Privacy Policy
Effective: April 22, 2026 · Last updated: April 22, 2026
This Privacy Policy explains how [LEGAL_ENTITY] (“Command Center,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you use our website, web application, and related services (collectively, the “Service”).
We are based in Montréal, Québec, Canada. This Policy is designed to comply with the strictest applicable standards, including:
- Québec Law 25 (An Act respecting the protection of personal information in the private sector, CQLR c P-39.1)
- PIPEDA (Canada’s Personal Information Protection and Electronic Documents Act)
- GDPR (EU Regulation 2016/679) and UK GDPR
- CCPA / CPRA (California Consumer Privacy Act, as amended)
Contents
- 1. Who we are and how to contact us
- 2. Our Privacy Officer
- 3. Personal information we collect
- 4. Why we use your information (purposes & legal bases)
- 5. AI processing and automated decision-making
- 6. Who we share information with
- 7. International data transfers
- 8. How long we keep your information
- 9. How we protect your information
- 10. Your privacy rights
- 11. Rights specific to EEA / UK residents
- 12. Rights specific to Québec residents
- 13. Rights specific to other Canadian residents (PIPEDA)
- 14. Rights specific to California & other U.S. residents
- 15. Children
- 16. Data breach notification
- 17. Cookies and similar technologies
- 18. Changes to this Policy
- 19. How to contact us & file complaints
1. Who we are and how to contact us
The data controller responsible for your personal information is [LEGAL_ENTITY], with a registered office at [BUSINESS_ADDRESS], Montréal, Québec, Canada.
General privacy inquiries: privacy@cmdctr.cc.
2. Our Privacy Officer
In accordance with Québec Law 25, we have designated a Person in Charge of the Protection of Personal Information (our “Privacy Officer”):
- Name: [PRIVACY_OFFICER_NAME]
- Title: [PRIVACY_OFFICER_TITLE]
- Email: privacy@cmdctr.cc
- Postal: [LEGAL_ENTITY] — Attn: Privacy Officer, [BUSINESS_ADDRESS], Montréal, QC, Canada
You may contact the Privacy Officer to exercise any of your privacy rights, to ask questions about this Policy, or to file a complaint.
3. Personal information we collect
We collect personal information in the following categories:
3.1 Information you provide directly
- Account data: email address, hashed password, display name, locale (English/French), preferred currency (CAD, USD, EUR).
- Profile preferences: theme (dark/light), dashboard layout, notification settings.
- Portfolio and watchlist data: tickers, share quantities, cost basis, transaction dates, notes you attach to holdings.
- Support communications: messages you send to us and any attachments.
3.2 Information we collect automatically
- Technical data: IP address, device type, operating system, browser type and version, language, timezone, referring URL.
- Usage data: pages viewed, features used, session duration, timestamps, error logs.
- Strictly necessary cookies and tokens: session identifiers needed to keep you logged in and to protect against CSRF. See our Cookies Policy.
At launch we do not use analytics, advertising, or third-party tracking cookies. If that changes, we will update this Policy, add a consent banner, and ask for your consent before activation.
3.3 Information we collect from third parties
- Payment metadata (from Stripe): subscription status, billing country, card brand and last four digits, invoice history. We never receive or store full card numbers — Stripe handles PCI-regulated data directly.
- Market and news data providers: information we display on the dashboard (prices, news headlines, indices) is fetched from third-party data feeds and is not personal information about you.
3.4 Sensitive information
We do not knowingly collect special categories of personal data under GDPR Article 9 (e.g., health, race, political views), “sensitive personal information” under CPRA (e.g., government IDs, precise geolocation, account credentials), or financial account credentials. Please do not send us this information.
Your portfolio holdings may indirectly reveal financial circumstances. We treat this information as confidential and restrict access accordingly.
4. Why we use your information (purposes & legal bases)
Under GDPR and Law 25, we process personal information only for specific, explicit, and legitimate purposes. The table below lists each purpose, the categories of data involved, and our legal basis.
| Purpose | Data categories | GDPR legal basis |
|---|---|---|
| Create and secure your account; authenticate sessions | Account data, technical data | Contract performance (Art. 6(1)(b)) |
| Provide the dashboard: show holdings, watchlists, quotes, news | Portfolio data, technical data | Contract performance (Art. 6(1)(b)) |
| Bill you and manage your Pro subscription | Account data, payment metadata | Contract performance (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) for tax records |
| Generate AI market analysis and briefings (Pro tier) | Portfolio data, watchlist data | Contract performance (Art. 6(1)(b)); consent for AI features that are optional (Art. 6(1)(a)) |
| Respond to support requests | Account data, support messages | Contract performance; legitimate interests (Art. 6(1)(f)) |
| Detect and prevent fraud, abuse, and security incidents | Technical data, usage data | Legitimate interests (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Comply with tax, accounting, and legal obligations | Account data, payment metadata | Legal obligation (Art. 6(1)(c)) |
| Send transactional emails (receipts, security alerts, service notices) | Account data | Contract performance (Art. 6(1)(b)) |
| Send marketing emails (only if you opt in) | Account data | Consent (Art. 6(1)(a)); CASL express consent for Canadian recipients |
We will not use your personal information for a new, materially different purpose without informing you and, where required, obtaining your consent.
