Privacy Policy
1. Introduction
This Privacy Policy explains how Catalyst Hunt ("Company," "we," "us," or "our") collects, uses, and protects your personal information when you use the Catalyst Hunt platform ("Service").
2. Information We Collect
2.1 Account Information
When you sign in via OAuth (Google, Apple, or Microsoft), we receive:
- Your name and email address.
- A unique identifier from the OAuth provider.
- Your profile picture URL (if provided by the OAuth provider).
We do not receive or store your OAuth provider password.
2.2 Subscription and Payment Data
Payment processing is handled entirely by Stripe. We store:
- Your Stripe Customer ID.
- Subscription status and plan type.
We do not store credit card numbers, CVVs, or full payment card details.
2.3 Usage Data
We collect:
- Companies added to your watchlist.
- Dossier and Flash Note requests you make.
- General usage analytics (pages visited, feature usage).
2.4 Automatically Collected Data
- IP address and approximate geolocation.
- Browser type and operating system.
- Referring URLs and access timestamps.
2.5 Analytics Data
With your consent, we use Google Analytics and Google Tag Manager to collect:
- Pages visited and navigation paths.
- Feature usage and conversion events.
- Session duration and bounce rate.
- Device type, screen resolution, and browser language.
- A randomly generated analytics client ID (not linked to your account).
Analytics data is collected only after you grant cookie consent. You may withdraw consent at any time via the cookie settings link in the site footer.
3. How We Use Your Information
We use your data to:
- Provide the Service: Deliver Flash Notes, Dossiers, and watchlist features.
- Process Payments: Manage subscriptions via Stripe.
- Improve the Service: Analyze usage patterns to enhance features and performance.
- Communicate: Send transactional emails (subscription confirmations, material Terms changes).
- Ensure Security: Detect and prevent fraud, abuse, or unauthorized access.
We do not sell your personal information to third parties.
4. Data Sharing
We share data only with:
| Recipient | Purpose | Data Shared |
|---|---|---|
| Supabase | Database hosting and authentication | Account info, usage data |
| Stripe | Payment processing | Email, subscription details |
| Third-party AI providers | AI analysis generation | Anonymized filing/clinical data (no PII) |
| Cloudflare | CDN and DDoS protection | IP addresses, request metadata |
| Google (Analytics and Tag Manager) | Analytics and conversion tracking (with consent) | IP address, pages visited, events, device info, analytics client ID |
We may also disclose information if required by law or to protect our legal rights.
5. Data Retention
- Account data: Retained while your account is active and for 30 days after deletion.
- Watchlist and research data: Deleted within 30 days of account deletion.
- Payment records: Retained as required by tax and financial regulations (typically 7 years).
- Server logs: Automatically purged after 90 days.
6. Your Rights
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of the personal data we hold about you.
- Correction: Request correction of inaccurate data.
- Deletion: Request deletion of your account and associated data.
- Portability: Receive your data in a structured, machine-readable format.
- Opt-out: Unsubscribe from non-essential communications.
To exercise any of these rights, contact [email protected].
7. Cookies
We use the following categories of cookies:
7.1 Essential Cookies (always active)
These cookies are strictly necessary for the Service to function and cannot be disabled.
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth cookies | Maintaining your login session | Session |
| CSRF token | Security protection | Session |
7.2 Analytics Cookies (consent required)
These cookies are set only after you grant consent via our cookie banner.
| Cookie | Purpose | Duration |
|---|---|---|
| _ga | Google Analytics — distinguishes users | 2 years |
| _ga_* | Google Analytics — maintains session state | 2 years |
| _gid | Google Analytics — distinguishes users | 24 hours |
You can withdraw your consent at any time via the cookie settings link in the site footer. Withdrawing consent will delete analytics cookies and prevent further collection.
We do not use advertising or remarketing cookies.
8. Security
We implement industry-standard security measures including:
- Encryption in transit (TLS/HTTPS).
- Row Level Security (RLS) in our database ensuring users can only access their own data.
- OAuth-only authentication (no password storage).
- Regular dependency updates and security audits.
No system is 100% secure. We cannot guarantee absolute security of your data.
9. Children's Privacy
The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If we learn we have collected data from a child under 18, we will delete it promptly.
10. International Data Transfers
Your data is stored in European data centers operated by Supabase and Cloudflare. Some data may be processed in other regions by our service providers (e.g., Stripe for payments, third-party AI providers for analysis, Google for analytics). Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before they take effect. The version number and effective date at the top will be updated accordingly.
12. Contact
For privacy-related questions or requests, contact us at [email protected].