Privacy Policy

Last updated: April 21, 2026

Shopforge B.V. ("we", "us", "our"), trading as Contrarian Analysis, operates the Contrarian Analysis mobile application and web app (the "Service"). This policy explains what personal data we process, why, on what lawful basis, who we share it with, and the rights you can exercise. It is written to meet the standard set by the EU General Data Protection Regulation (GDPR) and the UK GDPR. If you are an EU or UK resident, this policy forms part of your data-processing contract with us.

Data controller: Shopforge B.V., trading as Contrarian Analysis, Oosteinde 6, 1474 MB Oosthuizen, The Netherlands. KvK (Netherlands Chamber of Commerce) 42027447 · VAT NL00541246B85. Reachable at privacy@contrariananalysis.app. A formal data-protection officer has not been appointed; the email address above is monitored for all privacy-related correspondence.

1. Data we collect and why

We categorise data by source and purpose.

1.1 Account data

Email address — used for sign-in, password reset, and security alerts.
Display name — shown publicly in the community (leaderboards, chat, comments).
Profile photo (optional) — shown publicly in the community.
Google account ID and photo (if you sign in with Google) — used only to link the Firebase Auth session; never shared with third parties beyond Google's own Sign-In flow.

1.2 Usage data

Analyses you create, including ticker, free-form thesis text, and the AI-generated report.
Public social activity — comments, chat messages, likes, follows, badges, streaks, XP.
Private activity — watchlist, tracked picks, portfolio, subscriptions, price alerts, quest progress.

1.3 Technical data

Firebase installation ID and FCM push-notification token (only if you opt into notifications).
Hashed IP (SHA-256) — used for rate-limit and abuse-detection keys. The raw IP is never written to durable storage.
Crash logs via Firebase Crashlytics — stack traces and device model, never message contents.

1.4 Payment data

When you subscribe, Stripe (web) or RevenueCat + Apple/Google (mobile) collects and stores your card or in-app-purchase details directly. We only store the resulting subscription ID, tier, and renewal date — never your card number, CVV, or billing address.

2. Lawful basis (GDPR Art. 6)

Each processing activity uses the lawful basis below. You can withdraw consent at any time; where the basis is "contract", withdrawing means terminating the Service.

Processing	Lawful basis
Creating and maintaining your account	Art. 6(1)(b) — contract
Delivering AI analyses, watchlist, alerts, portfolio	Art. 6(1)(b) — contract
Community features (leaderboard, chat, comments, follows)	Art. 6(1)(b) — contract
Push notifications (price alerts, copytrade, digest)	Art. 6(1)(a) — consent (per-device opt-in)
Rate-limiting and abuse prevention	Art. 6(1)(f) — legitimate interest (platform integrity)
Crash reporting and error logs	Art. 6(1)(f) — legitimate interest (quality and security)
Billing and subscription management	Art. 6(1)(b) — contract
Responding to legal requests	Art. 6(1)(c) — legal obligation

3. Data storage and location

Your data is stored in Google Cloud Firestore in the us-central1 region (Iowa, USA). We rely on the European Commission-approved Standard Contractual Clauses (SCCs) incorporated into Google's Cloud Data Processing Addendum as the transfer mechanism for data exported from the EEA / UK. A copy of the applicable DPA is available on request.

Access is governed by Firebase Security Rules: your private subcollection (email, subscription, watchlist, tracked picks, FCM token) is readable only by you and by our Cloud Functions running as Firebase Admin. Public profile data is readable by other signed-in users.

4. Sub-processors we rely on

The providers below process data strictly to deliver the Service. We have executed a Data Processing Addendum with each, either directly or via the parent platform's standard DPA.

Sub-processor	Purpose	Data shared
Google Firebase	Authentication, database, hosting, Cloud Functions, Cloud Messaging, Crashlytics, reCAPTCHA Enterprise	All account and usage data
Anthropic (Claude API)	Generates AI analyses	Ticker, company name, your free-form thesis text; no account identifiers
Stripe	Web subscription payments	Email, Stripe customer ID, your UID for webhook reconciliation
RevenueCat	Mobile subscription entitlement management	App user ID (your UID), purchase receipts forwarded from Apple/Google
Apple App Store / Google Play	Mobile in-app purchases	Handled by the platform — we receive only the validated receipt via RevenueCat
Financial Modeling Prep (FMP)	Stock fundamentals and price data	Ticker symbols only; no user data
Finnhub	Alternative price provider	Ticker symbols only; no user data
Twelve Data	Alternative price provider	Ticker symbols only; no user data
Tiingo	Alternative price provider	Ticker symbols only; no user data
Alpha Vantage	Alternative price provider	Ticker symbols only; no user data
Yahoo Finance (via public endpoints)	Fallback price and quote data	Ticker symbols only; no user data
Clearbit	Public company-logo fetch	Company domain names only; no user data

We do not sell or trade your data. No advertising networks, analytics brokers, or data-broker services are used.

5. Data retention

Active accounts: retained while the account exists.
Account deletion: initiated synchronously when you use the in-app "Delete Account" flow. Firestore documents, Storage files, Auth record, and follower references are removed within seconds. Some billing records may be retained by Stripe or Apple/Google for up to 7 years under local tax law — these are outside our control.
Analyses: kept for up to 1 year; refreshed to 1-year horizon whenever you or another user re-analyses the same ticker within 5 months.
User-info and email-failure logs: 3 days, then auto-deleted via Firestore TTL.
Chat moderation reports: 90 days, to preserve evidence for appeals.
Password-reset audit log: 3 days.
Anonymised aggregate metrics: retained indefinitely. "Anonymised" means no personal identifier, hashed or otherwise, remains.

6. Your rights (GDPR Art. 15–22)

Access (Art. 15): in-app Profile → "Export my data" returns a JSON snapshot of every record we hold about you.
Rectification (Art. 16): Profile → edit display name, photo, and preferences.
Erasure / "Right to be forgotten" (Art. 17): Profile → "Delete Account". Deletion is irreversible.
Restriction (Art. 18): email privacy@contrariananalysis.app.
Portability (Art. 20): the export in § "Access" above is a machine-readable JSON.
Objection (Art. 21): email us if you believe our legitimate interest does not outweigh your rights.
Withdraw consent (Art. 7): disable notifications per-device in OS settings; opt out of email comms via the unsubscribe link in any message we send.
Lodge a complaint: contact your national supervisory authority — a full list is at edpb.europa.eu.

7. Cookies, local storage, tracking

The web Service uses:

Essential cookies / local storage (Firebase Authentication session, UI preferences, consent record) — no opt-in required, strictly necessary to deliver the Service you requested.
Security cookies set by Google reCAPTCHA Enterprise to block bots during sign-up and password reset — legitimate interest; limited purpose.

The web Service does not use advertising cookies, analytics-broker pixels, or cross-site trackers. No ePrivacy consent banner is therefore shown for non-essential trackers because none are loaded — a one-time pre-signup banner still informs you of the essential / security cookies above.

8. Children's privacy (GDPR Art. 8)

You must confirm you are at least 18 years old before creating an account. We do not knowingly process data from anyone under 16 without verifiable parental consent. If you believe a minor has created an account, email us and we will verify and delete it.

9. Data security (GDPR Art. 32)

TLS 1.2+ in transit for every client-to-server and server-to-server call.
Encryption at rest in Google Cloud Firestore and Cloud Storage.
Least-privilege IAM on Cloud Functions; OIDC-based deployment (no long-lived service-account keys).
Rate limits and App Check on high-risk endpoints.
Secrets stored in Google Secret Manager, never in source control.
Security-relevant events logged to an immutable audit collection with 3-day minimum retention.

10. Breach notification (GDPR Art. 33)

If we become aware of a personal-data breach that is likely to result in a risk to you, we will notify the relevant supervisory authority within 72 hours and, where required by law, inform affected users without undue delay.

11. Changes to this policy

When we change this policy materially, we will surface a notice in the app the next time you sign in. The "Last updated" date at the top is authoritative.

12. Contact

Privacy enquiries, erasure requests, or complaints: privacy@contrariananalysis.app.