Privacy Policy
Effective date: May 25, 2026
Last updated: May 25, 2026 (Wave 13-D — picks-as-state + HMAC signing + user context memory)
Operator: TIMxAI LLC, a Pennsylvania limited liability company ("TIMxAI", "we", "us", "our")
Privacy contact: privacy@tickin.io
This Privacy Policy explains what we collect about you, how we use it, who we share it with, and what rights you have. It applies to your use of the Tickin application and any related websites, APIs, and services we provide (the "Service"). By using the Service, you agree to the practices described here. If you do not agree, do not use the Service.
The Service is offered only to users in the United States. We do not knowingly accept users in the European Union or the United Kingdom, and we restrict access from those regions at the edge of our network.
1. The short version, friend-to-friend
- We collect what we need to log you in, run the product, keep it secure, and bill you if you pay.
- We do not sell your personal information, run ad trackers, or share your data with marketing partners.
- We are not connected to any brokerage. We cannot see your trades, your balances, or your bank. We never ask for your SSN.
- Every advisor response is HMAC-signed server-side so you (or anyone) can independently verify the text was not tampered with after it left us.
- You can delete your account or export your data at any time from /settings or by emailing privacy@tickin.io.
The rest of this policy is the detail.
2. What we collect
2.1 Information you provide
- Account email. To sign you in via magic link and send service emails.
- Federated sign-in identifiers. If you sign in with Google or Apple, we receive a stable opaque identifier and your email. We never see your provider password.
- Watchlist symbols. Tickers you save to your watchlist, kept per-account.
- Simulator configurations. Paper-trading-style positions you simulate (entry, target, stop, notes). These are never executed in any real market.
- Chat history. Messages you send to Tickin's chat and the responses generated for you. Chat history is automatically cleared on a 24-hour rolling window. Anything you want to keep, save it to Notes.
- User context memory (DCG Phase 3). Long-term preferences the chat remembers across sessions (e.g., your default horizon, sectors you watch, voice tone). You can review and delete every memory item at /settings/memory.
- Notes. Snippets you explicitly save from chat, retained until you delete them or your account.
- Support correspondence. Emails to privacy@tickin.io or legal@tickin.io.
- Payment information (paid tier only). Handled by Stripe. We never store your full card number, expiry, or CVV. We receive only a customer ID, plan, last-four digits, expiry, and billing status from Stripe.
2.2 Information we collect automatically
- Authentication metadata. IP address, user-agent, timestamp, and provider on each login. Used for security and abuse prevention.
- Device and session signals. Browser type, OS, screen size, locale, approximate region from IP — used to render the product and detect anomalous access.
- Minimal product analytics. Aggregate events about which features you use and error reports, used to debug and improve the Service. We do not run third-party advertising trackers. We do not sell this data and we do not combine it with ad profiles.
- Server logs. Request, error, and audit logs, retained on a rolling basis for security and operations.
2.3 Information we do not collect
- No brokerage credentials, brokerage balances, or brokerage positions. Tickin is not connected to any broker.
- No bank account numbers, routing numbers, or ACH credentials.
- No Social Security numbers, government IDs, or tax IDs.
- No biometric data, no health data, no sensitive categories under U.S. state privacy laws.
- No real-time trade orders (we don't place any).
2.4 Cookies and similar technologies
We use only the minimum cookies required to operate the Service:
- Session and authentication cookies set by Supabase so you stay signed in.
- Anti-CSRF tokens and short-lived security cookies.
- First-party analytics signals to count page views and detect errors. No third-party advertising cookies. No cross-site tracking.
You can clear cookies in your browser at any time; doing so will sign you out.
3. How we use what we collect
We use the information above to:
- Provide the Service — authenticate you, generate picks, render the chat, save your watchlist, deliver subscriptions.
- Bill paid tiers — process payments via Stripe, send receipts, manage cancellations and refunds.
- Secure the Service — detect and prevent fraud, abuse, scraping, brute-force login attempts; investigate incidents.
- Debug and improve — diagnose errors, prioritize fixes, measure feature adoption in aggregate.
- Communicate with you — transactional emails (magic links, receipts, security alerts, material policy changes). No marketing email without an explicit opt-in.
- Comply with law — respond to lawful requests, enforce our Terms of Service, and protect our rights and users.
We do not use your chat, watchlist, simulator configurations, or memory items to train third-party AI models. The third-party model providers we use (see Section 5) are bound by data-processing agreements that prohibit training on your content.
4. Tamper-evident advisor outputs (HMAC signing)
Every response Tickin's advisor generates is signed server-side with HMAC-SHA256 before it is shown to you. The signature, the response hash, and a version tag are recorded in our advisor_outputs_signed ledger.
What this means for you:
- You (or a journalist, or an auditor) can independently confirm a Tickin response is byte-for-byte the text Tickin produced. The verifier is public, rate-limited, and the signing key is never echoed in any response.
- If anyone screenshots a Tickin response and edits the text, the signature stops verifying.
- The signing key is held only by our server and is never sent to your browser.
Full runbook for the verifier: sigverify-runbook.md in our public docs. See /about for a plain-English explainer.
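As an added illustration (not Tickin's own code or verifier), the sketch below models the ledger record described above: a response hash, an HMAC-SHA256 signature over the version tag and hash, and a version tag. The message layout, the function names, the constructed key, and the sample response text are all assumptions for the example; the key stays server-side and never appears in the record.

```python
import hashlib
import hmac
import secrets

# Constructed key for this example only. In production the key lives on the
# server (e.g., a secrets manager) and is never sent to the browser.
SERVER_SIGNING_KEY = secrets.token_bytes(32)
VERSION_TAG = "v1"  # assumed value; the page names a version tag, not its format


def canonical_message(version: str, response_hash: str) -> bytes:
    """Bind the version tag to the hash so a record cannot be re-labelled
    under another scheme version without invalidating the signature (assumed layout)."""
    return f"{version}\n{response_hash}".encode("utf-8")


def sign_response(text: str, key: bytes = SERVER_SIGNING_KEY) -> dict:
    """Server-side: build the ledger record for one advisor response.
    The record carries hash, signature and version tag, never the key."""
    response_hash = hashlib.sha256(text.encode("utf-8")).hexdigest()
    signature = hmac.new(key, canonical_message(VERSION_TAG, response_hash),
                         hashlib.sha256).hexdigest()
    return {"version": VERSION_TAG, "response_hash": response_hash, "signature": signature}


def verify_response(text: str, record: dict, key: bytes = SERVER_SIGNING_KEY) -> bool:
    """Server-side verifier: recompute the hash of the presented text, then check
    the HMAC with a constant-time comparison. Any edit to the text, a swapped
    hash, or a changed version tag makes this return False."""
    presented_hash = hashlib.sha256(text.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented_hash, record.get("response_hash", "")):
        return False
    expected = hmac.new(key, canonical_message(record.get("version", ""), presented_hash),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record.get("signature", ""))


if __name__ == "__main__":
    original = "AAPL: thesis intact; watch the 50-day moving average."  # constructed sample
    record = sign_response(original)
    print(verify_response(original, record))                  # True
    print(verify_response(original + " Buy now!", record))    # False: text was edited
```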
5. Service providers (processors and sub-processors)
We rely on the following service providers. Each is bound by a data-processing agreement requiring them to handle your information only on our instructions and to keep it secure.
| Provider | Role | Data handled |
|---|---|---|
| Supabase, Inc. | Authentication, database, storage, edge functions | Email, federated IDs, account data, watchlists, picks, chat history, sessions |
| Vercel, Inc. | Hosting, edge compute, CDN | Request logs, IP addresses, device metadata |
| Anthropic, PBC | Large-language-model provider for the chat and specialists | Chat prompts and responses (no training) |
| OpenAI, L.L.C. | Embeddings provider | Pseudonymized text snippets used to compute embeddings |
| Stripe, Inc. | Payment processor (paid tier) | Billing identifiers, payment method status, transaction records |
| PostHog, Inc. | Product analytics (first-party, no ad tracking) | Aggregated usage events, anonymized device identifiers |
| Massive Stocks Advanced | Market data provider (prices, fundamentals, reference data) | No personal data sent. We send ticker queries only. |
Massive Stocks Advanced is declared because it is the upstream source of the prices, fundamentals, and reference data shown on Tickin. They receive ticker queries from our server — not your identity.
We may update this list. Material changes are announced under Section 12.
We do not sell or rent your information. We do not share it with advertisers, data brokers, or marketing platforms.
We may disclose information when we believe in good faith that disclosure is required to (a) comply with a valid legal request, (b) protect the safety of users or the public, (c) investigate fraud or security issues, or (d) enforce our Terms of Service.
6. Your rights
You may at any time:
- Access the personal information we hold about you.
- Correct information that is inaccurate.
- Export your account data in a portable format — visit /settings or the /api/account/export endpoint.
- Delete your account and the personal information tied to it — visit /settings or the /api/account/delete endpoint. Subject to the retention exceptions in Section 9.
- Delete user context memory items — visit /settings/memory to review and remove each remembered item individually.
- Opt out of any future marketing emails.
To exercise any right, email privacy@tickin.io from the address on your account. We respond within thirty (30) days. We may need to verify your identity.
6.1 California residents (CCPA / CPRA)
If you are a California resident, you have the rights above plus the right to know the categories of personal information collected, the sources, the business purposes, and the categories of recipients, as detailed in Sections 2, 3, and 5.
We do not "sell" your personal information as that term is defined under the CCPA, and we do not "share" your personal information for cross-context behavioral advertising. You may nonetheless submit a "Do Not Sell or Share My Personal Information" request to privacy@tickin.io; we will confirm no sale or share occurs.
6.2 Other U.S. state residents
If you live in a U.S. state with a comprehensive privacy law (Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted), you have similar rights. Submit requests to privacy@tickin.io. You may appeal a denied request by replying to our response.
6.3 Children's privacy (COPPA)
The Service is not directed to children under 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have, we delete it promptly. Parents or guardians who believe their child has provided information should contact privacy@tickin.io.
6.4 Geographic scope — EU/UK
The Service is not available in the EU or the UK. We restrict access from those regions at the edge of our network and do not target users there.
7. Security
Our practices include:
- TLS in transit on all connections.
- Encryption at rest for primary databases.
- Row-level security (RLS) so one account cannot read another account's data.
- Password-less authentication (email magic link or federated sign-in).
- Least-privilege access to production systems.
- HMAC-signed advisor outputs with a tamper-evidence verifier.
- Logging and alerting on authentication anomalies and suspicious activity.
- Vendor due diligence on all processors.
No system is perfectly secure. You are responsible for keeping access to your email account safe, since possession of that inbox is what authenticates you.
8. Breach notification
If we determine an incident has resulted in unauthorized acquisition, access, or use of your personal information, we will:
- Notify affected users within seventy-two (72) hours of confirming the incident, at the email on the account.
- Describe what happened, the categories of information involved, and the steps we are taking.
- Notify any state attorney general or other regulator as required.
- Recommend steps you can take to protect yourself.
If you have evidence of a security incident, contact privacy@tickin.io immediately.
9. Data retention
- Active accounts. Retained for as long as your account is active.
- Deleted accounts. Soft-deleted then permanently purged within ninety (90) days, subject to legal holds for fraud or security and longer holds for billing records required by tax laws (typically up to seven (7) years for invoices).
- Chat history. Auto-purged on a 24-hour rolling window. The scheduled job runs hourly.
- Notes and memory items. Persist until you delete them individually or delete your account.
- Picks ledger. The picks and pick_events tables (which back the History tab) keep specialist track records indefinitely so accountability survives. These rows are not personally identifying — they reference symbols, theses, and timestamps, not you.
- Server logs. Rolling basis (typically 90 days hot, up to 1 year archived) for security and operations, then purged.
10. International transfers
The Service and its processors are located in the United States. Information is processed and stored in the United States. We do not offer the Service outside the United States.
11. Do Not Track
Some browsers send a "Do Not Track" or Global Privacy Control signal. Because we do not engage in cross-site tracking or sell personal information, these signals do not change how we process your data — we already behave as if they were set.
12. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be announced via email to your account address and posted in the Service at least thirty (30) days before they take effect. Your continued use after the effective date constitutes acceptance. If you do not agree, stop using the Service and request deletion.
13. Contact
Privacy questions, requests, or complaints: privacy@tickin.io
General inquiries: legal@tickin.io
TIMxAI LLC (Pennsylvania, U.S.A.)
Last updated 2026-05-25.