Privacy policy

Last updated: 16 May 2026 · Effective: 16 May 2026

1. Who we are

For the purposes of South Africa's Protection of Personal Information Act, 2013 (POPIA), and the EU General Data Protection Regulation (GDPR) where it applies to you, the responsible party / data controller is Mind Money Movement (Pty) Ltd, a South African private company (registration number 2024/350331/07). You can reach our information officer at legal@signalcartel.trade.

2. What data we collect

2.1 Account data (you give us)

• Email address — used to sign in, send confirmation and password-reset links, and (where you have an active subscription) operational notices about your account.
• Password — stored in encrypted/hashed form by our authentication provider (Supabase Auth). We never see or store your plain-text password.
• Telegram username (optional) — if you choose to enter it on your /account page so we can reference you in support conversations.

2.2 Subscription & payment data (we receive from PayPal)

• PayPal subscription ID and subscription status (pending, active, cancelled, expired, past due), period start/end dates, currency, and the plan you signed up for. We use these to grant and revoke access to the Service.
• Webhook event history from PayPal — for audit, dispute resolution, and reconciliation.
• We do NOT receive or store your full credit-card number, CVV, bank details, or PayPal password. All card data is held by PayPal and handled per their privacy policy.

2.3 Telegram identifier (collected on first channel join)

• Telegram user ID (a numeric identifier) — captured by our Telegram bot (@SignalCartelTradeBot) when you accept your invite link and join a paid channel. We use this to revoke channel access when your subscription ends, and to re-issue invites if you lose them.
• Your Telegram first name and username (if your Telegram privacy settings make them visible) may also be retained in operational logs.

2.4 Usage and server logs (collected automatically)

• IP address, browser user-agent, and timestamps of requests — kept by our hosting provider (Vercel) for typical web-server log retention windows. Used for security, anti-abuse, and performance monitoring.
• Authentication session cookies — strictly necessary to keep you signed in. No cross-site tracking, no advertising cookies, no third-party analytics scripts at this time.

3. How we use your data (lawful bases)

Under POPIA and GDPR, we process your data on the following bases:

• Performance of a contract — to give you the Service you signed up for: authenticate you, process subscriptions, send invite links, grant and revoke channel access, and respond to support requests.
• Legitimate interests — to operate, secure, and improve the Service; to detect and prevent fraud or abuse; to keep audit records of webhook events for dispute resolution.
• Legal obligation — to retain financial records as required by South African tax law (currently 5 years), and to respond to lawful requests from authorities.
• Consent — for any optional processing where consent is the applicable basis. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

4. Who we share data with (sub-processors)

We use a small number of carefully selected service providers to operate the Service. Each is bound by data-processing terms that match or exceed what we promise you here.

• Supabase (Supabase Inc., USA) — database, authentication, and storage. Your account, subscription, and channel-membership records live here.
• Vercel (Vercel Inc., USA) — hosting of the website and serverless functions. Receives request metadata (IP, user-agent, headers) and forwards requests to our application.
• PayPal(PayPal Pte. Ltd. and affiliates) — payment processing. Subscribers' payment data is collected, processed, and stored by PayPal.
• Telegram (Telegram FZ-LLC, UAE) — messaging platform for signal delivery. Your Telegram identifier and channel-membership status are visible to Telegram per their terms.
• Cloudflare (Cloudflare, Inc., USA) — DNS, edge routing, and tunnel infrastructure between our trading bots and the website. Receives request metadata in transit.
• GitHub (GitHub, Inc., USA) — source-code hosting (no subscriber data).

We do not sell your personal data to anyone, and we do not share it with third parties for their own marketing.

5. International transfers

Several of our sub-processors are located outside South Africa or the EEA. By using the Service you understand and agree that your personal data may be transferred to and processed in jurisdictions whose data-protection laws may differ from your own. Where required, we rely on appropriate safeguards (such as standard contractual clauses or provider-side adequacy programmes) to protect cross-border transfers.

6. Data retention

• Active account data: for as long as your account exists. Closed accounts are retained for up to 12 months after closure to handle disputes and backups, then deleted or anonymised.
• Payment and subscription records: retained for at least 5 years to comply with South African tax recordkeeping requirements.
• Telegram identifiers and invite history: retained for the lifetime of the related subscription plus 30 days, then deleted.
• Server logs: retained per the hosting provider's default rolling retention window (typically 30–90 days).

7. Your rights

Subject to applicable law (POPIA, GDPR, and similar regimes), you have the right to:

• Access the personal data we hold about you and obtain a copy;
• Rectify data that is inaccurate, incomplete, or out of date;
• Delete your account and personal data, subject to legal retention requirements (e.g., tax records);
• Restrict or object to certain processing;
• Data portability — receive your data in a structured, commonly used, machine-readable format;
• Withdraw consent where processing is based on consent;
• Lodge a complaint with the Information Regulator (South Africa) at inforegulator.org.za or the equivalent supervisory authority in your country.

To exercise any of these rights, email legal@signalcartel.tradefrom the address on your account. We'll respond within 30 days (or sooner where the law requires it).

8. Children

The Service is not intended for individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it.

9. Security

We use industry-standard safeguards including TLS encryption in transit, encrypted at-rest storage at our database provider, row-level security policies that prevent users from accessing other users' data, and access controls limiting who on our side can view production data. No system is perfectly secure; if we become aware of a breach affecting your personal data, we will notify you and the Information Regulator as required by POPIA.

10. Cookies and tracking

We use a minimal set of cookies needed to keep you signed in (the authentication session cookie from Supabase Auth). We do not use third-party advertising cookies, third-party analytics cookies (such as Google Analytics or Meta pixel), or cross-site tracking technologies. We may add a privacy-respecting analytics tool in the future, in which case this policy will be updated and material changes will be notified to active subscribers by email.

11. Changes to this policy

We may update this Privacy Policy from time to time. The updated version will be posted on this page with a new “Last updated” date. For material changes, we will notify active subscribers by email at least seven (7) days before the change takes effect.

12. Contact

Questions, access requests, or complaints about this Privacy Policy can be sent to our information officer at legal@signalcartel.trade.

This document is a starting draft and has not yet been reviewed by qualified counsel. Mind Money Movement (Pty) Ltd intends to engage legal counsel to review and finalise this Privacy Policy (particularly its POPIA and GDPR alignment) before public launch.