Privacy Policy

What we collect

We collect your email address when you sign up, and a randomly-assigned auth subject ID (UUID) from Supabase Auth. That's it. No real name required. No phone number. No PII beyond those two fields.

We also collect anonymous event data via PostHog to understand how features are used. PostHog is self-hosted or configured to respect Do Not Track. No cross-site tracking. No ad networks.

Authentication

Auth is handled by Supabase. We use magic-link (passwordless) email sign-in. Sessions are stored in signed, httpOnly cookies. We do not store passwords. You can delete your account by emailing ops@bloxray.com.

Data access and row-level security

All user data in our Supabase database is protected by Row Level Security (RLS) policies. You can only read and write your own records. Anonymous users can read public editorial content (editions, breakdowns, spotlights) where status is ‘live’. No user can read another user's watchlist, profile, or org data.

Billing

Payments are processed by Stripe. We never see or store your full card number. Stripe handles PCI compliance. When you subscribe, Stripe stores a customer ID linked to your email. We store only the Stripe customer ID and subscription status on our side.

Third-party services

• Supabase — database and auth. Data hosted in their cloud. See supabase.com/privacy.
• PostHog — anonymous analytics. No PII sent.
• Stripe — payments. Subject to Stripe's privacy policy.
• Resend — transactional email (magic links, edition newsletters).
• Vercel — hosting and edge infrastructure.

Your rights

You can request export or deletion of your data at any time. Email ops@bloxray.com with the subject line “Data Request”. We'll respond within 14 days.

Contact

Questions about this policy: ops@bloxray.com