Privacy Policy
Last updated: 2026-05-23
Bullboard is a personal investing tool. This page explains exactly what data the Bullboard team collects when you use it, why we collect it, who we share it with, how long we keep it, and the rights you have over it. We try to write this in plain language. If anything is unclear, email support@bullboard.org.
Who we are
“Bullboard,” “we,” “us,” and “the Bullboard team” refer to the people who operate the Bullboard service at bullboard.org. We are the data controller for personal data processed through the service. We are based in the European Union and you can reach us at support@bullboard.org.
Data we collect
We try to collect as little as possible. Here is the full list, grouped by where it comes from:
From you, when you sign up or use the service:
- Account identity: name, email address, optional profile picture. If you sign in with Google, your name, email, and Google profile picture are provided by Google.
- Authentication: for email/password sign-ups, a salted bcrypt hash of your password. We never see or store your actual password.
- Portfolio data: positions, transactions, watchlist entries, price alerts, and any notes you choose to add. You enter these directly or import them from CSV.
- Picks & posts: if you are an admin user publishing picks or community posts, the content of those posts and any reactions you leave.
- Comments & reactions: any comments you write on picks, and any reactions you leave.
- News interactions: if you bookmark a news article or click through to read one, we record that so the “Saved” tab and the “already read” styling work across your devices.
Generated automatically as you use the service:
- Session cookies: a signed token that proves you are signed in. See the Cookie Notice for the full list.
- Server logs: our hosting provider (Vercel) records request metadata: IP address, user agent, requested URL, response status, timing. Retained for up to 30 days for security and debugging.
- Analytics: we use Vercel Analytics for privacy-friendly, cookieless aggregate visit counting. It does not track individual users and does not use third-party tracking cookies.
What we do NOT collect:
- Brokerage account credentials. We never ask for them.
- Bank account or credit card details. Bullboard takes no payments.
- Your full chat history with us outside of in-app comments.
- Your data from other apps or websites.
Why we collect it and our legal basis
Under GDPR we must tell you why we process each category of data and what our legal basis is. Plain version:
- To run the service you signed up for (account, portfolio, watchlist, alerts, comments). Legal basis: contract — you ask us to provide the service and we cannot without this data.
- To keep the service secure (server logs, session tokens, rate-limit tracking). Legal basis: legitimate interest in preventing abuse, plus our obligation to keep the service safe for everyone.
- To improve the service (cookieless analytics, error monitoring). Legal basis: legitimate interest in understanding aggregate usage. None of this profiles you individually.
- To meet legal obligations (responding to lawful requests, accounting where applicable). Legal basis: legal obligation.
How long we keep it
Our retention policy:
- Account & portfolio data: kept for as long as your account is active. Deleted within 30 days of you closing your account.
- Comments & posts: kept indefinitely as part of the published record, unless you delete them yourself or close your account. When you close your account, your comments are anonymised (author shown as “deleted user”) rather than removed, so threads stay coherent.
- Server logs: 30 days, then automatically purged.
- News article cache & RSS articles: 30 days rolling, then archived; archived rows hard-deleted after a further 60 days.
- Authentication sessions: 30 days from your last activity, then the token expires and is removed.
- Backups: Neon retains automated backups for up to 7 days. Data deleted on your request will fully disappear within that window.
Your rights
If you are in the EU, UK, or another jurisdiction with similar data rights, you have the right to:
- Access the personal data we hold about you.
- Receive a copy of your data in a portable format (CSV). You can do this yourself anytime from your profile page — click “Export my data.”
- Correct inaccurate data. Most fields are editable from your profile or the relevant page. For anything you can't edit, email us.
- Delete your account and associated personal data. You can do this yourself immediately from your profile page, or by emailing us. Portfolio, watchlist, alerts, and notifications are deleted immediately. Comments and posts are anonymised (author unlinked) rather than removed so threads stay coherent — see Retention above for details.
- Restrict or object to specific processing.
- Withdraw consent at any time, where we relied on consent (cookies in particular).
- Lodge a complaint with your local data protection authority. For users in Malta, that is the Information and Data Protection Commissioner (idpc.org.mt).
Email support@bullboard.org to exercise any of these rights. We will respond within 30 days.
If you are in California (CCPA / CPRA)
California residents have additional rights under the California Consumer Privacy Act and California Privacy Rights Act:
- The right to know what personal information we collect, why, and who we share it with. This page covers all of that.
- The right to delete your personal information.
- The right to correct inaccurate personal information.
- The right to opt out of the sale or sharing of your personal information for cross-context behavioural advertising. Bullboard does not sell or share your personal information for advertising and never has. There is nothing to opt out of.
- The right to non-discrimination for exercising these rights. We will not deny service or change pricing based on a privacy request.
Exercise these rights by emailing support@bullboard.org. We respond within 45 days as required by California law.
Children
Bullboard is not directed at children under 16. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, email us and we will delete the account.
International transfers
Bullboard's database is in the EU. Our hosting provider (Vercel) operates in both the EU and the US. Some processing of request metadata may occur in the US. Where we transfer data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework where applicable.
Security
We use industry-standard practices: TLS for all traffic, bcrypt for password hashing, principle-of-least-privilege database access, OAuth-issued tokens stored as HTTP-only cookies. No system is perfectly secure. If you discover a vulnerability, please email support@bullboard.org before disclosing publicly.
If we ever experience a data breach affecting your personal data, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR.
Changes to this policy
We may update this policy as the service evolves. When we make material changes, we will update the “Last updated” date at the top and, for significant changes, notify signed-in users in the app. Continued use of Bullboard after a change means you accept the updated policy.
Contact
For anything related to this policy, email support@bullboard.org.