Privacy Policy

Last updated: March 2026

1. What We Collect

• Account data: Email address, hashed password, display name
• Usage data: Watchlist tickers, lookup history, login timestamps
• Technical data: IP address (for rate limiting), browser user-agent

We do not collect payment card details directly — all billing is handled by Stripe.

2. Why We Collect It

• To provide and maintain the Biocat service
• To authenticate your account and enforce rate limits
• To improve the platform based on usage patterns

3. Data Storage

Your data is stored in a PostgreSQL database hosted on Railway (EU/US infrastructure). Passwords are hashed with bcrypt and never stored in plain text.

4. Data Sharing

We do not sell, rent, or share your personal data with third parties, except:

• Stripe (payment processing, if applicable)
• Railway (infrastructure hosting)

5. Your Rights (GDPR)

Under the General Data Protection Regulation, you have the right to:

• Access: Request a copy of your data via GET /auth/export-data
• Rectification: Update your account information
• Erasure: Delete your account via DELETE /auth/account
• Portability: Export your data in JSON format

6. Data Retention

Active accounts: data retained while account is active. Deleted accounts: PII is cleared immediately, remaining anonymized data is purged within 30 days.

7. Cookies

We use a single httpOnly cookie for JWT refresh tokens. No tracking cookies or third-party analytics.

8. Data Controller

The data controller for the purposes of the GDPR is:
Biocat — Operated from Lisbon, Portugal
For privacy inquiries or to exercise your rights: g.cecinelli@gmail.com

You also have the right to lodge a complaint with the Portuguese data protection authority (CNPD — Comissão Nacional de Proteção de Dados) at www.cnpd.pt.

See also: Terms of Service · Legal Disclaimer