Privacy Policy

Last updated: May 19, 2026

1. Introduction

Cogent Cash ("we," "us," or "our") respects your privacy and is committed to protecting your personal data. Cogent Cash is a collaborative project developed by an independent team. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services.

This policy applies to users in Singapore (under the Personal Data Protection Act 2012), the European Union (under the GDPR), the United Kingdom (under the UK GDPR), and the United States (including California under the CCPA/CPRA).

By using the Service, you consent to the practices described in this policy.

2. Data We Collect

We collect the following categories of personal data:

2.1 Account Data

  • Email address — required for account creation and authentication
  • Password — handled entirely by Supabase (our auth provider); we never store or access passwords
  • OAuth provider data — if you sign in via Google, GitHub, or other providers, we receive your profile information from that provider

2.2 Profile Data

  • Full name (optional)
  • Company name (optional)
  • Website (optional)
  • Avatar image (optional, stored in Supabase storage)
  • Email subscription preferences (unsubscribed status)

2.3 Financial Data

  • Ticker symbols you track in cost averaging positions
  • Investment amounts (stored as integers in cents for precision)
  • Number of shares
  • Current and target prices
  • Monthly savings contributions
  • Savings goals (name, target amount, current amount, contribution rates, interest rates)
  • Strategy parameters you configure in simulation tools

2.4 Contact Form Data

  • First name, last name
  • Email address
  • Phone number (optional)
  • Company name (optional)
  • Message body (optional)

2.5 Payment Data

  • Stripe customer ID — mapped to your user account
  • Subscription status and plan — managed via Stripe
  • We do not store credit card numbers or payment details; all payment processing is handled by Stripe

2.6 Technical Data

  • Session cookies — Supabase sets authentication cookies to maintain your logged-in session
  • Browser information — user agent, device type (collected in server logs)
  • Usage data — pages visited, features used (for service improvement)

3. How We Use Your Data

We use your personal data for the following purposes:

  • Service delivery — creating and managing your account, storing your financial data, providing calculator and analysis tools
  • Billing — processing subscription payments, managing your plan
  • Communication — sending transactional emails (account verification, password reset), responding to contact form inquiries, sending product updates (only if you opt in)
  • Fraud prevention — detecting and preventing abuse, unauthorized access, and fraudulent activity
  • Service improvement — analyzing usage patterns to improve features and user experience
  • Anonymized insights — creating aggregated, anonymized statistical insights that contain no personally identifiable information (see Section 10)

5. Data Sharing & Sub-Processors

We do not sell your personal information. We share data only with trusted third-party service providers who process data on our behalf under appropriate data protection agreements:

Processor     | Purpose                                            | Location
Supabase      | Authentication, database hosting, file storage     | United States
Stripe        | Payment processing, subscription management        | United States
Resend        | Email delivery (transactional and marketing)       | United States
Yahoo Finance | Market data (no user data is shared with Yahoo)    | United States

All sub-processors are bound by data processing agreements that require them to protect your data and use it only for the purposes specified by us.

6. Cross-Border Data Transfers

Your data is stored on servers located in the United States through our service providers (Supabase, Stripe, Resend).

If you are located in Singapore, the EU, or the UK, your data will be transferred to and processed in the United States. These transfers are governed by:

  • For EU transfers: EU Standard Contractual Clauses (SCCs) and adequacy decisions
  • For UK transfers: UK International Data Transfer Agreement and adequacy regulations
  • For Singapore transfers: Appropriate safeguards under the PDPA Transfer Limitation Obligation

By using the Service, you consent to these transfers. If you have concerns about data transfers, please contact us using the information in Section 16.

