Privacy policy
Effective 2026-05-28 · v0.1
What we collect
- Anonymous usage: request logs (path, status, timing), aggregated for capacity and abuse monitoring. Retained 90 days.
- Cookie session ID: a random opaque identifier used to bind investor alerts to your browser. Not linked to identity.
- Account credentials: for admin/analyst/viewer users only — username, email (optional), bcrypt-hashed password, role, last-login timestamp.
- API key metadata: name, tier, rate limit, last-used timestamp; the key itself is stored only as a bcrypt hash.
- Audit log: every authenticated action (login, key creation, data reseed) is recorded with actor, action, target, IP, and timestamp. Retained 1 year.
What we do NOT collect
- No third-party analytics (no Google Analytics, no pixels).
- No advertising identifiers, no cross-site tracking.
- No payment information yet (no payment processor integrated).
- No personal data is sold or shared with third parties.
Where data lives
All data is stored on EU/UAE-region servers (Contabo VPS, EU data centers). The database is PostgreSQL, encrypted at rest at the volume level. Transport is HTTPS only (HSTS enabled).
Your rights
You may request deletion of your account, alerts, or audit-log entries by contacting the operator. Anonymous session-bound alerts are deleted when their cookie expires (1 year by default) or when you clear cookies for floxcy.com.
Security
We use industry-standard practices: bcrypt for credentials, HTTP-only secure cookies for sessions, signed JWTs with a short TTL, rate limiting per IP/key, strict security headers (CSP, HSTS, X-Frame-Options), and a full audit trail for privileged actions. No security system is perfect; report vulnerabilities to the operator.