Privacy Policy
Last Updated: July 4, 2026
1. Introduction
MacroPulse ("we", "us", or "our") operates the MacroPulse website, application, API, and related services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use our Services.
This Privacy Policy is published in accordance with the Personal Information Protection Act of the Republic of Korea (개인정보 보호법, "PIPA"), the European Union General Data Protection Regulation ("GDPR"), and the California Consumer Privacy Act ("CCPA"), where applicable to our operations.
By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described herein, you must not use the Services.
2. Information We Collect
2.1 Account Information. When you register, we collect:
- Your email address (used as your account identifier and for communication)
- A bcrypt-hashed password (plaintext passwords are never stored)
- Your preferred language (English, Korean, or Japanese)
- Your subscription tier (Trial, Explorer, Insider, or Pro)
If you register via Google Single Sign-On, we also receive from Google:
- Your Google subject identifier
- Your name as shown on your Google profile
- Your Google profile picture URL
2.2 Usage and Activity Data. When you interact with the Services, we log:
- IP addresses (for security, audit, and rate-limiting purposes)
- Login timestamps and authentication events
- API request metadata (method, path, status code, timestamp) for audit trails
- Session identifiers
2.3 Email Communication Data. We retain records of emails sent to and from you:
- Outbound email logs (recipient addresses, subject lines, send status, timestamps)
- Inbound email content (when you reply to our emails, we store the sender email, subject, body text, and headers)
- Contact form submissions (your email, name, message, and category)
- Pro-tier email distribution lists (client email addresses you add for report distribution)
2.4 Payment Information. For paid subscriptions, we store:
- PayPal subscription identifiers and payer identifiers
- PayPal account email address
- Billing period dates and payment amounts
- Billing event records (subscription activation, payment completion, cancellation)
We do NOT collect, store, or process credit card numbers, CVVs, or bank account details. All payment instrument storage is handled by PayPal, our payment processor. We never receive or store your full card information.
2.5 Economic and Market Data. The Services collect, process, and display publicly available economic and financial data from third-party sources (Federal Reserve, Bank of Korea, ECB, and others). This data is not personal information and is not linked to your identity.
3. How We Use Your Information
We use your personal information for the following purposes:
- Service delivery: Creating and managing your account, authenticating your identity, and providing access to the Services
- Communication: Sending daily market reports, trial expiration reminders, and service notifications
- Billing: Processing subscription payments, managing billing cycles, and handling cancellations
- Security: Monitoring for unauthorized access, detecting fraud, rate-limiting, and maintaining audit trails
- Support: Responding to your inquiries and providing customer service
- Improvement: Analyzing usage patterns to improve the Services, fix bugs, and develop new features
- Legal compliance: Fulfilling legal obligations and protecting our rights
4. Legal Basis for Processing (GDPR)
For users in the European Economic Area, we process your personal data under the following legal bases:
- Contractual necessity: Processing your account information and payment data to fulfill our service agreement with you
- Legitimate interests: Logging security and audit data to protect the Service, and using usage data to improve the Service
- Consent: Sending you email communications (you can withdraw consent at any time via the unsubscribe link in any email)
5. Cookies and Local Storage
5.1 Authentication Cookie. The Services use a single first-party cookie, mmti_refresh_token, to maintain your login session. This cookie contains only a JWT refresh token (not your access token or password). The cookie expires after 7 days, or 30 days if you select "Remember me" at login.
5.2 Session State. Your access token and user profile are stored in server-side session memory (Streamlit session state) that is cleared when you close your browser tab. This data is not persisted in cookies or local storage.
5.3 No Tracking Cookies. We do not use Google Analytics, advertising cookies, tracking pixels, or third-party tracking scripts. The only cookie we set is the authentication cookie described above.
