Privacy Policy
What Hesper Atlas collects, why, who processes it, and the rights you have over your data.
This policy explains how we, the data controller for Hesper Atlas, handle your personal data. The short version: we collect the minimum needed to run an account-based subscription service, we use one session cookie, and we never sell your data.
1. Data we collect
| Data | Where it comes from |
|---|---|
| Email address | You, when you create an account. Used to sign you in and to contact you about your account. |
| Password (hash only) | You, at signup. We store only a salted cryptographic hash, never the password itself. |
| Subscription status | Stripe, our payment processor. We store your plan, billing period, and a Stripe customer reference. We never see or store your full card number. |
| Favorites / watchlist & app settings | You, as you use the app (e.g. starred tickers, theme preference, portfolio capital input). |
| Telegram chat ID (optional) | You, only if you connect Telegram to receive daily alert pushes. Removable at any time in Settings. |
| Server logs | Automatically: IP address, timestamps, requested pages, and user-agent. These are standard web-server logs kept for security and debugging. |
We do not collect names, addresses, government IDs, brokerage credentials, or holdings data, and we do not track you across other websites.
2. Purposes & legal bases (GDPR)
| Purpose | Legal basis (Art. 6 GDPR) |
|---|---|
| Providing the service: account login, watchlists, signals, subscription management, billing | Contract (Art. 6(1)(b)), needed to deliver what you signed up for. |
| Sending daily alerts via Telegram | Contract / consent: this feature runs only if you opt in; disconnecting Telegram stops the processing. |
| Security, abuse prevention, debugging (server logs) | Legitimate interests (Art. 6(1)(f)): keeping the service secure and working. |
| Tax and accounting records of payments | Legal obligation (Art. 6(1)(c)). |
| Service emails about material changes to terms, prices, or this policy | Contract / legal obligation. We do not send marketing emails without separate consent. |
3. Processors & recipients
We share data only with the processors needed to run the service, under data-processing agreements:
- Stripe: payment processing and subscription billing. Stripe is an independent controller for payment data; see Stripe's own privacy policy.
- Hosting provider: Render (render.com), runs the servers and database where account data is stored.
- Telegram: delivers alert messages, only if you connect it. Telegram receives the message content (ticker signals) at your chat ID, under Telegram's own terms.
Where a processor is located outside the EU/EEA, transfers rely on appropriate safeguards such as EU Standard Contractual Clauses or an adequacy decision.
We do not sell or rent personal data, and we do not share it with advertisers or data brokers. We disclose data beyond the processors above only if legally required (e.g. a valid court order) or in a business transfer, in which case this policy continues to apply.
4. Retention
- Account data (email, password hash, watchlist, settings, Telegram ID): kept while your account exists; deleted within 30 days after you delete your account.
- Billing records: kept as long as required by tax and commercial law (typically up to 10 years, depending on jurisdiction), even after account deletion.
- Server logs: rotated and deleted after a short period (typically 30 to 90 days), unless needed for an ongoing security investigation.
5. Your rights
If you are in the EU/EEA or UK (and in many other jurisdictions), you have the right to:
- Access: get a copy of the personal data we hold about you;
- Rectification: correct inaccurate data (e.g. change your email);
- Erasure: delete your account and data ("right to be forgotten"), subject to legal retention duties for billing records;
- Portability: receive your data in a structured, machine-readable format;
- Restriction & objection: restrict or object to processing based on legitimate interests;
- Withdraw consent: at any time, for consent-based processing (e.g. disconnect Telegram), without affecting prior processing;
- Complain: lodge a complaint with your local data-protection authority.
To exercise any of these rights, email support@hesperatlas.com. We respond within one month.
6. Cookies
Hesper Atlas uses a single first-party session cookie, strictly necessary to keep you signed in. It contains an opaque session identifier, nothing else. We use no advertising trackers, no analytics cookies, and no third-party tracking pixels. Because the session cookie is strictly necessary, no cookie consent banner is required for it. Locally stored preferences (such as your light/dark theme choice) stay in your browser and are never transmitted to us.
7. Security
Passwords are stored only as salted hashes; traffic is encrypted in transit with TLS; access to production data is restricted. No internet service can guarantee absolute security. If a breach affects your personal data, we will notify you and the competent authority as required by law.
8. Children
The service is not directed at children and may not be used by anyone under 18. We do not knowingly collect data from minors; if you believe a minor has created an account, contact us and we will delete it.
9. Changes to this policy
We may update this policy as the service evolves. The "Last updated" date above always reflects the current version, and we will notify you (by email or in-app notice) before material changes take effect.
10. Contact & data controller
Data controller:
Privacy contact: support@hesperatlas.com