Privacy Policy
Last updated: February 2026
1. What We Collect
When you register for an API key we collect:
- Email address — used for one-time verification codes. Re-registering with the same email deactivates your old key and issues a new one.
- IP address & user-agent — stored in server request logs for rate limiting and abuse prevention. For anonymous (unregistered) users, these are also hashed into a SHA-256 fingerprint to enforce free trial quotas.
When you use the analysis tools we log:
- Ticker symbol requested, response status, and response time.
- Your API key identifier (not the key itself) for usage tracking.
2. What We Do NOT Collect
- We do not collect payment information, government IDs, or health data.
- We do not read, store, or have access to your AI assistant conversations.
- We do not use cookies or third-party tracking scripts.
3. How We Use Your Data
- Email: Sending OTP codes during registration and key resets only.
- Usage logs: Monitoring server health, enforcing rate limits, and improving the service.
- Anonymous fingerprints: Enforcing the free trial quota for unregistered users.
4. Data Sharing
We do not sell, rent, or share your personal data with third parties. Market data is fetched from Financial Modeling Prep (FMP) using our server-side API key — your identity is never sent to FMP.
5. Data Retention
- Analysis results are cached for 24 hours (daily) to 72 hours (weekly). Expired cache entries and their files are automatically deleted within 7 days of expiry.
- Request logs (ticker, status, response time, IP address, user-agent) are retained indefinitely for operational and debugging purposes. We may implement automated cleanup in the future.
- Email addresses are retained as long as you have an active API key. Re-registering deactivates your old key. You can request full data deletion by contacting us (see Contact below), which requires manual database cleanup on our end.
6. Security
All communication is encrypted via HTTPS (TLS certificates auto-managed by Caddy). API keys are validated by comparing SHA-256 hashes — the raw key is only shown once at registration. During OAuth flows, the raw API key is temporarily stored in an authorization session record to complete the token exchange; these sessions expire within 5 minutes. OTP codes expire after 10 minutes. Bearer tokens are validated against the database on every request.
7. Your Rights
You may request access to, correction of, or deletion of your personal data at any time by contacting us using the details in the Contact section below.
8. Contact
For privacy-related questions or data deletion requests, email us at support@technical-analysis-mcp.com.