Privacy Policy

The data controller responsible for processing your personal data is: Momentum SaaS Email: privacy@momentum-saas.com As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring compliance with applicable data protection laws.

We collect and process the following categories of personal data: **Account data** - Email address (provided during registration) - Authentication data (managed by our identity provider, Supabase) **Subscription data** - Subscription plan and status - Payment history (transaction records received from Lemon Squeezy; we do not store payment card details) **Portfolio and watchlist data** - Securities you add to your portfolio or watchlist - Portfolio composition and configurations **Alert configurations** - Alert rules you create (score thresholds, selected securities) - Alert delivery preferences **Usage data** - Pages visited within the application - Features used and interactions - Recent search queries (stored locally on your device via localStorage) **Technical data** - Browser type and version - Device type - IP address (truncated for analytics, if consent is given) **Error and performance data (with your consent only)** - Error reports and stack traces (via Sentry) - Session replay recordings: mouse movements, clicks, and navigation patterns for diagnostic purposes (via Sentry, if consent is given)

We process your personal data based on the following legal grounds under GDPR Article 6: **Performance of contract (Article 6(1)(b))** - Account creation and management - Providing the momentum scoring service - Processing subscriptions and managing access - Delivering alert notifications - Portfolio and watchlist functionality **Your consent (Article 6(1)(a))** - Error tracking and performance monitoring (Sentry) - Session replay recordings for diagnostic purposes - Non-essential cookies and similar technologies You can withdraw your consent at any time through the cookie preference center accessible on every page of the application. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal. **Legitimate interest (Article 6(1)(f))** - Security monitoring and fraud prevention - Service improvement based on aggregated, anonymized usage patterns - Enforcing our Terms of Service

We use the following third-party service providers to operate Momentum SaaS. Each processor handles your data only as instructed by us and in accordance with their own privacy policies and applicable data protection agreements: **Supabase** (Database and Authentication) - Purpose: stores your account data, portfolio configurations, alert settings, and application data; handles authentication - Data processed: email address, account data, application data - Location: United States (see Section 8 on international transfers) - Privacy policy: https://supabase.com/privacy **Resend** (Email delivery) - Purpose: sends transactional emails including alert notifications and account-related communications - Data processed: email address, email content - Privacy policy: https://resend.com/legal/privacy-policy **Lemon Squeezy** (Payment processing) - Purpose: processes subscription payments, manages billing, and handles refunds - Data processed: email address, payment information, transaction history - Note: Lemon Squeezy acts as an independent data controller for payment data. We do not store your payment card details. - Privacy policy: https://www.lemonsqueezy.com/privacy **Vercel** (Hosting and infrastructure) - Purpose: hosts and serves the web application - Data processed: IP address, request metadata - Location: United States (see Section 8 on international transfers) - Privacy policy: https://vercel.com/legal/privacy-policy **Sentry** (Error tracking and performance monitoring — only with your consent) - Purpose: captures error reports and optionally records user sessions for debugging and quality improvement - Data processed: error data, browser information, session recordings (mouse movements, clicks, navigation) - Activated: only after you give consent via the cookie preference center - Privacy policy: https://sentry.io/privacy/

We use cookies and local browser storage on your device. A detailed description of each cookie, its purpose, and its duration is available on our dedicated Cookie Policy page (/cookies). **Essential cookies (no consent required)** - Authentication session cookies (Supabase): required for you to log in and use the service - Consent preference cookie (momentum_consent): stores your cookie consent choices **Non-essential cookies (consent required)** - Sentry error tracking cookies: set only after you consent to the "Analytics" category **Local storage** - Recent search queries: stored locally on your device to display your recent searches. This data never leaves your device and is not transmitted to our servers. You can manage your cookie preferences at any time using the "Manage cookies" button accessible on every page. For full details, see our Cookie Policy page.

We retain your personal data only for as long as necessary for the purposes described in this policy, or as required by law: **Account and application data**: retained for the duration of your account. Deleted upon account deletion, subject to legal retention obligations. **Subscription and billing records**: retained for 10 years after the last transaction, as required by French commercial and tax law (Code de commerce, Article L123-22). **Alert and portfolio configurations**: deleted upon account deletion. **Error and performance data (Sentry)**: retained for a maximum of 90 days from collection. **Cookie consent records**: retained for 3 years from the date of the consent action, to comply with CNIL audit requirements and the French statute of limitations. **Server logs (IP addresses)**: retained for a maximum of 12 months, in accordance with CNIL recommendations. After the applicable retention period, data is permanently deleted or irreversibly anonymized.

Under the GDPR and French data protection law, you have the following rights regarding your personal data: **Right of access** (Article 15): you can request a copy of all personal data we hold about you. **Right to rectification** (Article 16): you can request correction of inaccurate or incomplete personal data. **Right to erasure** (Article 17): you can request deletion of your personal data. You can delete your account directly from your account settings. **Right to data portability** (Article 20): you can request your data in a structured, commonly used, machine-readable format. An export feature is available in your account settings. **Right to restriction of processing** (Article 18): you can request that we limit how we use your data in certain circumstances. **Right to object** (Article 21): you can object to processing based on legitimate interest. We will stop processing unless we demonstrate compelling legitimate grounds. **Right to withdraw consent**: for processing based on consent (such as analytics cookies), you can withdraw consent at any time via the cookie preference center. To exercise any of these rights, contact us at: privacy@momentum-saas.com We will respond to your request within one month, as required by the GDPR. This period may be extended by two additional months for complex requests, in which case we will inform you of the extension. **Right to lodge a complaint**: if you believe your data protection rights have been violated, you have the right to lodge a complaint with the French Data Protection Authority (CNIL): CNIL 3 Place de Fontenoy TSA 80715 75334 Paris Cedex 07 Website: https://www.cnil.fr Online complaint: https://www.cnil.fr/fr/plaintes

Some of our service providers (Supabase, Vercel) are located in the United States. Transfers of personal data to the United States are protected by: - The EU-U.S. Data Privacy Framework (where the provider is certified), or - Standard Contractual Clauses (SCCs) approved by the European Commission These safeguards ensure that your personal data receives a level of protection equivalent to that provided within the European Economic Area. You may request a copy of the applicable transfer safeguards by contacting us at: privacy@momentum-saas.com

Momentum SaaS is not intended for use by anyone under 16 years of age. We do not knowingly collect personal data from children under 16, in accordance with Article 7-1 of the French Data Protection Act (Loi Informatique et Libertes), which sets the age of digital consent at 16. If we become aware that we have collected personal data from a child under 16 without appropriate parental consent, we will take steps to delete that data promptly. If you believe a child under 16 has provided us with personal data, please contact us at: privacy@momentum-saas.com

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will notify you by email or through a prominent notice on the platform. The "Last updated" date at the top of this page indicates when the policy was most recently revised. We encourage you to review this page periodically.

For any questions or requests related to this Privacy Policy or the processing of your personal data, you can contact us at: Email: privacy@momentum-saas.com You can also exercise your rights directly from your account settings (data export, account deletion).