Privacy Policy

ThinkInPatterns · thinkinpatterns.com · Effective: April 13, 2026 · Last updated: April 23, 2026

This policy explains what data ThinkInPatterns collects, why, and what rights you have over it. It's written to be readable — not to bury the important parts in legalese.

If you have questions, email privacy@thinkinpatterns.com.

1. Who We Are

ThinkInPatterns ("we", "us", "our") operates the website at thinkinpatterns.com — a members-only trading research platform publishing daily and weekly stock watchlists, educational market analysis, and the StockBrief AI research tool.

The site is operated by Kumar Nayan, an individual trader and developer.

⚠️ Legal review: If you're subject to GDPR, a formal "Data Controller" designation with a registered address or EU representative may be required. Confirm with legal counsel.

2. What Data We Collect

Account data

Email address — collected when you sign up or request access
Access tier (free, paid, admin) and account status (active, suspended, pending)
Timestamps for account creation and last sign-in (managed by Supabase Auth)

Usage data

Pages visited, time on site, browser type, device type, and approximate location (country/region) — collected by Google Analytics 4.
GA4 uses anonymized IP addresses by default. We do not enable Google Signals or cross-device tracking.

Locally stored data

If you use StockBrief with a personal Financial Modeling Prep (FMP) API key, that key is stored in your browser's localStorage only. It never leaves your device and is never sent to our servers.

What we do not collect

We do not collect your name, phone number, address, or government ID.
We do not build behavioral profiles for advertising.
We do not track your activity across other websites.

3. How We Use Your Data

To provide the service — authenticate your login, verify your access tier, and display the correct content (gated vs. paid).
To improve the site — understand which pages and features get used via aggregate analytics.
To communicate with you— send account-related emails (access confirmations, policy updates). We don't send marketing emails without your explicit opt-in.
To enforce our terms — detect abuse, suspend accounts that violate site rules.

4. Legal Basis for Processing (GDPR)

If you're in the EU, UK, or another GDPR-covered jurisdiction, we rely on these legal bases:

Contract performance — processing your account data and payment to deliver the service you signed up for (Art. 6(1)(b)).
Legitimate interests— security monitoring, fraud prevention, and aggregate analytics (Art. 6(1)(f)). These don't override your rights.
Consent — non-essential cookies (analytics). You can withdraw consent at any time via our cookie settings.

⚠️ Legal review: If you process data of users in Germany, France, or other EU states, country-specific rules may apply on top of GDPR. Verify with local counsel.

5. Cookies and Tracking

We use the following cookies:

Cookie	Provider	Purpose	Type	Duration
`sb-*`	Supabase	Authentication session — keeps you logged in	Necessary	Session / 1 year
`_ga`	Google Analytics 4	Distinguishes unique visitors	Analytics	2 years
`_ga_*`	Google Analytics 4	Session state for GA4 measurement	Analytics	2 years
TradingView cookies	TradingView	Chart widget preferences and session data	Functional	Varies

Necessary cookiescannot be turned off — the site won't function without them. Analytics and functional cookies require your consent. You can manage your preferences at any time using the cookie settings link in the footer.

⚠️ Implementation required: A cookie consent banner must be shown to all visitors (especially EU/UK) before any analytics cookies fire. This is a hard GDPR requirement. Recommended tools: Cookiebot, Osano, or a lightweight custom banner with consent logging.

6. Third-Party Services

We share data with the following processors to operate the site. They act on our behalf and are bound by their own privacy and security standards.

Supabase (supabase.com) — database and authentication. Stores your email, account status, and plan tier. Data hosted on AWS infrastructure.
Vercel (vercel.com) — website hosting and CDN. May log IP addresses and request metadata for security.
Google Analytics 4 (google.com) — usage analytics. Data is anonymized and aggregated. See Google's Privacy Policy.
TradingView(tradingview.com) — embedded charting widget. Subject to TradingView's own terms.
Perplexity AI(perplexity.ai) — StockBrief opens Perplexity in a new browser tab when you click "Analyze in Perplexity" or "Open Space". Your prompt (ticker and research instructions) is sent directly from your browser to Perplexity. Subject to Perplexity's Privacy Policy.
Anthropic / Google Gemini / OpenAI— the admin watchlist import feature uses LLM APIs server-side to extract structured data from uploaded files. No member personal data is included in these requests — only the uploaded file content. Subject to each provider's data processing terms.

