Privacy Policy

Last updated: April 25, 2026 · Owned by Apache-3 Inc.

What we collect

• Email address (required for sign-in and alerts)
• Watchlist data: URLs, IATA codes, dates, alert thresholds you create
• Scraped price data tied to your targets (retained 90 days)
• Cron-run health metadata (retained 30 days)
• Stripe customer ID + subscription ID (no card data — Stripe holds it)
• Auth session cookies + minimal IP/User-Agent for fraud prevention

What we don't collect

• Credit card details (handled exclusively by Stripe)
• Browsing history outside our domains
• Any personal data beyond email + payment metadata

How we use it

Operating the Service: scraping the targets you configure, sending alerts to your email + Discord, billing your subscription, providing support. We do not sell user data, and we do not run advertising trackers on the Service.

Sub-processors

• Supabase (database + auth) — US
• Vercel (hosting) — US/EU edge
• Resend (transactional email) — US
• Discord (webhook delivery) — US
• Stripe (payments) — US
• SerpAPI (travel/hotel data) — US

Your rights (GDPR / CCPA)

• Access & portability: download all your data: GET /api/me/export
• Erasure: delete your account + all data: DELETE /api/me?confirm=DELETE
• Rectification: email apache3corp@gmail.com to update.
• Objection / restriction: same email.

Retention

Profile + watchlist data: kept while your account is active. Scraped prices: 90 days. Cron health logs: 30 days. Deleted accounts: purged within 30 days.

Security

TLS in transit, encryption at rest (Supabase / Stripe defaults). RLS policies isolate each user's data at the database level. Service-role keys are stored in Vercel environment variables and rotated on a quarterly cadence.

Children

The Service is not directed to anyone under 18. We do not knowingly collect data from children.

Contact

Privacy questions: apache3corp@gmail.com

⚠️ This is template wording. Have an attorney review before going to GA.