Privacy Policy
Last updated: May 27, 2026
1. Who We Are
Bullynx is operated by [ENTITY_NAME_TBD] (“we”, “us”). This Privacy Policy explains how we collect, use, share, and protect your personal data when you use bullynx.com (“the Service”). Contact: legal@bullynx.com.
For GDPR purposes, [ENTITY_NAME_TBD] is the data controller.
2. Data We Collect
We collect the following categories of data:
Account data (via Clerk)
Email address, name (optional), profile picture (if Google OAuth), authentication tokens.
Profile data (from onboarding)
Investment horizon, risk tolerance, capital range, asset preferences, trading style, experience level, goals. This data is used solely to personalise the AI’s communication style — it is not used to generate securities recommendations.
Usage data
Conversation messages, chart images uploaded, AI-generated responses, timestamps, feature interactions.
Billing data (via Stripe)
Subscription plan, billing period, payment status. We do not store full card numbers — Stripe handles payment instrument storage under PCI-DSS.
Technical data
IP address (logged by infrastructure), browser type, device type, request logs. IP addresses may be retained in server logs for up to 90 days.
Analytics data (PostHog, with consent)
Page views, feature usage, session duration. Collected only after you grant analytics consent via the cookie banner.
AI audit data
Token counts, model used, cost-per-message. Stored in anonymised form (user_id nulled on account deletion) for financial reconciliation purposes.
3. Legal Basis for Processing (GDPR Art. 6)
| Processing purpose | Legal basis |
|---|---|
| Providing the Service | Contract (Art. 6(1)(b)) |
| Personalising AI communication style | Contract (Art. 6(1)(b)) |
| Billing and payment processing | Contract and legal obligation (Art. 6(1)(b) and (c)) |
| Error monitoring and security | Legitimate interest (Art. 6(1)(f)) |
| Analytics and product improvement | Consent (Art. 6(1)(a)) |
| AI audit log retention (anonymised) | Legal obligation — fraud prevention (Art. 6(1)(c)) |
4. How We Use Your Data
- To provide, maintain, and improve the Service
- To personalise the AI assistant’s communication style based on your investor profile
- To process payments and manage subscriptions
- To send transactional emails (account changes, payment receipts, subscription updates)
- To monitor errors and ensure security
- To comply with legal obligations
We do not use your data to train AI models. We do not sell your data to third parties. We do not use your data for targeted advertising.
5. Data Sharing and Subprocessors
We share data with the following subprocessors to operate the Service. All subprocessors are contractually bound to protect your data and use it only to provide their service to us:
| Subprocessor | Purpose | Location | Data shared |
|---|---|---|---|
| Vercel | Hosting and CDN | United States (edge global) | Request logs, IP addresses |
| Supabase | Database and file storage | United States (AWS us-east-1) | All user data |
| Clerk | Authentication | United States | Email address, OAuth tokens |
| OpenAI | AI text and vision processing | United States | Conversation content, uploaded chart images |
| Stripe | Payment processing | United States | Name, email, subscription data |
| Twelve Data | Market data queries | United States | Ticker symbols (no personal data) |
| Upstash | Rate limiting and caching | United States | User ID (rate limit keys only) |
| Resend | Transactional email | United States | Email address |
| Sentry | Error monitoring | United States | Stack traces, anonymised user ID |
| PostHog | Product analytics (consent-gated) | European Union | Page views, feature events |
| Helicone | AI cost tracking | United States | User ID, token counts |
| Cloudflare | DNS and network | Global | IP addresses, request metadata |
6. Cookies
We use cookies as described in our Cookie Policy. You can manage your preferences at any time via the cookie banner at the bottom of any page.
7. Data Retention
| Data | Retention | Legal basis |
|---|---|---|
| User profiles | Deleted on account erasure | Contractual necessity |
| Conversations and messages | Deleted on account erasure | Contractual necessity |
| Memory facts | Deleted on account erasure | Contractual necessity |
| Chart analyses | Deleted on account erasure | Contractual necessity |
| AI audit log | Retained indefinitely (user ID anonymised on erasure) | Legal obligation (fraud/billing) |
| Consent logs | 3 years | Legal obligation (GDPR consent audit trail) |
| Usage events | 12 months | Legitimate interest (rate limiting, billing disputes) |
8. Your Rights
If you are located in the European Economic Area or the United Kingdom, or have rights under the CCPA (California), you have the following rights:
- Right of access (GDPR Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Correct inaccurate data.
- Right to erasure (Art. 17): Delete your account and all associated data from your account settings, or contact legal@bullynx.com.
- Right to restriction (Art. 18): Restrict processing in certain circumstances.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Right to withdraw consent (Art. 7(3)): Withdraw analytics consent at any time via the cookie banner.
To exercise these rights, contact legal@bullynx.com. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority.
CCPA rights (California residents): You have the right to know what personal information we collect, the right to delete it, and the right to opt out of its sale. We do not sell personal information.
9. International Data Transfers
[ENTITY_NAME_TBD] is a US entity. When you use the Service from the European Economic Area, your data is transferred to the United States. These transfers rely on Standard Contractual Clauses (SCCs) where required by GDPR. Our subprocessors who process EU data are either Privacy Shield certified (where applicable) or covered by SCCs.
10. Children’s Privacy
The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe we have collected data from a child, contact legal@bullynx.com immediately.
11. Changes to This Policy
We may update this Privacy Policy. We will notify you of material changes via email or a prominent notice on the Service at least 30 days before they take effect.
12. Contact and DPA
Data controller: [ENTITY_NAME_TBD] · legal@bullynx.com · [Address — to be added before launch]