7. Your Rights

Depending on your jurisdiction, you have the following rights:

7.1 All Users

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate or incomplete data
  • Erasure — request deletion of your personal data (delete your account)
  • Data portability — request a machine-readable export of your data (export your data)
  • Object to processing — object to processing based on legitimate interests
  • Withdraw consent — withdraw consent at any time where processing is based on consent

7.2 Lodge a Complaint

You have the right to lodge a complaint with a data protection authority:

  • Singapore: Personal Data Protection Commission (PDPC) — www.pdpc.gov.sg
  • EU: Your national data protection authority (e.g., CNIL in France, BfDI in Germany)
  • UK: Information Commissioner's Office (ICO) — ico.org.uk
  • California: California Privacy Protection Agency

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (as amended by the CPRA):

  • Right to Know — request information about the categories and specific pieces of personal information we have collected about you
  • Right to Delete — request deletion of your personal information
  • Right to Correct — request correction of inaccurate personal information
  • Right to Opt-Out of Sale or Sharing — direct us not to sell or share your personal information
  • Right to Limit Use of Sensitive Personal Information — limit our use of sensitive personal information
  • Right to Non-Discrimination — we will not discriminate against you for exercising your privacy rights

Do Not Sell or Share My Personal Information

We do not sell or share your personal information. We do not sell, rent, or trade your personal data to third parties for monetary or other valuable consideration.

To exercise any of your CCPA/CPRA rights, contact us at the email address provided in Section 16. We will respond to verified requests within 45 days.

9. Anonymized Insights

We may create aggregated, anonymized statistical insights from user data for research, industry reports, or commercial purposes. Examples include:

  • "X% of users are bullish on technology stocks this quarter"
  • "Average cost averaging contribution amounts by region"
  • "Most popular hedging strategies among retail investors"

These insights meet the following criteria:

  • No personally identifiable information — all direct identifiers (user ID, email, name) are removed
  • Aggregated — data is combined across groups of at least 100 users to prevent re-identification
  • Irreversibly anonymized — data cannot be traced back to individual users through any reasonable means

Because anonymized data is not personal data under the GDPR, UK GDPR, PDPA, or CCPA, separate consent is not required for this processing. However, we will provide an opt-out option in your account settings if you prefer your data not be included.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant data protection authority within 72 hours of becoming aware of the breach (or 3 days under Singapore PDPA)
  • Notify affected users without undue delay if the breach poses a high risk to their rights and freedoms
  • Take immediate steps to contain the breach and mitigate any harm

11. Data Retention

We retain your personal data only for as long as necessary:

  • Account and profile data: Until you delete your account or after 2 years of inactivity
  • Financial data: Deleted when your account is deleted
  • Billing records: 7 years (managed by Stripe for tax compliance)
  • Contact form submissions: 2 years
  • Consent records: 3 years after account deletion (legal audit trail)
  • Deleted accounts: Soft-deleted for 30 days (recovery window), then permanently purged

12. Security

We implement appropriate technical and organizational measures to protect your personal data:

  • Encryption at rest — data stored in Supabase is encrypted
  • Encryption in transit — all communications use HTTPS/TLS
  • Password security — passwords are hashed by Supabase using industry-standard algorithms; we never see or store passwords
  • Access controls — Row Level Security (RLS) in Supabase ensures users can only access their own data
  • Secure payments — all payment processing is handled by Stripe, a PCI DSS Level 1 certified provider

13. Children's Privacy

The Service is not intended for children under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that we have inadvertently collected personal data from a child under 16, we will take steps to delete such information promptly.

If you are a parent or guardian and believe your child has provided us with personal data, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through an in-app notice before the changes take effect.

For material changes that affect how we process your data, we will seek your re-consent where required by applicable law.

The "Last updated" date at the top of this policy indicates when it was last revised.

15. Data Protection Officer Contact

If you have any questions about this Privacy Policy, wish to exercise your rights, or have a privacy-related complaint, please contact the Cogent Cash team:

Email: [Your DPO contact email]
Address: [Your address in Singapore]

We will respond to access requests and complaints within 30 days as required under the Singapore PDPA (or within the timeframe required by your local legislation, whichever is shorter).