5. AI processing and automated decision-making
Command Center uses Anthropic’s Claude API to generate market briefings, trade-idea analysis, and risk commentary on the Pro tier. We believe you should know exactly how this works.
5.1 What we send to Anthropic
- The tickers in your portfolio or watchlist (e.g., “AAPL,” “TSX:SHOP”).
- Public market data we have retrieved (prices, fundamentals, news headlines).
- The question or prompt you submitted, if any.
5.2 What we do not send to Anthropic
- Your name, email address, billing information, or other account identifiers.
- Your IP address.
- Your password or authentication tokens.
5.3 Anthropic’s handling
Anthropic acts as our service provider (a “processor” under GDPR and Law 25) bound by a written data processing agreement. Under Anthropic’s commercial terms, inputs and outputs from our API calls are not used to train Anthropic’s models. Anthropic retains API data only as needed for abuse monitoring and legal compliance, typically for a limited period.
5.4 No automated decisions with legal or significant effects
AI-generated content on Command Center is informational only. It is not an automated decision that produces legal or similarly significant effects on you (GDPR Art. 22; Law 25 s. 12.1). We do not auto-execute trades, open or close accounts, approve or deny credit, or take any action on your behalf based on AI output.
You can avoid AI processing entirely by staying on the Free tier or by not invoking AI features on the Pro tier.
6. Who we share information with
We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We share information only with:
- Service providers (processors/subprocessors) who help us run the Service — hosting, database, payments, AI, email delivery. Each is bound by contract to confidentiality and security. See our current Subprocessor list.
- Professional advisors (lawyers, accountants, auditors) under duties of confidentiality.
- Authorities and third parties where required by law, court order, or to protect our rights, your safety, or the security of the Service.
- A successor in the context of a merger, acquisition, financing, or sale of assets, subject to confidentiality obligations and with notice to affected users. Québec Law 25 requires a formal assessment before any such transfer; we will perform it.
7. International data transfers
Our providers may store and process data outside your province, country, or economic area. Specifically, data may be processed in the United States and in the European Union depending on the provider and region selected. Where data is transferred across borders, we rely on one or more of the following mechanisms:
- EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), together with supplementary technical and organisational measures.
- UK International Data Transfer Agreement or UK Addendum to the SCCs for transfers out of the UK.
- Québec Law 25 privacy impact assessments before transferring personal information outside Québec, evaluating the sensitivity of the data, the purposes, the protections in place, and the legal regime of the destination.
- EU–U.S. Data Privacy Framework where our provider is certified under it.
You may request a copy of the specific safeguards in place for a transfer by contacting our Privacy Officer.
8. How long we keep your information
We keep personal information only for as long as necessary for the purposes it was collected, unless a longer period is required by law.
| Category | Retention period |
|---|---|
| Account data, portfolio, watchlists | Until you delete your account, plus a 30-day grace period for recovery. |
| Support correspondence | Up to 24 months after resolution, then deleted or anonymized. |
| Payment records and invoices | 6 years after the end of the fiscal year (Québec & federal tax law). |
| Security and audit logs | Up to 12 months, then deleted or aggregated. |
| Backups | Rotating backups retained no longer than 35 days. |
| AI prompt/response logs | Up to 30 days for debugging and abuse prevention, then deleted. |
When retention periods end, we delete or irreversibly anonymize the data. If deletion is not technically feasible (for example, data embedded in encrypted backups), we isolate the data and prevent further processing until it is overwritten in the normal rotation.
9. How we protect your information
We implement technical and organisational measures appropriate to the sensitivity of the data, including:
- TLS 1.2+ encryption for all data in transit.
- Encryption at rest for databases and backups.
- Password hashing with a modern adaptive algorithm (bcrypt).
- Principle of least privilege for access to production systems.
- Multi-factor authentication for administrative access.
- Segregation of production from development environments.
- Logging and monitoring of access to personal information.
- Regular security reviews and dependency patching.
