Privacy Policy

1. Who We Are

ValueMarkers is a financial research and stock analysis platform operated by Oliva Real Estate Technology LLC, a Delaware limited liability company, doing business as ValueMarkers ("Company," "we," "us," or "our"). This Privacy Policy describes how we collect, use, disclose, and protect information when you access or use our website, applications, and services (collectively, the "Service").

By using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you do not agree, you must discontinue use of the Service.

Data protection inquiries: privacy [at] valuemarkers.com

2. Information We Collect

2.1 Information You Provide

• Account registration data: email address and display name
• Password (stored as a one-way bcrypt hash with cost factor 12; we never store or have access to your plaintext password)
• Subscription tier selection and billing preferences
• Portfolio holdings and watchlists you create within the Service
• Investment theses, comments, and other content you publish to the Community
• Screener configurations, saved searches, and alert preferences
• Communications you send to our support team

2.2 Information Collected Automatically

• IP address (used for security, rate limiting, and abuse prevention)
• Browser type, device type, and operating system
• Pages visited, features used, and interaction timestamps
• Referral source (how you arrived at the Service)
• Aggregate performance metrics (page load times, error rates)

2.3 Payment Information

All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor. We do not receive, store, or have access to your full credit card number, debit card number, or bank account details at any time. Stripe provides us with a limited transaction reference, the last four digits of your card, card brand, and billing country for record-keeping purposes only.

2.4 Information We Do NOT Collect

We do not collect government-issued identification numbers (such as Social Security numbers), biometric data, precise geolocation, or data from children under 18. We do not conduct facial recognition or behavioral profiling for advertising.

3. How We Use Your Information

We process your information for the following purposes:

• Service Delivery: Provide personalized stock screening, portfolio tracking, watchlists, DCF calculators, AI analysis, and guru portfolio intelligence based on your subscription tier
• Authentication and Security: Verify your identity, maintain session integrity, enforce rate limits, and detect unauthorized access, fraud, or abuse
• Billing: Process subscription payments, issue invoices, and manage refund requests through Stripe
• Transactional Communications: Send account verification emails, password reset links, subscription confirmations, and critical service notifications
• Product Improvement: Analyze aggregate, de-identified usage patterns to improve features, fix issues, and prioritize development. We do not build individual advertising profiles
• Legal Compliance: Comply with applicable legal obligations, respond to lawful requests from government authorities, and enforce our Terms of Service

We do NOT sell, rent, or trade your personal information to third parties. We do NOT use your data for targeted advertising. We do NOT share your portfolio holdings, watchlists, or investment activity with any third party except as described in Section 4.

4. Third-Party Service Providers

We share limited information with the following service providers, each operating under their own privacy policies and data processing agreements:

We do not share personal information with third parties for their own marketing purposes. We may disclose information if required by law, subpoena, court order, or to protect the safety, rights, or property of ValueMarkers, our users, or the public.

5. Cookies and Tracking Technologies

5.1 Essential Cookies (Always Active)

These cookies are necessary for the Service to function and cannot be disabled. They include: the cookie consent preference cookie (vm_consent, 365-day expiry) and session identifiers required for authentication.

5.2 Analytics Cookies (Opt-In Only)

Google Analytics 4, Amplitude, and Hotjar cookies are activated only after you explicitly grant consent through our cookie banner. We implement Google Consent Mode V2, which means all analytics tracking is blocked by default until you click "Accept" or enable analytics in cookie settings. Amplitude and Hotjar are likewise gated behind cookie consent and do not load until you opt in. You may withdraw consent at any time by clearing your cookies or using the cookie settings link in our footer.

5.3 What We Do NOT Use

We do not use advertising cookies, retargeting pixels, or cross-site tracking technologies. We do not participate in ad networks. JWT authentication tokens are stored in browser memory only and are never written to cookies or localStorage, reducing exposure to XSS-based session theft.

