1. Who We Are
Market Suite is a software-as-a-service platform operated from Ontario, Canada. This Privacy Policy explains how we collect, use, and protect personal information in connection with your use of our service. We are subject to Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable Ontario privacy law.
Questions or requests regarding your personal information can be directed to: [email protected]
2. Information We Collect
| Category | What we collect | Why |
|---|---|---|
| Account information | Username, email address, hashed password | To create and manage your account |
| Billing information | Stripe customer ID, subscription ID, subscription status | To manage your subscription; card data is held by Stripe, not us |
| Journal content | Trade entries, notes, account metadata you input | To provide the journal and AI coaching features |
| Session data | Encrypted session token, IP address (hashed for rate limiting), user-agent string | Authentication, security, and brute-force protection |
| Server logs | Timestamps, request paths, HTTP status codes | Debugging and service reliability |
We do not collect information beyond what is necessary to operate the Service. We do not purchase, license, or source personal data from third parties.
3. How We Use Your Information
- To authenticate you and maintain secure access to your account
- To process subscription billing and manage your subscription lifecycle
- To deliver the Service, including generating AI analysis against your journal entries
- To send transactional emails: account welcome, billing receipts, and password reset links
- To enforce our Terms of Service and protect the integrity of the platform
- To comply with applicable legal obligations
We do not use your information for advertising, behavioural profiling, or sale to third parties.
4. Payment Processing (Stripe)
All payment processing is handled by Stripe, Inc., a third-party payment processor. When you subscribe, you are directed to Stripe's hosted checkout. We never see, transmit, or store your full card number, CVV, or bank details.
We store only your Stripe customer ID and subscription ID, which are used to verify your subscription status and manage cancellations. Stripe's privacy practices are described in the Stripe Privacy Policy.
5. Data Sharing and Disclosure
We do not sell, rent, or trade your personal information. We may disclose information only in the following limited circumstances:
- Service providers: Stripe (payment processing) and the email provider used to send transactional messages (Google Workspace/Gmail SMTP). These providers are contractually bound to handle data only as directed by us.
- Legal requirements: If required by a court order, government authority, or applicable law, we may disclose information to the extent required.
- Business transfer: In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction, subject to equivalent privacy protections.
6. Data Retention
We retain your personal information for as long as your account is active. If you cancel your subscription and your account is subsequently deleted, we will purge your personal information within 90 days, except where we are required to retain it for legal, tax, or accounting obligations.
Server access logs are retained for up to 30 days. Journal entries are deleted when you delete them or when your account is removed.
7. Security
We implement reasonable technical and organizational measures to protect your information, including:
- Passwords stored as bcrypt hashes: we cannot recover your password in plain text
- All data transmitted over TLS (HTTPS)
- Session tokens are cryptographically random and bound to your IP at login
- Access to stored data is restricted to the application process and authorized administrators
No method of storage or transmission is 100% secure. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.
8. Your Rights Under PIPEDA
Under Canada's Personal Information Protection and Electronic Documents Act, you have the right to:
- Access the personal information we hold about you
- Correct inaccurate or incomplete information
- Withdraw consent to the collection or use of your information (which may require closing your account)
- Request deletion of your account and associated personal data
- Lodge a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated
To exercise any of these rights, email us at [email protected]. We will respond within 30 days.
9. Cookies and Sessions
We use a single secure, HTTP-only session cookie to maintain your authenticated session. We do not use tracking cookies, advertising cookies, or any third-party analytics scripts. No cookies are set before you log in.
A CSRF protection cookie is also set alongside the session cookie to protect form submissions. Both cookies are strictly necessary for the Service to function and do not require consent under Canadian privacy law.
10. Children's Privacy
The Service is not directed at individuals under 18 years of age. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal information, please contact us and we will promptly delete it.
11. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of material changes by email to your registered address. The "effective date" at the top of this page indicates when the current version took effect. Your continued use of the Service after changes take effect constitutes acceptance of the revised Policy.
12. Contact
For any privacy-related questions, access requests, or complaints:
You may also contact the Office of the Privacy Commissioner of Canada at priv.gc.ca or 1-800-282-1376.