Privacy and data

What we collect

If you sign up: your email address. That is what magic-link sign-in needs to work, and it is the only personal data we keep about you. We do not ask for your name, address, phone, or anything else.

If you visit any page: an anonymous page-view count, your country, your browser type, and Core Web Vitals timings. This is gathered by Cloudflare Web Analytics, which is cookieless and does not assign you a persistent identifier.

If you submit the sign-in form: a Cloudflare Turnstile bot-check briefly examines your IP and browser characteristics to distinguish humans from automated abuse. The pass or fail result is checked once and discarded.

When you load any page: Cloudflare records edge-server logs (IP address, request path, response status) for security and abuse monitoring. These are short-lived operational logs, not a profile of you.

We do not collect: your name, your address, your phone number, payment details (Stripe will handle billing when Pro launches), browsing history outside our site, or anything from third-party trackers, because we do not run any.

How we use it

Email: to send you the one-time login link, and to send service notices about your account if anything important changes. We do not send marketing emails.

Page-view counts: to understand which pages get traffic so we can prioritize what to improve. Aggregate, not per-user.

Anti-bot signals: to keep automated abuse off the sign-in form. Not retained.

Subscription status (planned, not yet active): once the $9 per month Pro tier launches, we store a Stripe customer ID and your subscription state so we know what features to grant you.

Cookies and local storage

Session cookie (NextAuth, names like authjs.session-token): keeps you logged in after you click a magic link. First-party, HTTP-only, expires when you sign out or after a period of inactivity. Strictly necessary.

CSRF cookie (authjs.csrf-token): prevents cross-site request forgery on the login form. First-party, short-lived, strictly necessary.

Cloudflare bot-management cookie (__cf_bm and similar): used by Cloudflare across its network to distinguish bots from humans. First-party to tickerstance.com, short-lived, treated as strictly necessary for security.

Theme preference (browser localStorage): remembers whether you picked light or dark mode. Stored in your browser only; never sent to our servers.

We do not use: analytics cookies, advertising cookies, conversion pixels, fingerprinting scripts, or any third-party cookies. Cloudflare Web Analytics is the only analytics we run, and it does not set cookies.

Since every cookie in use is either strictly necessary or for security, no consent banner is required under EU and UK rules today. If we ever add an analytics or marketing tool that uses non-essential cookies, the banner goes up before the tool turns on.

Third parties we rely on

Cloudflare (hosting, DNS, edge network, Turnstile bot mitigation, Web Analytics): processes IP addresses for routing and abuse prevention. Web Analytics is cookieless and anonymized. See Cloudflare's public privacy policy for full details.

Supabase (managed Postgres database, EU region): stores your account record. Email address and authentication metadata are the only personal data on disk.

Resend (transactional email provider): sends the magic-link sign-in emails. Sees your email address only at the moment a sign-in link is dispatched.

Stripe (planned, not yet active): once Pro launches, Stripe handles all payments. We never see your card details, only a Stripe customer ID and subscription status.

Massive (market data) and FRED (US Federal Reserve macroeconomic data): we fetch market and macro data from these providers. Your activity on TickerStance is not shared with them.

Where your data is stored

If you have an account, your email and authentication metadata live in Supabase's eu-central-1 region (Frankfurt, Germany). If you never sign up, we store nothing about you. The public dashboard works without an account.

Edge requests are routed through the global Cloudflare network and terminate at our Workers in whichever Cloudflare data center is nearest you.

When you request a magic link, your email is sent to Resend (a US provider) for that one delivery. The international transfer is covered by standard contractual clauses. Resend does not retain it beyond delivery diagnostics.

How long we keep it

Account email: for as long as your account exists. After account deletion we remove the record, typically within 30 days.

Cloudflare Web Analytics: aggregated metrics retained by Cloudflare per their policy, currently up to six months.

Cloudflare edge logs: short-lived operational logs, retained per Cloudflare's policy.

Anti-bot signals: not retained.

Email delivery records (Resend): a short delivery log is kept by Resend for diagnostics and is purged on their schedule.

Your rights

You have the right to access the data we hold about you, correct anything inaccurate, delete your account and all associated data, export your data in a machine-readable format, and object to processing.

To exercise any of these, email privacy@tickerstance.com. We respond within 30 days. If you are in the EU or EEA, you also have the right to lodge a complaint with your national data protection authority.

We do not sell your data. We do not share it with advertisers. There is no business model here that depends on your data leaving our servers.

Children

TickerStance is not directed at children under 16 and we do not knowingly collect data from them. If you believe a child has signed up, email privacy@tickerstance.com and we will delete the account.

Who is responsible

TickerStance is operated from Norway. Email privacy@tickerstance.com for any privacy question or data request. We reply within 30 days at the outside, usually faster.

Changes to this policy

We update this page when practices change and note the date below. We do not start collecting new categories of data without disclosing it here first. If a change materially affects you and you have an account, we email you.

Last updated: 4 May 2026.