We do not sell your personal data. We do not share your data with advertisers, data brokers, or marketing platforms.

⚠️ Legal review: GDPR requires Data Processing Agreements (DPAs) with each processor above. Supabase, Vercel, Google, Perplexity, Anthropic, Google DeepMind (Gemini), and OpenAI all provide standard DPAs or data processing terms — you should formally execute these. Confirm international transfer mechanisms (Standard Contractual Clauses) are in place for each.

7. Data Retention

Daily watchlists — retained for 7 days, then deleted.
Weekly watchlists — retained for 30 days, then deleted.
Member accounts— retained while your account is active. If you request deletion, we'll remove your data within 30 days unless we're required to retain it (e.g., payment records for tax purposes).
Analytics data— Google Analytics retains data for 14 months by default. We don't export or archive it.

8. Your Rights

Depending on where you live, you may have some or all of the following rights:

Access — request a copy of the personal data we hold about you.
Correction — ask us to fix inaccurate data.
Deletion— request that we delete your account and associated data ("right to be forgotten").
Portability — receive your data in a machine-readable format (GDPR).
Objection — object to processing based on legitimate interests (GDPR).
Withdraw consent — for analytics cookies, at any time via cookie settings.
Opt out of sale— we don't sell your data, but California residents (CCPA) have the right to confirm this.

To exercise any of these rights, email privacy@thinkinpatterns.com. We'll respond within 30 days (GDPR) or 45 days (CCPA).

EU/UK residents also have the right to lodge a complaint with your local data protection authority.

9. International Data Transfers

ThinkInPatterns serves a global audience. Your data may be processed in the United States or other countries where our service providers operate. Where required by GDPR, we rely on Standard Contractual Clauses (SCCs) to ensure adequate protection for transfers outside the EU/UK/EEA.

⚠️ Legal review: Confirm that Supabase's selected AWS region and data residency settings align with any EU data localisation expectations. Review Vercel's DPA and each AI provider's international transfer provisions.

10. Children's Privacy

ThinkInPatterns is intended for users aged 14 and over. We don't knowingly collect personal data from children under 14. If you believe a child under 14 has created an account, please contact us at privacy@thinkinpatterns.comand we'll remove the account promptly.

⚠️ Legal review: COPPA (US) restricts collection from under-13s. The EU's GDPR Article 8 sets 16 as the digital consent age (though member states can lower it to 13). A 14+ policy sits between these thresholds — confirm it's sufficient for your primary jurisdictions, particularly if you have EU members.

11. Security

We take reasonable steps to protect your data:

All data in transit is encrypted via HTTPS (TLS).
Database access is enforced by Row-Level Security (RLS) policies — your data is only accessible to you and authorized admin users.
Passwords are never stored — authentication uses magic links via Supabase Auth.

No system is perfectly secure. If you believe there's been a breach affecting your data, email us immediately at privacy@thinkinpatterns.com.

12. Policy Updates

We'll update this policy when our data practices change — not just on a calendar schedule. When we make material changes, we'll post a notice on the site and update the "Last updated" date above. Continued use of the site after the effective date constitutes acceptance of the updated policy.

13. Contact

For privacy requests, data deletion, or questions about this policy:

Email: privacy@thinkinpatterns.com

We aim to respond within 5 business days for general questions, and within 30 days for formal data subject requests.

This policy was drafted as a starting template. It is not legal advice and should be reviewed by qualified legal counsel before publication — particularly for GDPR compliance, DPA execution, and CCPA verification.