6. Third-Party Service Providers
Your data is processed by the following third-party providers. Each entry lists the provider, the purpose, and the data involved:
- PayPal — Payment processing — Subscription ID, payer email, billing events
- Resend — Email delivery — Recipient email, subject, email body
- DigitalOcean — Cloud hosting — All application data (hosted on DO Managed PostgreSQL in NYC2)
- Google — Optional SSO — Your Google ID, email, name, profile picture (only if you use Google login)
- Ollama Cloud / OpenCodeGo — AI sentiment analysis — Market news text for sentiment scoring (no personal data sent)
- FRED, BOK, ECB, Shiller — Economic data sources — No personal data is sent to these providers
We do not sell, rent, or share your personal information with any other third parties for marketing or advertising purposes.
7. Data Security
We implement the following security measures to protect your personal information:
- Password hashing: All passwords are hashed using bcrypt before storage
- Token hashing: Refresh tokens are stored as HMAC-SHA256 hashes, never as plaintext
- Encryption at rest: Sensitive API keys are encrypted using Fernet (AES-128-CBC)
- Encryption in transit: All connections use TLS 1.2/1.3 via Let's Encrypt certificates; HSTS is enforced
- Database security: PostgreSQL connections require SSL; managed by DigitalOcean with network-level isolation
- Encrypted backups: Database backups are encrypted with AES-256-CBC; stored on a separate encrypted volume
- Security headers: Content Security Policy (CSP), X-Frame-Options, X-Content-Type-Options, and other security headers are enforced
- Rate limiting: API endpoints are rate-limited to prevent abuse
- Login throttling: Repeated failed login attempts trigger temporary account lockout
Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security of your data.
8. Data Retention
- Active accounts: Your personal information is retained for as long as your account is active
- Encrypted backups: Database backups are retained for 3 days, then automatically deleted
- Authentication tokens: Expired refresh tokens and password reset codes are periodically cleaned up
- Audit logs: Activity logs and audit trails are retained for the operational lifetime of the Service for security and compliance purposes
- Account deletion: You may request deletion of your account at any time by contacting support@app.macropulses.com. Upon deletion, your user record, subscriptions, and email distribution lists are permanently removed. Activity log entries referencing your account are anonymized (user ID set to null) to preserve audit integrity
9. Your Privacy Rights
9.1 Under PIPA (Korea). You have the right to:
- Request access to your personal information
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Withdraw consent for processing at any time
9.2 Under GDPR (EU). You have the right to:
- Access your personal data (Article 15)
- Rectify inaccurate personal data (Article 16)
- Erase your personal data ("right to be forgotten", Article 17)
- Restrict processing (Article 18)
- Receive your personal data in a portable format (data portability, Article 20)
- Object to processing (Article 21)
- Withdraw consent at any time (Article 7)
9.3 Under CCPA (California). You have the right to:
- Know what personal information is collected about you
- Request deletion of your personal information
- Opt out of the sale of personal information (we do not sell your data)
- Not be discriminated against for exercising your privacy rights
9.4 Exercising Your Rights. To exercise any of these rights, contact us at support@app.macropulses.com. We will respond to your request within 30 days. If we refuse to act on your request, we will inform you of the reasons and your right to lodge a complaint with the relevant supervisory authority.
10. Children's Privacy
The Services are not directed to children under the age of 13 (under COPPA, US) or 16 (under GDPR, EU). We do not knowingly collect personal information from children. If you believe we have inadvertently collected personal information from a child, please contact us at support@app.macropulses.com and we will promptly delete such information.
11. International Data Transfers
Your personal information is hosted on DigitalOcean infrastructure in New York City, USA (NYC2 region). If you access the Services from the Republic of Korea, the European Union, or other jurisdictions outside the United States, your data will be transferred to and processed in the United States.
For users in the Republic of Korea, this Privacy Policy is published in accordance with PIPA, and MacroPulse complies with cross-border data transfer requirements under PIPA Article 28. For users in the European Union, we rely on Standard Contractual Clauses or other lawful transfer mechanisms as appropriate.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and, where appropriate, sending a notification to your registered email address. The "Last Updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Services after any change constitutes acceptance of the updated policy.
13. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or your personal information, please contact us:
- Email: support@app.macropulses.com
- Postal: Available upon request
We are committed to resolving any privacy-related concerns promptly and transparently.