SwingMentalist ← Back to home

Privacy Policy

Last updated: June 3, 2026 · Effective date: June 3, 2026

This Privacy Policy explains what personal information we collect, how we use and share it, and the choices you have. It applies to the SwingMentalist website and web app (and, once released, our native Android and iOS applications) - together, the "Service" - operated by Amit Shlomo, a sole proprietor based in Israel ("SwingMentalist," "we," "us").

We are committed to processing your data lawfully, fairly, and transparently. We sell software, not your data.

Note: SwingMentalist is currently in a closed beta. Some features described in this policy may be experimental, subject to change, or temporarily unavailable. We will update this policy and notify you if any change materially affects how we collect or use your data.

1. Information We Collect

1.1 Information you give us

1.2 Information collected automatically

1.3 What we do NOT collect

2. How We Use Your Information

3. Legal Bases (GDPR / UK Users)

For users in the European Economic Area, United Kingdom, or other jurisdictions with similar laws, we rely on the following legal bases under the GDPR / UK GDPR:

4. Third-Party Service Providers

We use the following providers to operate the Service. They process data on our behalf under their own privacy and security commitments:

ProviderPurposeData handled
Paddle.com Market Ltd. (UK)Payments & subscription billing (Merchant of Record)Name, email, billing address, payment method, transaction history
MongoDB Atlas (AWS us-east-1, USA)Primary database hostingAll account & workspace data described above
Hetzner Online (Ashburn VA, USA)Application server hostingServer logs, transient request data
CloudflareDNS & DDoS protection (proxied)IP addresses, request metadata
Google FirebasePush notification delivery (FCM)Device push token, notification payload
Google Sign-InOptional OAuth loginEmail, name, Google account ID. Currently disabled during closed beta.
Google (Gmail SMTP)Transactional email delivery (email verification, password reset, billing receipts, optional alert notifications)Recipient email address, sender display name, message content
Twelve Data, Inc.Market data feed (price, volume, fundamentals, earnings calendar, news headlines)No personal data - we query public ticker symbols only

We disclose your information to law enforcement or other parties only when required by valid legal process or to protect the rights, safety, and property of SwingMentalist, our users, or the public.

5. Where Your Data Is Stored

Our primary database is hosted in the United States (AWS us-east-1) by MongoDB Atlas. Our application server is also in the United States (Ashburn, Virginia). Paddle is based in the United Kingdom. As an operator based in Israel serving global customers, we transfer data internationally.

For users in the EU/UK: international transfers rely on Standard Contractual Clauses (SCCs) or equivalent safeguards offered by our providers. You can request a copy of the relevant safeguards by emailing us.

6. Data Retention

7. Your Rights

Depending on where you live, you may have the following rights:

To exercise any of these rights, email [email protected]. We will respond within 30 days. We may ask you to verify your identity first.

8. California Residents (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, including the right to know what categories of personal information we collect, the right to delete, the right to correct, and the right to opt out of any "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising.

9. Security

We protect your data with industry-standard measures: TLS encryption in transit (HTTPS via Let's Encrypt), encryption at rest in MongoDB Atlas, bcrypt password hashing, signed and short-lived session tokens, firewalled servers with restricted SSH access, fail2ban for brute-force protection, and the principle of least privilege for administrator accounts. No system is perfectly secure; if a breach affects you, we will notify you and the relevant authorities as required by law.

10. Children

The Service is not intended for, and we do not knowingly collect personal information from, anyone under 18. If you believe a child has provided us personal information, contact us and we will delete it.

11. Cookies and Similar Technologies

11.1 First-party cookies - none

The Service does not set any cookies of its own on your browser. Authentication is handled by an Authorization: Bearer header carrying a JSON Web Token (JWT), not by a session cookie. We do not use first-party analytics, advertising, fingerprinting, or social-tracking cookies of any kind.

11.2 Local browser storage we do use

For strictly functional purposes - without which the Service could not work the way you expect - we store small amounts of data in your browser's localStorage and in the Progressive Web App service-worker cache. This data lives on your device, is never automatically transmitted with HTTP requests (unlike cookies), and is used only by the Service itself.

Under the EU's ePrivacy Directive and the Israeli ePrivacy framework, storage that is strictly necessary for a service the user has explicitly requested does not require prior consent. All of the above falls within that exemption, which is why the Service does not display a cookie banner.

11.3 Third-party cookies on third-party domains

If you choose to use either of the following integrations, the third party may set its own cookies on its own domain. These are governed by the third party's own privacy notice, not ours, because we never receive or store them:

You can decline these integrations and still use the Service - sign up with an email and password instead of Google, and remain on the free tier instead of opening the Paddle checkout.

11.4 How to clear locally-stored data

You can erase all of the local storage described above at any time by using your browser's "Clear site data" / "Clear storage" tool for the SwingMentalist domain, or by signing out (which clears the authentication token explicitly). Clearing the data will sign you out and reset your preferences to defaults.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email or via a notice in the Service at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent version.

13. Contact

Questions, complaints, or data-rights requests? Email [email protected].