This policy explains what The Bull Rankings ("we", "us") collects when you use The Bull Rankings, why, where it is stored, who else processes it, and the choices you have. It applies to the website and its APIs.
1. Information we collect
If you create an account:
- Email address — for sign-in, email verification, and account recovery.
- Password — stored only as a salted bcrypt hash. We never store or log your plaintext password.
- Display name — optional, shown only to you.
- Watchlist and search history — the tickers you save or look up, so they follow you across devices.
If you subscribe to a paid plan:
- Billing identifiers — a Stripe customer ID and subscription status. Card numbers and payment details are entered directly with Stripe and never reach our servers.
Collected automatically when you use the site:
- Security and abuse-prevention data — IP address and browser user-agent, used transiently for rate limiting and recorded in a security audit log of authentication events (sign-up, sign-in, failed attempts). Failed-login counts and temporary lockouts are kept on your account record.
- Analytics — aggregate, cookieless usage measurements (page views, referrers, performance timings) via Vercel Analytics. These do not identify you individually.
2. Cookies and local storage
- Session cookie (essential) — a single signed, HttpOnly cookie that keeps you signed in. It carries only an opaque account identifier. Required for the site to function; not used for tracking.
- Browser local storage — your recent searches and a copy of your watchlist are cached in your own browser for a faster experience. This never leaves your device except as described above for signed-in accounts.
- Advertising cookies — if and when display advertising (Google AdSense) is enabled, Google may set cookies to serve and measure ads. That activity is governed by Google's own policies; see Section 4.
Analytics is cookieless and needs no consent banner. If advertising cookies are introduced, this policy and any required consent controls will be updated first.
3. How we use your information
- To operate core features — accounts, watchlists, search, and subscriptions.
- To secure the service — rate limiting, lockouts, and abuse detection.
- To send transactional email — verification and password-reset messages only. We do not send marketing email.
- To understand aggregate usage and improve the product.
We do not sell your personal data.
4. Where your data is stored and who processes it
We rely on the following providers, each acting as a processor or independent controller for the data noted:
- Vercel — website hosting and cookieless analytics.
- Neon — the PostgreSQL database holding account, watchlist, search, and subscription-status records.
- Stripe — payment processing and storage of card details for subscriptions.
- Resend — delivery of verification and password-reset emails (receives your email address).
- Google AdSense — display advertising, if enabled after launch (an independent controller for ad-targeting data).
- Yahoo Finance and Finnhub — market-data sources. They receive ticker symbols only — never your personal information.
- Groq and Google (Gemini) — generate the written stock commentary. They receive ticker symbols and public company fundamentals only — never your personal information.
5. Data retention
- Account data — kept while your account is active. On deletion it is removed from the live database; routine encrypted backups may persist for up to 30 days.
- Security audit log — authentication events are retained for up to 90 days, then discarded.
- Single-use tokens — email-verification and password-reset tokens are stored only as hashes and expire shortly after issuance.
6. Your rights and choices
- Access — request a copy of the data associated with your account by emailing us.
- Deletion — delete your account, which removes your account data as described in Section 5.
- Correction — update your display name and watchlist at any time from your account.
- EU/UK residents — you have rights under the GDPR/UK GDPR, including access, rectification, erasure, restriction, portability, and objection. Our legal bases are contract (operating your account), legitimate interests (securing the service), and consent where required.
- California residents — you have rights under the CCPA/CPRA, including to know, delete, and correct your personal information, and to opt out of any "sale" or "sharing." We do not sell personal data; if advertising cookies are enabled, ad personalization may be treated as "sharing," and an opt-out control will be provided.
To exercise any of these rights, contact us at the address in Section 10.
7. Security
Passwords are bcrypt-hashed; session cookies are signed, HttpOnly, and scoped with the __Host- prefix in production; verification and reset tokens are stored only as hashes; the site sends a strict Content-Security-Policy and other hardening headers; and access is rate-limited. No system is perfectly secure, but we apply current best practices.
8. International transfers
Our providers may process data in the United States and other countries. Where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.
9. Children
The site is intended for adults and is not directed to anyone under 18. We do not knowingly collect data from minors; if you believe a minor has provided us data, contact us and we will delete it.
10. Contact
Privacy questions or requests: Bullrankings@gmail.com.
11. Changes to this policy
We may update this policy as the service evolves. Material changes will be reflected in the "Effective" date above, and — where the law requires — communicated to signed-in users.
This policy is provided for transparency and is not legal advice.