Privacy Policy
Last updated May 19, 2026
This Privacy Policy explains what personal information PublicOptions (“we”) collects when you use our API, website, or dashboard, how we use it, and the rights you have over it. We act as the controller of personal data about our account holders and as a processor of any personal data you process through the Service on behalf of your end users.
1. Information we collect
- Account data — name, email address, hashed password, and authentication identifiers (e.g. Google OAuth sub).
- Billing data — billing address, last four digits and brand of payment card, invoice history. Card numbers are processed and stored by Stripe; we never see the full card number.
- Usage data — API key identifier, endpoint, status code, latency, request timestamp, and IP address for each request.
- Support data — content of emails and messages you send to us.
- Cookies & local storage — see our Cookie Notice.
2. How we use information
- To provide, operate, and secure the Service.
- To authenticate requests, enforce quotas, and prevent abuse.
- To bill you and process refunds.
- To send transactional emails (account, security, billing, incident notices).
- To respond to support inquiries.
- To comply with legal obligations and enforce our Terms.
We do not sell personal information, and we do not use account or usage data for behavioural advertising.
3. Legal bases (EEA / UK users)
Depending on the activity, we rely on: contract (to provide the Service), legitimate interests (security, fraud prevention, product improvement), consent (non-essential cookies), and legal obligation (tax, accounting, lawful requests).
4. Sharing
We share personal information only with the subprocessors listed in our Data Processing Addendum — currently our cloud host, database/auth provider (Supabase), payment processor (Stripe), upstream market data provider, and email provider — and with authorities when required by law.
5. International transfers
Our infrastructure runs primarily in the United States. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on the European Commission’s Standard Contractual Clauses or another lawful transfer mechanism.
6. Retention
- Account & billing data — for the life of your account, plus up to 7 years for tax and audit purposes.
- API usage logs — 13 months, then aggregated and de-identified.
- Support correspondence — 3 years from last contact.
7. Security
All traffic is encrypted in transit (TLS 1.2+). Passwords and API keys are hashed at rest. Access to production systems is least-privilege, MFA-enforced, and logged. Full details are in our DPA.
8. Your rights
Depending on your jurisdiction, you may have the right to access, correct, delete, port, restrict, or object to processing of your personal data, and to withdraw consent at any time. Submit requests to [email protected]; we respond within 30 days. EEA/UK users may also lodge a complaint with their local supervisory authority.
9. Children
The Service is not directed to children under 16, and we do not knowingly collect their personal information.
10. Changes to this Policy
We will post any updates here and, for material changes, email account owners at least 30 days before the changes take effect.
11. Contact
Privacy questions or requests: [email protected].