Privacy Policy
Last updated: May 20, 2026
This Privacy Policy explains what data Hedgelytics collects, how we use it, and the rights you have over it. We collect the minimum data needed to operate the service.
1. Data we collect
We collect: (a) your email address — required for account creation and authentication; (b) optional display name; (c) session metadata — IP address, user agent, sign-in timestamps; (d) usage telemetry — which API endpoints you call, response status codes, and aggregate request counts. We do NOT collect your real name, address, phone number, or payment details directly — payment data is handled exclusively by our payment processor.
2. How we use it
Your data is used to: (a) authenticate you and maintain your session; (b) deliver transactional email (magic-link sign-in, welcome, billing receipts); (c) bill you for paid plans; (d) meter API usage and enforce rate limits; (e) detect abuse and protect the service from fraud; (f) improve the product through aggregate analytics. We do NOT sell or rent personal data to third parties. We do NOT use your data to train AI models.
3. Where we store it
Primary data storage runs on dedicated infrastructure operated by Tessellatic, Inc. Transactional email is delivered via Resend. Edge delivery and DDoS protection run through Cloudflare's global network. Application telemetry flows through Datadog.
4. Third-party processors
We share the minimum data necessary with vetted sub-processors: Resend (transactional email delivery), Cloudflare (CDN, WAF, DNS), Datadog (telemetry and observability). Each is bound by data-processing terms. A current list is available on request to security@hedgelytics.com.
5. Your rights
You have the right to: (a) access the personal data we hold about you; (b) request correction of inaccurate data; (c) request deletion of your account and associated data; (d) request a portable export of your data in a machine-readable format; (e) object to or restrict certain processing. To exercise these rights, email security@hedgelytics.com; we respond within 30 days. These rights are modeled on the GDPR and CCPA standards and apply globally, regardless of your residence.
6. Cookies
We use a single session cookie to keep you signed in, set with the HttpOnly, Secure, and SameSite=Lax attributes. We do NOT use advertising cookies, third-party trackers, or cross-site identifiers. We do not run a cookie banner because we don't set cookies that need consent under EU law.
7. Data retention
Authentication data (email, session records) is retained for 30 days after you delete your account, then permanently erased. Billing invoices are retained for the period required by applicable tax-record-retention law. Aggregate usage analytics (no PII) are retained indefinitely. Sessions older than 30 days are auto-expired.
8. Children
Hedgelytics is intended for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, contact security@hedgelytics.com and we will delete the account.
9. Security & breach notification
We employ industry-standard safeguards including encryption at rest and in transit, schema-isolated authentication tables, dedicated database roles with least-privilege access, and continuous monitoring. In the event of a personal-data breach, we will notify affected users within 72 hours of detection and disclose the scope, the data involved, and steps taken.
10. Changes to this policy
Material changes will be announced via email to active account holders and posted here with a new "last updated" date. Routine clarifications may be made without notice.
11. Contact
Privacy questions, data-subject requests, and complaints — email security@hedgelytics.com.