Privacy Policy

Last updated: 2026-05-09

This Privacy Policy explains what information CharmCast collects, why we collect it, and how we handle it when you use the desktop app, web dashboard, public APIs, or marketing site at charmcast.co.uk.

1. What we collect

• Account data — email address, scrypt-hashed password, subscription tier, account-creation timestamp.
• Activity data — page navigation, AI prompts, indicator clicks, analysis runs. Stored as JSONL audit trails per user under the application's private storage.
• Usage telemetry — request paths, response codes, error stacks. We actively scrub stack traces in production responses.
• Trading-context data — symbols you analyze, watchlists, saved settings, optional broker keys you enter (stored locally, never transmitted to us unless you explicitly link an account).

2. What we do not collect

• We do not collect plaintext passwords. Passwords are hashed with scrypt before storage and cannot be recovered, even by an administrator.
• We do not track you across third-party sites. There is no advertising network embedded in the dashboard.
• We do not sell or share your data with third-party data brokers.

3. Why we collect it

To provide and operate the Service, authenticate sessions, generate per-user analyses, detect abuse, debug issues, and produce aggregated usage metrics that inform product development. Activity logs help us audit access and protect your account.

4. Cookies & sessions

We use first-party HTTP-only cookies for session management. Cookies are scoped with SameSite=Strict and the Secure flag on production. We do not use third-party advertising cookies.

5. Third parties

• Cloudflare — fronts charmcast.co.uk via Tunnel; receives standard edge metadata (IP, user-agent, request path).
• AI providers — when you trigger an analysis, the relevant prompt payload (no account credentials) is sent to the configured AI provider (Anthropic Claude, Google Gemini) per your account's tier routing.
• Market-data providers — symbol-level public market data is fetched from upstream providers; your identity is not transmitted to them.
• Stripe — payment processing for paid tiers. We never see your full card number.

6. Storage & retention

User data is stored on infrastructure operated by us. Activity logs are retained while your account is active and for a reasonable period afterward to satisfy security and audit obligations. You can request deletion of your account and associated personal data by emailing support@charmcast.co.uk.

7. Your rights

Depending on your jurisdiction (e.g. UK GDPR, EU GDPR), you may have rights to access, correct, port, or delete your personal data, and to object to certain processing. To exercise any of these rights, contact support@charmcast.co.uk.

8. Security

Passwords are hashed with scrypt. Sessions support absolute timeouts and account-lockout after repeated failed attempts. Admin actions require step-up authentication. Production deployment runs behind Cloudflare with strict CSP, SameSite=Strict cookies, and origin-locked CSRF protection.

9. Children

The Service is not directed to children under 18. We do not knowingly collect personal data from children.

10. Changes

We may update this policy from time to time. Material changes will be communicated via the dashboard or email.

11. Contact

Questions? support@charmcast.co.uk.

← Back to home