Privacy Policy

Effective Date: March 21, 2026

Last Updated: March 21, 2026

Summary: Smart Money API is operated by Ardit Tashi. We collect minimal data needed to provide our service, we never sell your personal data, and we respect your rights under GDPR and applicable privacy law. This policy explains exactly what we collect, why, and how you can control it.

1. Introduction

This Privacy Policy describes how Smart Money API ("we," "us," or "our"), operated by Ardit Tashi, collects, uses, and shares information about you when you use our website (smartmoneyapi.com), API services, dashboard, and related products (collectively, the "Service").

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

By using our Service, you agree to the collection and use of information in accordance with this policy. If you do not agree with any part of this policy, please discontinue use of our Service.

2. Data Controller

The data controller responsible for your personal data is:

Smart Money API

Operated by: Ardit Tashi

Email: privacy@smartmoneyapi.com

Website: smartmoneyapi.com

For any questions or requests regarding your personal data, please contact us at privacy@smartmoneyapi.com.

3. Data We Collect

3.1 Information You Provide Directly

  • Account registration: Email address, display name, and password (hashed) when you sign up via email. If you use Google Sign-In via Firebase Authentication, we receive your email address and Google profile name.
  • Billing information: Payment method details are processed and stored by Stripe, our payment processor. We receive only non-sensitive billing summary data (last 4 digits of card, billing country, subscription status). We never store full card numbers.
  • Contact form: Name, email address, subject, and message content when you contact us.
  • API usage preferences: Watchlist symbols, alert rules, webhook URLs, and other configuration settings you save in the dashboard.

3.2 Information Collected Automatically

  • API request logs: Timestamps, endpoint accessed, HTTP status codes, response times, and your API key identifier (not the key itself) for each request. Used for rate limiting, abuse prevention, and usage analytics.
  • IP address: Collected for security, fraud prevention, and rate limiting. IP addresses are anonymised after 30 days.
  • Browser and device information: Browser type, operating system, and viewport size collected via server logs and cookies. Used to improve compatibility.
  • Session data: Authentication tokens and session identifiers managed via Firebase Authentication secure cookies.
  • Usage analytics: Page views, feature usage patterns, and navigation paths collected anonymously to understand how users interact with the Service.

3.3 Information from Third Parties

  • Google / Firebase: If you sign in with Google, we receive your Google account email address and display name from Firebase Authentication.
  • Stripe: Subscription status, plan tier, and billing information summary from Stripe webhooks when you subscribe or manage your subscription.

4. How We Use Your Data

We use the information we collect for the following purposes:

  • Service delivery: To provide, operate, and maintain the API, dashboard, and associated services, including authenticating your identity and enforcing subscription tiers and rate limits.
  • Account management: To create and manage your account, process payments through Stripe, send billing receipts, and notify you of account-related issues.
  • Service improvement: To understand how users interact with our platform, identify bugs, and develop new features based on aggregate usage patterns.
  • Security and fraud prevention: To detect and prevent unauthorised access, API abuse, and fraudulent activity.
  • Communications: To respond to your support requests and contact form submissions. We may also send infrequent product updates if you have an active account; you can unsubscribe at any time.
  • Legal compliance: To comply with applicable legal obligations, respond to lawful requests from public authorities, and enforce our Terms of Service.

We do not sell, rent, or trade your personal data to any third party for marketing or advertising purposes.

6. Data Sharing and Disclosure

We share your data only in the following circumstances:

  • Service providers: We share data with trusted third-party service providers who assist us in operating the Service (see Section 7). These providers are bound by data processing agreements and may only use your data as directed by us.
  • Legal requirements: We may disclose your data if required by law, court order, or government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of Smart Money API, our users, or the public.
  • Business transfers: If Smart Money API is acquired, merged, or transfers assets, your data may be transferred as part of that transaction. We will notify you via email or a prominent notice on our website before any transfer occurs.
  • With your consent: We may share your data for any other purpose with your explicit consent.

We do not share individual user data with other users of the Service.

7. Third-Party Services

We use the following third-party services, each with its own privacy policy:

7.1 Firebase / Google (Authentication & Storage)

We use Firebase Authentication (provided by Google LLC) to manage user accounts and authentication. Firebase may collect device identifiers, IP addresses, and authentication event data. Firebase is covered by Google's Privacy Policy: policies.google.com/privacy. Data processed through Firebase may be stored in the United States. Standard Contractual Clauses (SCCs) apply for EEA users.

