Transfer governed by SCC.
- Cloudflare, Inc. (DNS and inbound email routing) — United States. Transfer governed by SCC.
- Resend, Inc. (outbound email delivery) — datacenter in Europe (Ireland).
Your data is never sold or shared for advertising purposes.
5. Retention period
- Active account: for as long as the user keeps their account.
- Deleted account: immediate and complete deletion (cascade delete) upon user request from the "My Account" page.
- Billing and accounting: retained by Whop, Inc. in its capacity as Merchant of Record, for the duration required by applicable accounting and tax obligations (generally 7 to 10 years).
- Server logs: 30 days maximum.
6. Your rights (GDPR)
In accordance with the GDPR, you have the following rights:
- Right of access: obtain a copy of your data.
- Right to rectification: correct inaccurate data.
- Right to erasure: delete your account directly from the "My Account" interface. Immediate, irreversible and complete deletion.
- Right to portability: receive your data in a structured format.
- Right to object to processing based on legitimate interest.
- Right to lodge a complaint with the CNIL if you believe your rights are not being respected.
To exercise these rights, contact us at contact@chartstrackr.com. We respond within 30 days maximum.
7. Cookies
chartstrackr uses a single cookie strictly necessary for operation:
- ct_session: signed JWT containing your user ID and your plan. HttpOnly, Secure, SameSite=Lax. Duration: 30 days.
This cookie does not require prior consent (strictly necessary technical cookie within the meaning of article 82 of the French Data Protection Act).
chartstrackr does not use third-party advertising tracking cookies, Facebook/Google pixels, or third-party analytics to date.
8. Security
We implement appropriate technical and organizational measures to protect your data: mandatory HTTPS, JWTs signed with HMAC-SHA-256, a database encrypted at rest (Neon), and no password storage (delegated to Whop OAuth).
9. Policy updates
This policy may evolve. Users will be informed of significant changes by email or in-app notification. The last update date appears at the top of this document.