6. Data Security

We implement industry-standard security measures to protect your information:

• All data in transit is encrypted using TLS 1.3 (HTTPS enforced on all pages)
• Passwords are hashed using bcrypt with a cost factor of 12
• JWT access tokens expire after 30 minutes; refresh tokens after 30 days with automatic rotation
• Reset tokens and API keys are hashed with SHA-256 before database storage
• IP-based login throttling: 5 failed attempts within 15 minutes triggers a temporary lockout
• CORS origin whitelisting, Content Security Policy headers, and input sanitization across all endpoints
• Database backups are encrypted and retained for 30 days
• Portfolio holdings data is stored encrypted at rest

While we employ commercially reasonable security measures, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security of your data. In the event of a data breach affecting your personal information, we will notify affected users without unreasonable delay and in accordance with applicable law.

7. Data Retention

• Active accounts: Personal data is retained for the duration of your account. Usage data is retained for up to 14 months (matching GA4 data retention settings)
• Deleted accounts: Upon account deletion, personal data is permanently purged within 30 days, except as noted below
• Legal and tax records: Billing records, invoices, and transaction history are retained for up to 7 years as required by applicable tax and financial regulations
• Aggregated data: De-identified, aggregated analytics data that cannot be linked back to any individual is retained indefinitely for product improvement
• Community content: Published investment theses remain visible unless you delete them before account deletion, or request their removal

8. Your Rights Under GDPR (EU/EEA Residents)

If you are located in the European Union or European Economic Area, you have the following rights under the General Data Protection Regulation (GDPR):

• Right of Access (Art. 15): Request a copy of all personal data we hold about you
• Right to Rectification (Art. 16): Correct inaccurate or incomplete personal data
• Right to Erasure (Art. 17): Request deletion of your personal data, subject to legal retention requirements
• Right to Restrict Processing (Art. 18): Request limitation of processing while accuracy or legality is contested
• Right to Data Portability (Art. 20): Receive your personal data in a structured, machine-readable format
• Right to Object (Art. 21): Object to processing based on legitimate interests, including profiling
• Right to Withdraw Consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing

Legal Basis for Processing: We process your data based on: (a) performance of a contract (providing the Service), (b) legitimate interests (security, fraud prevention, product improvement), and (c) consent (analytics cookies). We do not rely on consent for core service delivery.

International Transfers: Your data may be processed on servers located in the United States or the European Union. Where data is transferred outside the EU/EEA, we rely on Standard Contractual Clauses or other approved transfer mechanisms under GDPR.

Supervisory Authority: You have the right to lodge a complaint with a data protection supervisory authority in your EU/EEA member state.

To exercise any of these rights, email privacy [at] valuemarkers.com. We will respond within 30 days.

9. Your Rights Under CCPA (California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:

• Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share it
• Right to Delete: Request deletion of your personal information, subject to certain exceptions (legal obligations, fraud detection, internal analytics)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell or share (as defined by CCPA/CPRA) your personal information for cross-context behavioral advertising. Therefore, no opt-out is necessary, but you may contact us to confirm this at any time
• Right to Non-Discrimination: We will not deny you service, charge different prices, or provide a different quality of service because you exercised your CCPA rights

Categories of Personal Information Collected (past 12 months): Identifiers (email, display name, IP address); commercial information (subscription tier, transaction history); internet activity (pages visited, features used); inferences drawn from the above for product improvement purposes.

To exercise any CCPA/CPRA rights, email privacy [at] valuemarkers.com with the subject line "CCPA Request." We will verify your identity before processing the request and respond within 45 days.

10. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children under 18. If you believe a child under 18 has provided us with personal information, please contact us at privacy [at] valuemarkers.com and we will promptly delete such information.

11. Do Not Track Signals

Our Service respects Do Not Track (DNT) browser signals. When a DNT signal is detected, we do not load analytics cookies regardless of prior consent settings.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. For material changes, we will provide notice via email to your registered address at least 14 days before the changes take effect. Non-material updates (formatting, clarifications) may be made without notice. The "Last updated" date at the top of this page indicates when the Policy was most recently revised.

Your continued use of the Service after the effective date of any updated Privacy Policy constitutes your acceptance of the revised terms.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, contact us at: