Privacy Policy

Last updated: May 29, 2026 · Effective: May 29, 2026 · [email protected]

1. Who We Are (Data Controller)

NeverHodl ("NeverHodl™", "we", "us", "our") is a cryptocurrency market cycle intelligence platform operated by Luis Armando Fraga, NIF 110.039.537-78, registered in Spain. Trademark: OEPM M4370276 (Classes 36 and 42).

Website: neverhodl.com · Contact: [email protected] · Supervisory authority: AEPD (Spain)

2. Data We Collect

2.1 Account data (when you sign up)

• Email address — required to create your account
• Display name — optional, chosen by you
• Password — securely hashed (bcrypt), never stored in plaintext
• Language preference and timezone
• Authentication method — email/password or X (Twitter) OAuth

2.2 Optional profile data

• Telegram username — for community alerts (optional)
• X/Twitter handle — for social share verification (optional)
• Avatar emoji — chosen from a predefined set

2.3 Payment data

• Stripe customer ID — links your account to your Stripe subscription. We do NOT store credit card numbers, CVV, or full payment details. All payment processing is handled by Stripe (PCI DSS Level 1 certified).
• Subscription status — tier, billing period, cancellation state

2.4 Usage data (collected automatically)

• API usage logs — endpoint, response time, IP address (hashed for analytics). Retained 90 days.
• Login activity — timestamps, login streak. No passwords are logged.
• Audit log — security events (tier changes, admin actions). Retained 2 years for compliance.
• Analytics — if you consent, Google Analytics 4 with IP anonymisation. No personal identifiers.

2.5 Community data

• Chat messages — content you post in community channels. Soft-deleted messages are purged after 90 days.
• Push notification tokens — device tokens for sending phase alerts (if enabled).

2.6 What we do NOT collect

• Credit card numbers or payment details (Stripe handles this)
• Government IDs or identity documents
• Precise geolocation
• Phone numbers or physical addresses
• Wallet addresses or on-chain transaction data

3. How We Use Your Data

• Provide the service: display your dashboard, NHCI scores, cycle history, and AI analysis
• Account management: authentication, subscription management, profile settings
• Notifications: phase change alerts, daily briefings, payment alerts (based on your preferences)
• Marketing emails: NHCI updates, educational content (only with your opt-in consent)
• Security: rate limiting, fraud prevention, audit logging
• Analytics: anonymised, pseudonymised usage statistics to improve the product

4. Legal Basis (GDPR Art. 6)

• Contract (Art. 6.1.b) — processing necessary to provide the service you signed up for
• Consent (Art. 6.1.a) — marketing emails, analytics cookies, push notifications. Withdrawable at any time.
• Legitimate interest (Art. 6.1.f) — security logging, fraud prevention, service improvement
• Legal obligation (Art. 6.1.c) — audit logs for compliance, tax-related subscription records

5. Notification Preferences

You have granular control over every notification channel. Manage preferences in your profile settings:

Channel	Default	Type
Marketing emails (NHCI updates, insights)	Off	Opt-in required
Product emails (welcome, payment, subscription)	On	Transactional
Push notifications (phase changes, score alerts)	On	Consent via device permission
Telegram alerts (daily briefing)	Off	Opt-in required

You can unsubscribe from marketing emails instantly via the one-click unsubscribe link in every email (RFC 8058 compliant).

6. Cookies

• Strictly necessary: language preference, cookie consent state, authentication tokens. Cannot be disabled.
• Analytics (optional): Google Analytics 4 with IP anonymisation. Only placed after your explicit consent via the cookie banner.
• No advertising or tracking cookies are used.

7. Data Sharing

We use the following sub-processors:

Provider	Purpose	Data processed
Supabase	Database, authentication	Account data, encrypted at rest
Stripe	Payment processing	Payment method, billing info
Resend	Email delivery	Email address, email content
Vercel	Hosting, serverless functions	Server logs, IP addresses
Upstash	Rate limiting (Redis)	IP hashes (no PII)
Firebase	Push notifications	Device tokens
Google Analytics 4	Anonymised analytics	Page views, sessions (consent-gated)

8. Data Retention

Data type	Retention
Account profile	Until you delete your account
API usage logs	90 days
Activity logs	1 year
Audit logs (compliance)	2 years (anonymised on account deletion)
Points ledger	2 years
Deleted chat messages	90 days after deletion
Analytics (GA4)	14 months (Google default)
Expired admin sessions	24 hours

Automated data cleanup runs weekly to enforce these retention periods.

9. Data Security (Art. 32)

We implement technical and organisational measures to protect your data:

• Encryption at rest: sensitive personal data (email, social handles, payment identifiers) is encrypted using AES-256 via PostgreSQL pgcrypto with keys stored in Supabase Vault
• Pseudonymisation: analytics data uses HMAC-SHA256 pseudonymous identifiers. IP addresses are hashed with monthly rotation salt.
• Transport security: HTTPS everywhere with HSTS preload (max-age 2 years), TLS 1.3
• Access control: Row Level Security (RLS) on all database tables. Admin access requires triple-factor authentication (password + email code + TOTP).
• Brute-force protection: account lockout after 5 failed attempts (30-minute cooldown), rate limiting on all endpoints
• Subresource Integrity: SHA-384 hashes on all external CDN scripts
• Content Security Policy: restricts script sources, prevents clickjacking (X-Frame-Options: DENY)
• Dependency security: regular npm vulnerability audits, zero known CVEs
• No PII in logs: server logs never contain email addresses or personal identifiers

In the event of a data breach affecting your personal data, we will notify you within 72 hours as required by GDPR Art. 33/34.

10. Your Rights

Under GDPR (EU 2016/679), LOPDGDD (Spain), and LGPD (Brazil), you have the following rights:

• Access (Art. 15): view all data we hold about you in your profile
• Portability (Art. 20): download all your data as JSON from Profile → Account → "Download my data"
• Rectification (Art. 16): update your data in your profile settings at any time
• Erasure (Art. 17): permanently delete your account and all data from Profile → Account → "Delete account"
• Restriction (Art. 18): request that we limit processing — contact us
• Objection (Art. 21): unsubscribe from marketing emails via one-click link or profile toggle
• Withdraw consent: disable any notification channel in your profile at any time

Most rights can be exercised directly from your profile page without contacting us. For requests that require manual processing, email [email protected] — we respond within 30 days (GDPR Art. 12.3).

You also have the right to lodge a complaint with the AEPD (Agencia Espanola de Proteccion de Datos) at aepd.es.

11. International Transfers

Your data may be processed in the EU and the United States by our sub-processors. Transfers outside the EU/EEA are covered by Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework as required by GDPR Chapter V.

12. Children

NeverHodl is not directed at children under 16. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a child, contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated via a notice on the website. The "Last updated" date at the top indicates when the policy was last revised.

14. Disclaimer

NeverHodl is a market data and educational intelligence platform. Nothing on this website constitutes financial advice, investment advice, or a recommendation to buy or sell any asset. All investment decisions are the sole responsibility of the user. Crypto assets are highly volatile and can lose all their value.