
Privacy Policy
Effective: July 10, 2026 · Prepared with Thailand’s PDPA (B.E. 2562) in mind
1. Data We Collect
- Account — email, display name, one-way-hashed password (bcrypt). With Google sign-in we receive your Google email and name.
- Usage — practice sessions, simulated trades, journal entries, chart snapshots, preferences, computed statistics.
- Payments — processed entirely by Lemon Squeezy (our merchant of record); we store only your plan status and subscription reference. We never store card numbers.
- Technical — server logs (IP, timestamps) for security and troubleshooting.
2. Purposes & Legal Bases
- Contract — operating your account, storing practice results, billing.
- Legitimate interest — security, abuse prevention, service improvement.
- Consent — marketing communication (if any), withdrawable at any time.
3. Sharing
We never sell personal data. We share only what is necessary with: Google (sign-in), Lemon Squeezy (payments, invoices and subscription management as merchant of record), infrastructure providers (hosting/database) and error tracking (e.g. Sentry), and authorities where legally required.
4. Cookies & Browser Storage
We use localStorage for your sign-in token and preferences (language, drawing tools). No advertising trackers. If product analytics (e.g. PostHog) is enabled, it only runs after you click "Allow" in the consent banner, and is used to improve the product — never for advertising or selling data.
5. Retention
Data is kept for the life of your account. On deletion, personal and practice data are removed, except records we must keep by law (e.g. accounting).
6. Your Rights (PDPA)
You may request access/copies, correction, deletion or restriction, object to processing, request portability, withdraw consent, and lodge complaints with Thailand’s PDPC. Contact us below; we respond within 30 days. You can also delete your account and all data instantly yourself from Account settings.
EU/UK and California users: we honour equivalent rights under GDPR/UK GDPR (access, rectification, erasure, restriction, portability, objection, and complaint to your local supervisory authority) and CCPA/CPRA (right to know, delete, correct and opt out — we do not sell or share your personal information) through the same contact below.
7. Security
Passwords are bcrypt-hashed, every request is authorised server-side per account, production traffic uses HTTPS, and the database is backed up regularly.
8. Controller & Contact
The A-Backtest operator is the data controller. Contact: ai2.techlegend@gmail.com
9. Changes
Material changes will be announced by email or in-app notice before taking effect.