Tickr

privacy policy

last updated: may 12, 2026

tickr is a finance-learning app built by Cyrus Emami and Michael Chun. we care about your privacy and we keep this short, plain, and honest. this page explains what we collect, why, who sees it, and how to control it.

what we collect

  • your email address (for sign-in via magic link)
  • your lesson progress, streak, and total XP
  • your avatar choice and display name
  • your Stripe customer ID, if you upgrade to Pro (we never see your card)
  • standard server logs: IP, browser, request timestamps (for security and abuse prevention)

why we collect it

to run the service. that means signing you in, saving your progress so you can pick up where you left off, sending you the magic-link to log in, and (if you upgrade) billing you. that's it.

who we share with (subprocessors)

we use a small set of trusted vendors. each one handles a specific job:

  • Supabase — database and auth, hosted in the US
  • Vercel — application hosting, US
  • Stripe — payments for Pro subscriptions, US
  • Resend — transactional email (magic links, receipts), US
  • Cloudflare — Turnstile bot-check on sign-in forms, US

what we don't do

  • we do not sell your data. ever.
  • we do not use your data for ad targeting.
  • we do not train AI on your data.
  • we do not build advertising profiles about you.

cookies

we only set cookies that are strictly necessary: an auth session cookie (so you stay signed in) and a Cloudflare Turnstile cookie (so the bot-check works). no advertising cookies. no analytics cookies. no third-party trackers.

age requirement

tickr is for users 13 and older. that's a COPPA thing — see our terms of service for the full age policy. if you're under 18, ask a parent or guardian before signing up.

children under 13

tickr is not directed at children under 13 and we do not knowingly collect data from anyone under 13. if we learn an account belongs to a child under 13, we will delete it.

your rights

you can ask us to access, correct, or delete the data we hold about you at any time. email cyrusdemami@gmail.com from the address tied to your account and we'll respond within 30 days. this applies whether you're in California (CCPA), the EU/UK (GDPR), or anywhere else.

data retention

we keep your data while your account is active. if you delete your account, we purge your data within 30 days (a brief grace window in case you change your mind). server-side backups roll off within 90 days.

security

we use TLS on every request, encryption at rest on the database (provided by Supabase), and require multi-factor authentication on every admin account. no system is perfectly secure — but we take reasonable steps.

international users

tickr is hosted in the United States. if you use it from the EU, UK, or another region, your data is transferred to and processed in the US. we honor the basic rights GDPR and CCPA give you: access, deletion, correction, and a human at the other end of the email.

changes to this policy

if we change anything material, we'll update the "last updated" date at the top and email account holders for significant changes. small wording cleanups won't get an email.

contact

questions, requests, or a polite complaint? email cyrusdemami@gmail.com.