Privacy Policy
Last updated: February 2026
This document is subject to periodic updates. Contact privacy@curistat.com with questions.
1. Introduction
Curistat LLC, doing business as Curistat Trading Analytics (“we”, “us”, “our”), operates the website curistat.com and related services (collectively, the “Service”).
This Privacy Policy describes what personal data we collect, why we collect it, how we use and protect it, and the choices you have regarding your data.
By using our Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.
2. Information We Collect
2a. Information You Provide
- Email address — provided during account creation
- Name — provided in your account profile
- Payment information — processed by Stripe; we never see or store your card numbers
- Support inquiries — your name, email, and message content when you contact us
- Communication preferences — your notification and alert opt-in choices
2b. Information Collected Automatically
- IP address — for security, rate limiting, and fraud detection
- Browser type and version — User-Agent string
- Device information — operating system, screen resolution
- Pages visited and features used
- Timestamps of access
- Referral source — how you found us, including affiliate referral codes
- API usage metrics — endpoints called and request counts
2c. Information from Third Parties
- Clerk (authentication provider) — email verification status, login timestamps
- Stripe (payment processor) — subscription status and billing events (not card details)
3. How We Use Your Information
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Provide the Service | Email, subscription tier | Contract |
| Process payments | Stripe billing data | Contract |
| Send forecasts and alerts | Email, push tokens | Consent |
| Detect fraud and abuse | IP, User-Agent, usage patterns | Legitimate interest |
| Rate limiting | IP address, user ID | Legitimate interest |
| Improve the Service | Anonymized usage analytics | Legitimate interest |
| Respond to support requests | Name, email, message | Contract |
| Legal compliance | As required | Legal obligation |
4. Security Monitoring Disclosure
We actively monitor usage patterns to protect the Service, our data, and our users. This includes tracking request frequency, access times, and browsing behavior.
This monitoring detects:
- Automated scraping or data harvesting
- Credential sharing across multiple locations
- Abuse of rate limits
- Unauthorized API access
Automated systems may flag accounts exhibiting unusual activity. Flagged accounts may be temporarily rate-limited or suspended pending review.
Data logged for security monitoring:
- IP addresses
- Request paths and methods
- User-Agent strings
- Timestamps
- Bot detection flags
- Agent identifiers (X-Agent-ID header, if provided by AI agents or automated systems)
- Referral source and platform origin of API requests
AI agent and bot traffic:
We classify API requests as human, AI agent, or bot traffic based on User-Agent strings and optional agent identification headers. AI agents accessing our API are tracked for rate limiting, reputation scoring, and usage analytics. Agent reputation scores are calculated from request patterns and compliance history. This data is used solely for service quality and abuse prevention.
Access logs are retained for 90 days, then automatically deleted. This monitoring is necessary to protect the integrity of our Service and the experience of our legitimate users.
5. Data Sharing
We do NOT sell your personal data. We share data only with the following service providers:
- Clerk (authentication) — email and name, for login and signup.
- Stripe (payments) — billing information, for subscription management.
- Vercel (hosting) — IP address and request logs, for serving the website.
- Railway (backend hosting) — IP address and request data, for serving the API.
- Supabase (database) — account and subscription data, for storing user records.
- Beehiiv (email marketing) — email address, for newsletter delivery and forecast emails.
- Law enforcement — when required by law, subpoena, or court order
- Business transfers — if Curistat is acquired or merged (with advance notice to users)
We will NEVER:
- Sell your data to advertisers
- Share your data with data brokers
- Provide your trading behavior to third parties
- Use your data to trade against you
6. Data Retention
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Account info (email, name) | Until account deletion + 30 days | Automated |
| Payment records | 7 years (tax/legal requirement) | Automated |
| Access logs (IP, User-Agent) | 90 days | Automated rotation |
| API usage metrics | 12 months (anonymized after 90 days) | Automated |
| Support tickets | 2 years | Manual on request |
| Push notification tokens | Until unsubscribed | Automated |
| Affiliate referral data | 12 months | Automated |
7. Cookies and Local Storage
We use:
- Essential cookies — Clerk authentication session (required for login)
- Functional storage — localStorage for UI preferences (dark mode, dismissed banners, sidebar state)
- Affiliate cookie — stores referral code for 30 days if you arrived via a referral link
We do NOT use:
- Third-party tracking cookies
- Google Analytics (currently)
- Social media tracking pixels
- Cross-site tracking of any kind
8. Your Rights
All users can:
- Access your data — request a copy of all data we hold about you
- Correct your data — update your profile information at any time
- Delete your data — request account deletion (we will delete within 30 days)
- Export your data — request a machine-readable export
- Opt out of marketing — unsubscribe from any non-essential emails
- Withdraw consent — for optional processing such as alerts and notifications
California Residents (CCPA)
- Right to know what data we collect and why
- Right to delete personal information
- Right to opt out of sale (we do not sell data, but you may still exercise this right)
- Right to non-discrimination for exercising your rights
Contact: privacy@curistat.com
EU/EEA Residents (GDPR)
- All rights above, plus right to data portability and right to restrict processing
- Legal basis for processing: contract performance, legitimate interest, consent
- Data controller: Curistat LLC (d/b/a Curistat Trading Analytics), United States
- You may lodge a complaint with your local data protection authority
9. Children's Privacy
Our Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors.
If we discover that we have collected data from a person under 18, we will delete that data promptly. If you believe a minor has provided us with personal data, please contact us at privacy@curistat.com.
10. International Data Transfers
Our Service is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States.
We implement appropriate safeguards for international data transfers in accordance with applicable data protection laws.
11. Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, technology, or legal requirements.
- Material changes will be communicated with at least 30 days' notice via email
- Check the “Last updated” date at the top of this page for the latest revision
- Continued use of the Service after changes take effect constitutes acceptance of the revised policy
12. Contact Us
If you have questions about this Privacy Policy or wish to exercise your data rights, contact us:
- Privacy questions: privacy@curistat.com
- Data requests: privacy@curistat.com
- General support: support@curistat.com
- Security issues: security@curistat.com