Privacy Policy
Effective date: May 18, 2026
1. Data controller
MyDealList is operated by Sidrit Skenderaj (Quimper, Brittany, France). Contact: contact@mydeallist.com.
2. Data we collect
- Account: email, hashed password, profile name and avatar
- Billing: processed by Stripe (we do not store card numbers)
- Usage: pages viewed, filters, listings, AI analyses requested
- Preferences: saved searches, investment goals, alert settings
- Technical: IP, browser, device, cookies (see Cookie Policy)
3. Legal bases (GDPR)
- Contract: delivering the subscription you signed up for
- Legitimate interests: security, fraud prevention, product improvement
- Consent: non-essential cookies and marketing email
- Legal obligation: tax and accounting records where required
4. Your rights
Under GDPR and applicable law you may:
- Access a copy of your personal data
- Rectify inaccurate data via Settings or by contacting us
- Request erasure ("right to be forgotten") — use Delete Account in Settings or email us
- Export your data in a portable format on request
- Object to processing based on legitimate interests
- Withdraw consent for marketing at any time via unsubscribe links or Settings
We respond to verified requests within 30 days. Email contact@mydeallist.com.
5. Retention & erasure
Data is kept while your account is active. After account deletion we erase personal data within 30 days except where law requires longer retention (e.g. invoices, 7 years). Marketing opt-out is immediate.
6. Processors
Stripe, Supabase, Vercel, Resend, and AI providers process data under agreements aligned with GDPR. International transfers use SCCs or equivalent safeguards.
8. International transfers
MyDealList serves users globally. Where personal data is transferred outside the European Economic Area (EEA), we rely on Standard Contractual Clauses (SCCs), adequacy decisions, or equivalent safeguards required under GDPR Chapter V. Processor locations are disclosed on request.
9. Automated decision-making
AI-generated scores, summaries, and alerts are assistive only—they do not produce legal or similarly significant effects without human review. You may request human intervention or contest automated outputs by contacting contact@mydeallist.com.
10. Children's privacy
The Service is not directed to individuals under 16 (or the higher age required in your jurisdiction). We do not knowingly collect children's data. Contact us to request deletion if you believe we have received such data.
11. Security measures
We implement technical and organizational measures including:
- Encryption in transit (TLS) and at rest where supported
- Role-based access controls and audit logging for staff systems
- Hashed credentials; we never store plaintext passwords
- Regular dependency patching and infrastructure hardening
- Incident response procedures with user notification when required
12. GDPR — detailed erasure procedure
When you delete your account (Settings → Danger zone) or submit a verified erasure request:
- We deactivate authentication and revoke API keys within 24 hours.
- Profile, preferences, saved searches, investment goals, and alert configurations are purged from primary databases.
- Marketing lists are updated immediately; you will not receive further promotional email.
- Backups containing personal data roll off on a 30-day cycle unless a shorter window is technically feasible.
- Billing records retained by Stripe remain under Stripe's policies; we delete local billing references where not legally required.
- Anonymized analytics may persist in aggregate form without re-identification.
Erasure is completed within 30 days; we confirm by email when practicable. Partial erasure (e.g. marketing only) is available via unsubscribe links or Settings.
13. Data portability & access
You may export core account data (profile, preferences, investment goals) on request. We provide machine-readable JSON or CSV within 30 days of identity verification. Access requests follow the same timeline.
14. Supervisory authority
EEA residents may lodge a complaint with their local data protection authority. In France, this is the CNIL (cnil.fr). We encourage you to contact us first so we can resolve concerns promptly.
15. Policy updates
Material changes will be posted on this page with an updated effective date. Continued use after notice constitutes acceptance where permitted by law; for material GDPR-related changes we will provide additional notice (email or in-app banner).