<div class="doc-header">
<span class="tag">Legal</span>
<h1>Privacy Policy</h1>
<p class="meta">Effective date: May 14, 2026 · Sharkly · GDPR compliant</p>
</div>
<div class="callout">
<p>We don't sell your data. Ever. This policy explains exactly what we collect, why, and how you can delete it.</p>
</div>
<h2>1. Introduction</h2>
<p>Sharkly is a <strong>data analytics and research</strong> product. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Sharkly service, in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.</p>
<p><strong>Data Controller:</strong> Sharkly · <a href="mailto:legal@sharkly.com" style="color:#8675D4">legal@sharkly.com</a></p>
<h2>2. Data We Collect</h2>
<h3>2.1 Account Data (Google OAuth or email)</h3>
<p>When you sign in with Google, we receive: your full name, email address, profile picture URL, and a unique Google account identifier. We do NOT receive your Google password or access to Gmail, Drive, or any other Google data.</p>
<p>When you create an account with email and password, we store your email address and name (if you provide one). Your password is stored only as a one-way cryptographic hash — we never store your password in plain text.</p>
<h3>2.2 Usage Data</h3>
<p>We collect: timestamps and results of research runs you perform, the market questions extracted from your screenshots, AI-generated analytical outputs associated with your account, your credit balance and transaction history, and standard web server logs (browser type, IP address, device information).</p>
<h3>2.3 Payment Data</h3>
<p>Payment data is processed exclusively by Stripe, Inc. Sharkly does not store, see, or have access to your full card number or payment credentials. We receive only a transaction confirmation and billing summary from Stripe.</p>
<h3>2.4 Uploaded Screenshots</h3>
<p>Screenshots you upload are processed in real time to extract market information. Screenshots are <strong>not permanently stored</strong> on our servers after processing is complete. They are transmitted to our AI processing pipeline and discarded within seconds of analysis completion.</p>
<h2>3. How We Use Your Data</h2>
<ul>
<li>To create and manage your account</li>
<li>To provide the Service, including processing your scans and delivering results</li>
<li>To manage your credit balance and process payments</li>
<li>To improve our AI models and service quality (using anonymised, aggregated data only)</li>
<li>To send you important service communications (account changes, policy updates)</li>
<li>To detect and prevent fraud, abuse, and security incidents</li>
<li>To comply with legal obligations</li>
</ul>
<p>We do <strong>not</strong> use your data for selling to third parties, targeted advertising, or training third-party AI models with your identifiable data.</p>
<h2>4. Legal Basis for Processing (GDPR)</h2>
<ul>
<li><strong>Contract performance:</strong> processing necessary to provide the Service you signed up for</li>
<li><strong>Legitimate interests:</strong> fraud prevention, security, and service improvement</li>
<li><strong>Legal obligation:</strong> compliance with applicable laws</li>
<li><strong>Consent:</strong> where you have explicitly opted in (e.g., marketing emails)</li>
</ul>
<h2>5. Data Retention</h2>
<ul>
<li>Account data (name, email): retained for the lifetime of your account</li>
<li>Scan history and diagnostic outputs: retained for 24 months, then automatically deleted</li>
<li>Payment records: retained for 7 years as required by French accounting law</li>
<li>Web server logs: retained for 30 days</li>
</ul>
<p>When you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law.</p>
<h2>6. Data Sharing & Third Parties</h2>
<p>We share your data only with the following service providers, strictly for the purpose of delivering the Service:</p>
<ul>
<li><strong>OpenAI, Inc. (USA)</strong> — AI processing of extracted market questions. Data is processed under OpenAI's API terms and is not used to train their models by default.</li>
<li><strong>Tavily AI (USA)</strong> — Web search and news retrieval based on extracted market questions.</li>
<li><strong>Stripe, Inc. (USA)</strong> — Payment processing.</li>
<li><strong>Sentry (USA)</strong> — Error monitoring and crash reporting (anonymised stack traces only).</li>
<li><strong>Google LLC (USA)</strong> — OAuth authentication.</li>
</ul>
<p>All third-party providers are contractually bound to process your data only for the purposes we specify. Transfers to the USA are covered by Standard Contractual Clauses (SCCs) where required by GDPR. We do <strong>not</strong> sell, rent, or trade your personal data to any third party.</p>
<h2>7. Your Rights (GDPR)</h2>
<ul>
<li><strong>Right of access:</strong> request a copy of all personal data we hold about you</li>
<li><strong>Right to rectification:</strong> request correction of inaccurate data</li>
<li><strong>Right to erasure:</strong> request deletion of your account and all associated data</li>
<li><strong>Right to restriction:</strong> request that we limit processing of your data</li>
<li><strong>Right to data portability:</strong> receive your data in a machine-readable format</li>
<li><strong>Right to object:</strong> object to processing based on legitimate interests</li>
<li><strong>Right to withdraw consent:</strong> withdraw it at any time where processing is consent-based</li>
</ul>
<p>To exercise any of these rights, email us at <a href="mailto:legal@sharkly.com" style="color:#8675D4">legal@sharkly.com</a>. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in France: CNIL — <a href="https://www.cnil.fr" style="color:#8675D4" target="_blank">www.cnil.fr</a>).</p>
<h2>8. Cookies & Tracking</h2>
<p>We use only essential cookies necessary for the Service to function (e.g., session management, authentication tokens). We do <strong>not</strong> use tracking cookies, advertising cookies, or third-party analytics cookies. You can disable cookies in your browser settings, but this may affect Service functionality.</p>
<h2>9. Security</h2>
<p>We implement industry-standard security measures: HTTPS encryption for all data in transit, encrypted storage for sensitive data at rest, access controls limiting employee access to personal data, and regular security reviews. No method of transmission over the internet is 100% secure.</p>
<h2>10. Children's Privacy</h2>
<p>The Service is not directed to individuals under the age of 18. If you believe we have inadvertently collected data from a minor, contact us immediately at <a href="mailto:legal@sharkly.com" style="color:#8675D4">legal@sharkly.com</a> and we will delete it promptly.</p>
<h2>11. Changes to This Policy</h2>
<p>We may update this Privacy Policy from time to time. We will notify you of material changes by email or by displaying a prominent notice on the Service at least 14 days before the changes take effect.</p>
<h2>12. Contact</h2>
<p>For privacy-related questions or data requests: <a href="mailto:legal@sharkly.com" style="color:#8675D4">legal@sharkly.com</a></p>
<p>We aim to respond to all privacy requests within 30 days.</p>