Privacy Policy
Effective 2026-05-14.
This document is provided in English. The English version is the official and legally binding version; any translations are for convenience only — in case of conflict the English version prevails.
This policy explains what personal data we collect when you use TSP Core, why we collect it, the legal bases on which we rely, and what you can do about it.
1. Who is the data controller
The data controller for personal data processed through TSP Core is Maksym Rudevych, a sole proprietor (ФОП) registered in Ukraine, operating the website at tspcore.com. Contact for privacy questions and rights requests: [email protected].
2. What we collect
- Account data — email, first name, surname, and a cryptographically protected password. Optional: referral code presented at sign-up.
- Activity data — login timestamps, last-active timestamp, cumulative session duration, IP address and User-Agent header of each authenticated session.
- Configuration data — your alert preferences (sound, duration, email opt-in), saved chart drawings, registered price alerts.
- Email logs — subject lines and delivery status of transactional emails (verification, password reset, alert fan-out). We do not store message bodies after dispatch.
- Limited payment metadata from Paddle — customer id, subscription id, plan, payment status, billing period and transaction status. We do not see or store card numbers, bank details, or full billing addresses; those stay with Paddle.
We do not collect payment card data, government IDs, or third-party social profiles.
3. How we use it
- To authenticate you and run the platform.
- To send transactional email — email verification, password reset, price-alert notifications.
- To detect abuse and operational issues (rate limits, sign-in anomalies).
- To attribute referrals between accounts.
- To provide and renew paid access (acting on payment confirmations received from Paddle).
We do not sell personal data, and we do not run third-party advertising or analytics trackers on the dashboard.
4. Legal bases
Where the GDPR or an equivalent law applies, we rely on the following legal bases:
- Performance of a contract — for account data and any processing required to provide the service you signed up for, including paid subscriptions.
- Legitimate interest — for security and activity logs (keeping the platform secure, preventing abuse, troubleshooting operational issues) and for protecting our legal rights.
- Consent — for optional alert emails and for non-essential storage on your device (see Cookies policy). You can withdraw consent at any time without affecting processing carried out before withdrawal.
- Legal obligation — for tax, accounting and fraud-prevention records related to paid transactions.
5. Payments
Paid subscriptions and checkout are processed by Paddle, our Merchant of Record and payment provider. We do not collect or store payment card numbers. Paddle may process billing details, tax information, payment identifiers, receipts, invoices and transaction history in accordance with its own buyer terms and privacy notice. We receive limited payment-related information from Paddle — customer id, subscription id, plan, payment status, billing period and transaction status — so that we can provide or update paid access.
6. Cookies
The dashboard uses a small number of cookies for authentication and CSRF protection. Full details: Cookies policy.
7. Where data lives
Account and activity data is stored on servers operated by TSP Core in the European Union. Transactional email (verification, password reset, alert notifications) is delivered via an external email-sending provider. Market data is ingested directly from supported exchanges.
8. Service providers
We use third-party service providers for hosting, email delivery, payment processing, security, logging and infrastructure operations. These providers process personal data only as needed to provide their services to us, under contract, and only for the purposes we instruct. The categories we use are:
- Hosting / infrastructure — a cloud infrastructure provider operating data centres in the European Union.
- Edge / CDN / DDoS protection — a global edge network provider that fronts the website.
- Transactional email delivery — an external email-sending provider used for account verification, password reset and alert notifications.
- Payments — Paddle, our Merchant of Record (see section 5).
We can name the specific providers in each category on request — email [email protected].
9. International transfers
Some service providers may process data outside your country or the European Economic Area. Where required, we rely on appropriate safeguards such as adequacy decisions, EU Standard Contractual Clauses, or equivalent legal mechanisms to ensure your data receives a comparable level of protection.
10. Retention
Account records are kept for the lifetime of your account plus 12 months after deletion (for fraud-prevention and tax-reporting reasons). Session and activity logs are kept for 12 months. Payment-related records may be kept longer where tax or accounting law requires it. You can request earlier deletion — see Your rights below.
11. Your rights
Depending on where you live, you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data or update outdated fields.
- Request deletion of your account and associated data.
- Export your data in a portable format.
- Object to or restrict certain types of processing.
- Withdraw consent for processing based on consent.
- Opt out of non-essential emails (alert email notifications are opt-in already; verification and password-reset emails are essential and cannot be disabled).
- Lodge a complaint with your local data-protection authority.
To exercise any of these rights, email [email protected]. We respond within 30 days.
12. Security
Passwords are stored in a cryptographically protected form and never kept in plain text. Sessions run over HTTPS only; the session cookie is HTTP-only and protected against cross-site request forgery. We never log raw passwords or password-reset tokens beyond what's strictly necessary to deliver them.
13. Children
TSP Core is not intended for users under 18. We do not knowingly collect data from anyone under that age.
14. Changes
Material changes to this policy will be announced inside the dashboard or via the email on your account. The effective date at the top of this page always reflects the latest version.