Privacy Policy
This policy explains what data Shishin collects, how it's used, who it's shared with, and what rights you have over it. Plain language; the legal version defers to the Terms of Service when interpretation is needed.
What we collect
- Account data. Your email address, when you signed up, and password hash. Managed by Supabase (our auth provider).
- Usage data. Which pages you visit, when, and basic device/browser info. Used to detect bugs and abuse.
- Email preferences. If you opt in to digest or alert emails, we keep that preference associated with your account.
We don't collect financial information beyond what's needed to process a payment, and payments are handled entirely by Stripe, we never see or store your card details.
How we use it
- To operate the Service, show you the signals you signed up for, log you in, send you alerts you requested.
- To improve the Service, investigate bugs, measure which features are used.
- To communicate with you about account or service changes (administrative emails, never sold).
We don't sell your data. Aside from the advertising pixels described under Cookies below, which share limited event data with Reddit and Meta so we can measure our ads, we don't share your data with advertisers. We never share it with brokerages, market makers, or any party that might use it to trade against you.
Who else handles it
The Service runs on infrastructure provided by:
- Supabase, authentication and user database
- Our backend host, API server and signal database (provider listed at paid launch)
Each is a data processor acting on our instructions. Each has its own security practices that you can review on their respective websites.
How long we keep it
- Account data, for as long as your account exists, plus 30 days after closure (in case you change your mind).
- Usage logs, 90 days, then aggregated / anonymised.
- Signal history, indefinitely, because the public performance record needs to remain auditable.
Your rights
If you're in a jurisdiction that grants data-subject rights (EU/UK GDPR, California CCPA, etc.), you have the right to:
- Access the data we hold about you
- Correct it if it's inaccurate
- Delete it (within legal retention obligations)
- Receive a portable copy
- Object to processing for certain purposes
Email [email protected] and we'll act within 30 days.
Cookies and similar
A strictly-necessary cookie keeps you logged in and the site secure, it's always on and doesn't require consent. Beyond that, we use a small number of third-party tools that set their own cookies, grouped into two categories you control:
- Analytics, Microsoft Clarity. Records how visitors move through the site (clicks, scrolls, navigation) as replayable sessions and aggregate heatmaps, so we can find and fix what's confusing. It sets its own cookies (_clck, _clsk), masks the text you type by default, and we don't use it to identify you personally.
- Advertising, Reddit and Meta (Facebook) pixels. Measure whether a visit that began from one of our ads led to a sign-up, so we can judge whether that advertising is worth running, and help us reach similar audiences. They set advertising cookies and share limited event data with Reddit and Meta for that measurement.
If you're in the EU, EEA, UK, or Switzerland, none of these load until you opt in: we show a consent banner on your first visit, and you can accept all, reject all, or choose by category. You can change or withdraw your choice at any time using Cookie settings at the bottom of any page. Elsewhere, you can still block or clear these cookies in your browser, and the data-subject rights above always apply.
Children
The Service isn't intended for anyone under 18, and we don't knowingly collect data from minors. If you believe we have, email [email protected] and we'll delete it.
Changes to this policy
Material changes will be announced via email or an in-app notice at least 14 days before they take effect.
Contact
Privacy questions: [email protected]. General contact: [email protected].