Privacy Policy
Effective date: January 1, 2026 · Last updated: May 7, 2026
Operator: Z-Scope PRO · Contact: [email protected]
This Privacy Policy describes how Z-Scope PRO ("we", "us", "the Service") collects, uses, stores, and protects your personal data in accordance with Regulation (EU) 2016/679 (GDPR) and applicable Czech law (Act No. 110/2019 Sb.).
1. Data Controller
Z-Scope PRO · Contact: [email protected]
Z-Scope PRO operates in compliance with applicable Czech and EU data protection laws.
2. What Data We Collect
The Service collects only the following personal data:
| Category | What it includes |
|---|---|
| Account data | Email address (used for login and essential service communication). |
| User-generated data | Watchlist entries, portfolio entries, alert configurations, trading journal notes, language and display preferences. You voluntarily input this data; it stays in your account. |
| Authentication data | Session tokens stored in your browser (localStorage and cookies) to keep you logged in. |
| Server access logs | IP address, browser type, requested URL, and timestamp — generated automatically by our web server (Nginx) for security and debugging. Retained for a maximum of 30 days, then automatically deleted. |
3. What We Do Not Collect
To set clear expectations, here is what we explicitly do not do:
- We do not use Google Analytics, Mixpanel, PostHog, Segment, or any other analytics platform.
- We do not use advertising networks, retargeting pixels, Facebook/Meta Pixel, TikTok pixel, or any tracking scripts.
- We do not profile users for behavioral targeting.
- We do not use browser fingerprinting or canvas fingerprinting.
- We do not collect contact lists, phone numbers, photos, or location data beyond IP-based country detection.
- We do not sell, rent, or trade your personal data to third parties under any circumstances.
4. Legal Basis for Processing (Art. 6 GDPR)
We process your personal data on the following lawful bases:
(a) Performance of a contract (Art. 6(1)(b)): Processing necessary to provide the Service — managing your account, storing your watchlist and portfolio, and delivering features you actively use.
(b) Legitimate interests (Art. 6(1)(f)): Server access logs for security monitoring, fraud prevention, and debugging. Our legitimate interests do not override your fundamental rights.
(c) Legal obligation (Art. 6(1)(c)): Where applicable, retaining records required by Czech tax or accounting law.
5. Sub-processors
We do not sell, rent, or trade your personal data. We share data only with the following sub-processors, each operating under data processing agreements (DPAs) compliant with Art. 28 GDPR:
| Provider | Purpose | Data hosting |
|---|---|---|
| Supabase Inc. (USA) | Authentication and database hosting (account data, watchlist, portfolio, journal) | Data hosted on AWS, region ap-south-1 (Mumbai, India). International transfer safeguarded by Standard Contractual Clauses (SCCs) per Decision 2021/914. |
| Hetzner Online GmbH (Germany) | Web server infrastructure (Nginx, Node.js backend) | Servers in the European Union (Germany / Finland). No international transfer. |
| Anthropic PBC (USA) | AI processing for market analyses (Claude API) | Important: no user-identifying data is sent to Anthropic. Only aggregated, anonymized market data (coin symbols, prices, news headlines) is processed via a shared server-side cache. Your email, portfolio, and watchlist never leave our database. Transfers to the USA safeguarded by SCCs. |
No data is shared with advertisers, data brokers, or marketing platforms.
6. International Data Transfers
Some sub-processors are based outside the EU/EEA. Specifically, account data, watchlist, and portfolio data are stored in AWS Mumbai (India) via Supabase. Transfers to countries outside the EU/EEA are protected by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), supplemented by additional technical safeguards including encryption in transit (TLS 1.3) and encryption at rest.
We do not transfer data based on derogations or one-off bases under Art. 49 GDPR.
7. Data Retention
- Account data, watchlist, portfolio, journal: retained as long as your account is active. Deleted within 30 days of account deletion (or your written request).
- Server access logs: retained for a maximum of 30 days, then automatically deleted.
- Backup copies: rotated within 90 days. After this period, all data is permanently removed.
- Anonymized aggregate statistics (no longer personal data): may be retained indefinitely for product analysis.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your data ("right to be forgotten").
- Right to restriction (Art. 18): Request restriction of processing under certain conditions.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21): Object to processing based on legitimate interests.
To exercise any of these rights, contact [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the relevant data protection supervisory authority in your country of residence if you are unsatisfied with our response.
9. Cookies and Browser Storage
We use only strictly necessary cookies and local browser storage required for the Service to function:
- Authentication tokens (Supabase session) — to keep you logged in.
- User preferences stored in localStorage — language, display settings, watchlist cache, ticker controls. These never leave your device.
These technologies are exempt from prior consent requirements under Art. 5(3) of the ePrivacy Directive (technically necessary cookies). We do not use third-party tracking cookies, advertising cookies, social media pixels, or fingerprinting technologies.
10. Security Measures
We implement appropriate technical and organizational measures to protect your data:
- Encryption in transit: All connections use TLS 1.3 (HTTPS).
- Encryption at rest: Database storage encrypted by Supabase/AWS.
- Row-Level Security (RLS): Database policies ensure users can only read/write their own data, even if API keys are compromised.
- Authentication: Industry-standard JWT tokens via Supabase Auth.
- Access control: Administrative access limited to the Operator only.
- Regular updates: Server software and dependencies kept up to date.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 16 (the digital consent age in the Czech Republic under Art. 8 GDPR). If we become aware that we have collected data from a minor, we will promptly delete it.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 14 days before taking effect. The current version is always available at zscope.org/legal/privacy.html. Where material changes affect your rights or require renewed consent, we will obtain it before processing data under the new terms.
13. Contact
For privacy-related questions or requests, contact: [email protected]
Z-Scope PRO is operated by a self-employed individual ("OSVČ" – fyzická osoba podnikající) registered in the Czech Republic.