Privacy Policy

Last updated: June 14, 2026

This Privacy Policy explains what personal data GEX Session Monitor (the “Service”) collects, how we use it, and the third parties that process it on our behalf. We collect the minimum needed to run the Service.

1. Data we collect

• Account data (via Google sign-in): your name, email address, and profile picture URL, as provided by Google when you authenticate. We use Google as the only sign-in method.
• Subscription & entitlement data: your trial start/end dates and plan status (trial, pro, expired), stored to control access. We do not store your payment-card details (see §3).
• Usage & technical data: which ticker/views you request and standard server logs (IP address, timestamp, user agent) generated by our hosting provider for security and reliability.
• Session cookie: a single secure, http-only session cookie (__session) used to keep you signed in. It is essential to the Service’s operation.

2. How we use your data

• to authenticate you and keep you signed in;
• to provide the dashboard and serve market-data reads;
• to manage your free trial and subscription entitlement;
• to operate, secure, debug, and improve the Service;
• to communicate with you about your account or support requests;
• to comply with legal obligations.

We do not sell your personal data, and we do not use it for third-party advertising.

3. Payments

Payments are processed by Paddle, which acts as the Merchant of Record. When you subscribe, your payment details (card number, billing address, etc.) are collected and processed directly by Paddle under Paddle’s privacy policy. We never see or store your full card details; we receive only the subscription status and limited billing metadata needed to grant access.

4. Service providers (sub-processors)

We rely on the following third parties to operate the Service. Each processes data only as needed:

• Google Firebase (Authentication & Firestore): stores your account record and subscription/entitlement data, and verifies your sign-in. Governed by Google’s privacy terms.
• Google Cloud (Cloud Functions & Secret Manager): runs our scheduled market-data poller and stores API credentials securely. No personal data is sent to this component.
• Vercel: hosts the application and serves requests; generates standard access logs.
• Market-data provider: the third-party source of our options-gamma data. We fetch market data from this provider; we do not send your personal data to it.
• Anthropic: generates the optional AI “desk note.” We send only anonymized market state (regime, levels, flow) for summarization — no personal data is sent to Anthropic.
• Paddle: processes payments as Merchant of Record (see §3).

5. Data retention

We retain your account and entitlement data for as long as your account exists. If you delete your account or ask us to remove your data, we delete your account record from Firestore, subject to any data we must retain for legal, tax, or fraud-prevention purposes (for example, payment records held by Paddle). Server logs are retained for a limited period by our hosting providers.

6. Your rights

Depending on your jurisdiction, you may have the right to access, correct, export, or delete your personal data, and to object to or restrict certain processing. To exercise these rights, email us at support@gexmon.app. You can revoke the app’s access to your Google account at any time from your Google account settings.

7. Data security

We use reputable infrastructure providers, encrypted transport (HTTPS), secure http-only session cookies, and secret management for credentials. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we take reasonable measures to protect your data.

8. International transfers

Our providers may process and store data in countries other than yours, including the United States. By using the Service, you acknowledge that your data may be transferred to and processed in such locations under those providers’ safeguards.

9. Children

The Service is not directed to anyone under 18, and we do not knowingly collect data from children. If you believe a minor has provided us data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. Changes are reflected by the “Last updated” date above. Your continued use of the Service after changes take effect constitutes acceptance.

11. Contact

Questions about your privacy or this policy? Contact us at support@gexmon.app.