- Written data processing agreements with each subprocessor.
No method of transmission or storage is perfectly secure. Please use a strong, unique password and keep your account credentials confidential.
10. Your privacy rights
Regardless of where you live, you may contact us at privacy@cmdctr.cc to:
- Access the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Request deletion of your personal information.
- Receive a copy of your data in a structured, commonly used format.
- Withdraw any consent you have given.
- Object to or restrict certain processing.
- Opt out of marketing emails (always available in every message).
We will respond to verifiable requests without undue delay and within the timeframes required by applicable law (generally within 30 days, extendable where permitted). We may need to verify your identity before acting on a request, and in rare cases we may refuse or limit a request where permitted by law (for example, to protect the rights of others). If we do, we will explain why in writing.
Exercising your rights is free. We will not discriminate against you for exercising them.
11. Rights specific to EEA / UK residents (GDPR & UK GDPR)
- Right of access (Art. 15), rectification (Art. 16), erasure / right to be forgotten (Art. 17), restriction (Art. 18), data portability (Art. 20), and objection (Art. 21), including objection to processing based on legitimate interests.
- Right not to be subject to automated decision-making with legal or significant effects (Art. 22). As explained in §5, Command Center does not make such decisions.
- Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with your local Data Protection Authority. In France, that is the CNIL (cnil.fr). In the UK, the ICO (ico.org.uk).
12. Rights specific to Québec residents (Law 25)
- Right of access and right to rectification of your personal information (Law 25, ss. 27 & 28).
- Right to data portability — to receive your computerized personal information in a structured, commonly used technological format (s. 27, in force since September 2024).
- Right to cease dissemination, de-indexing, and re-indexing where dissemination causes serious prejudice or the information is no longer necessary (s. 28.1).
- Right to be informed of automated decisions and of the principal factors and parameters that led to them, and to submit observations to a human reviewer (s. 12.1). As explained in §5, we do not use personal information for automated decisions with significant effects.
- Right to file a complaint with the Commission d’accès à l’information du Québec (cai.gouv.qc.ca).
13. Rights specific to other Canadian residents (PIPEDA)
- Right to access the personal information we hold about you and to challenge its accuracy.
- Right to withdraw consent, subject to legal or contractual restrictions.
- Right to file a complaint with the Office of the Privacy Commissioner of Canada (priv.gc.ca) or your provincial privacy regulator.
14. Rights specific to California & other U.S. state residents
If you are a California resident, you have the following rights under the CCPA, as amended by the CPRA:
- Right to know the categories and specific pieces of personal information collected, sources, purposes, and recipients.
- Right to delete personal information we collected from you, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of “sale” or “sharing.” We do not sell or share personal information for cross-context behavioural advertising.
- Right to limit the use of sensitive personal information. We do not use sensitive personal information for purposes that would trigger this right.
- Right to non-discrimination for exercising your rights.
Similar rights exist under other U.S. state laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, Texas TDPSA, and others). You can exercise any of these rights by emailing privacy@cmdctr.cc. Authorized agents may submit requests on your behalf with written authorization.
“Shine the Light” (California Civil Code §1798.83): California residents may request information about disclosures of personal information to third parties for their direct marketing purposes. We do not make such disclosures.
15. Children
The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, contact us and we will delete it.
16. Data breach notification
In the event of a confidentiality incident (a breach) that poses a risk of serious injury, we will notify affected individuals and the relevant authorities without undue delay, in accordance with:
- Québec Law 25 (ss. 3.5 and 3.7) — notice to the CAI and to affected persons;
- PIPEDA — notice to the OPC and affected individuals;
- GDPR Art. 33/34 — notice to the lead supervisory authority within 72 hours, and to individuals where the risk is high;
- Applicable U.S. state breach-notification laws.
We maintain an internal register of confidentiality incidents as required by Law 25.
17. Cookies and similar technologies
We use only strictly necessary cookies (session authentication and CSRF protection). We do not use advertising or analytics cookies at this time. See our full Cookies Policy for details.
18. Changes to this Policy
We may update this Policy to reflect changes in law, technology, or our operations. When we make material changes, we will notify you by email and/or by a conspicuous notice on the Service at least 30 days before the change takes effect, unless immediate changes are required by law. The “Last updated” date at the top always shows when the current version took effect. Previous versions are available on request.
19. How to contact us & file complaints
Privacy Officer — [LEGAL_ENTITY]
Email: privacy@cmdctr.cc
Postal: [BUSINESS_ADDRESS], Montréal, QC, Canada
If you are not satisfied with our response, you may escalate to the regulator in your jurisdiction (see sections 11–14 above).