7.2 Stripe (Payment Processing)

All payment processing is handled by Stripe, Inc. (or Stripe Payments Europe Ltd. for EEA users). Stripe processes your payment card information in compliance with PCI DSS Level 1. Smart Money API never stores payment card numbers. Stripe's Privacy Policy: stripe.com/privacy.

7.3 Cloudflare (CDN & DDoS Protection)

Our website is served through Cloudflare's content delivery network. Cloudflare processes IP addresses, browser characteristics, and request headers for security and performance purposes. Cloudflare's Privacy Policy: cloudflare.com/privacypolicy.

7.4 Telegram (Optional Alerts)

If you configure Telegram bot alerts (Pro plan), your Telegram chat ID is stored securely and used only to deliver alerts you have configured. We do not access your Telegram message history.

8. Cookies and Tracking

We use cookies and similar technologies to operate the Service and improve your experience. For full details on the cookies we use and how to manage them, please see our Cookie Policy.

In summary:

  • Essential cookies: Required for authentication, session management, and security. Cannot be disabled without breaking core functionality.
  • Analytics cookies: Used to understand aggregate usage patterns. Can be declined via the cookie consent banner.
  • Third-party cookies: Set by Stripe and Firebase for payment and authentication flows.

You can manage your cookie preferences at any time using our cookie consent banner or by adjusting your browser settings.

9. Data Retention

We retain your personal data only as long as necessary for the purposes described in this policy:

  • Active accounts: Account data and preferences are retained while your account is active.
  • API request logs: Detailed logs are retained for 90 days for debugging and security. Aggregate anonymised statistics are retained indefinitely.
  • IP addresses: Full IP addresses are anonymised after 30 days. Anonymised records may be retained for security analytics.
  • Billing records: Stripe payment and subscription records are retained for 7 years to comply with financial record-keeping obligations.
  • Deleted accounts: Upon account deletion, your personal data (email, preferences, API keys) is deleted within 30 days. Anonymised aggregate analytics data may be retained.
  • Contact form submissions: Retained for up to 2 years to track support history, then deleted.

10. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right of access (Article 15 GDPR): Request a copy of the personal data we hold about you.
  • Right to rectification (Article 16 GDPR): Request correction of inaccurate or incomplete data.
  • Right to erasure / "right to be forgotten" (Article 17 GDPR): Request deletion of your personal data where there is no overriding legal reason for us to continue processing it.
  • Right to restriction of processing (Article 18 GDPR): Request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Article 20 GDPR): Receive your data in a structured, machine-readable format and have it transferred to another controller.
  • Right to object (Article 21 GDPR): Object to processing based on our legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
  • Right to lodge a complaint: Lodge a complaint with your national data protection authority (e.g., the ICO in the UK, or your local EU supervisory authority).

To exercise any of these rights, contact us at privacy@smartmoneyapi.com. We will respond within 30 days. We may ask you to verify your identity before fulfilling certain requests.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • HTTPS/TLS encryption for all data in transit
  • API keys hashed using bcrypt before storage
  • Firebase Authentication industry-standard session management
  • SQLite databases with restricted file system permissions
  • Cloudflare DDoS protection and WAF
  • Access controls limiting data access to the minimum required

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and relevant supervisory authorities as required by law.

12. International Data Transfers

Smart Money API is operated from within the European Economic Area. However, some of our third-party service providers (including Google/Firebase and Stripe) process data in the United States. Where we transfer personal data outside the EEA or UK, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where applicable

You can request information about the specific transfer mechanisms we rely on by contacting privacy@smartmoneyapi.com.

13. Children's Privacy

Our Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@smartmoneyapi.com and we will delete the data promptly.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this page
  • Notify registered users via email where changes significantly affect your rights
  • Display a prominent notice on our website

We encourage you to review this policy periodically. Your continued use of the Service after changes become effective constitutes your acceptance of the revised policy.

15. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or your personal data, please contact us:

Smart Money API — Privacy Requests

Email: privacy@smartmoneyapi.com

General contact: Contact form

Response time: within 30 days of receipt

If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority. In the UK, this is the Information Commissioner's Office (ICO) at ico.org.uk.