Privacy policy
Last updated: 15 May 2026
1. General provisions
At TradePirate, we take the privacy of our readers seriously. The protection and confidentiality of your personal data is of particular importance to us. This Privacy Policy (the Policy) applies to the website at tradepirate.io and the digital books, volumes, and related services published under the name The Field Guides (together, the Service). It explains what categories of personal data we collect about you, how we use that data, the legal bases on which we rely, with whom we share it, how long we keep it, how you may exercise your rights, and our overall commitment to protecting your privacy when you interact with the Service.
Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the GDPR), we hereby provide you with the information concerning the processing of your personal data set out below. Personal data are processed in accordance with the GDPR, the Bulgarian Personal Data Protection Act, Directive 2002/58/EC (the ePrivacy Directive) as transposed into Bulgarian law, and any other applicable legislation in connection with the protection of personal data (together, the Applicable legislation).
By accessing, registering for, or using any part of the Service, you agree to be bound by this Policy and our Terms of Use (available at tradepirate.io/en/terms-of-use) and by all applicable laws, rules, and regulations. If you do not agree with this Policy, please stop using the Service.
We may modify this Policy in whole or in part at our discretion, including for changes in functionality, new product releases, regulatory changes, or any other necessary reason. When changes are made we will update the version on the Site and make reasonable efforts to notify Users of material modifications. The Last updated date at the top of this Policy indicates the effective date of the current version. It is your responsibility to stay informed of our practices by reviewing the current version on the Site. Your continued use of the Service after a change has taken effect constitutes your acceptance of the revised Policy. If you do not agree, you must stop using the Service.
2. Data controller
The personal data collected through the Service is processed by Tunemind, Ltd., a Bulgarian limited liability company registered in the Commercial Register and the Register of NPLE at the Registry Agency under UIC 207152429, having its registered seat and address of management at Bul. Vitosha no. 1, fl. 3, 1000 Sofia, Bulgaria, trading under the name TradePirate, in its capacity as data controller (the Controller, we, us, our).
Contact details:
Tunemind, Ltd.
UIC 207152429
Registered seat: Bul. Vitosha no. 1, fl. 3, 1000 Sofia, Bulgaria
Email: hello@tradepirate.io
Given our scale and the nature of our processing, we are not required to appoint a Data Protection Officer under Article 37 of the GDPR. Privacy enquiries are handled by the Controller at the address above.
3. Definitions
In this Policy, the following defined terms have the meanings set out below; other terms used in the GDPR have the meanings given to them in Article 4 of the GDPR.
Applicable legislation has the meaning given in clause 1.
Consent means any freely given, specific, informed, and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to you.
Controller means the entity identified in clause 2.
Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing means any operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means.
Processor means a natural or legal person, public authority, agency, or other body that processes personal data on behalf of the Controller.
Recipient means a natural or legal person, public authority, agency, or another body to which personal data is disclosed, whether a third party or not.
Special categories of personal data means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.
Third party means a natural or legal person, public authority, agency, or body other than the data subject, the Controller, the Processor, and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.
You, your, and User mean the individual whose personal data is being processed.
4. Scope of this Policy
This Policy covers personal data we process as Controller through the Service. It does not cover the practices of third-party services to which the Service links or with which it interoperates; those services are governed by their own privacy notices. Where this Policy describes processing carried out by a third-party Processor on our behalf, the Processor processes that data under a written data-processing agreement compliant with Article 28 of the GDPR.
5. What information we collect
We aim to collect only what we need to provide the Service, to comply with the law, and to keep the Service safe. Where the information is not necessary for compliance with a legal obligation, for the performance of a contract to which you are a party, for taking steps at your request before concluding a contract, for our legitimate interests, or to protect your vital interests, we will ask for your Consent and inform you of the consequences of any refusal.
We do not collect Special categories of personal data through the Service, and we do not ask you to provide any. If you voluntarily include Special categories of personal data in communications with us, you understand that we may need to process such data to respond to your communication, on the basis of your explicit Consent under Article 9(2)(a) of the GDPR.
5.1 Information you provide to us
Account information. When you register for an Account, we collect your email address and a password. The password is stored only as a salted, irreversibly hashed value by our authentication provider; we do not have access to your plain-text password. If you sign in using Google, we receive your email address, display name, profile picture, and a Google account identifier from Google's OAuth response. For every Account we also store a unique internal user identifier, the sign-in providers linked to the Account, the timestamps of Account creation, last sign-in, and any password reset, and basic session metadata used to keep you signed in securely.
Payment information. If you choose to purchase a Volume or Book, you complete payment on a hosted checkout page operated by our Payment Processor on the Payment Processor's own domain. Card numbers, card-verification values, bank-account details, and other full payment-instrument data are collected directly by the Payment Processor and do not pass through or land on our servers. From the Payment Processor we receive a purchase record containing: the email address used at checkout; the product purchased; the price, currency, and date of purchase; the country and, where required for tax reporting, the billing-address fields you provide to the Payment Processor; the last four digits and brand of the payment instrument (for receipt and dispute purposes only); the Payment Processor customer identifier; and the Payment Processor session and charge identifiers.
Communication and support information. If you contact us by email or through any other channel, we process your message, your contact details, any attachments, the Services you used, and our correspondence with you. To assist you with technical issues you may voluntarily share details about your device, operating system, and browser.
Feedback information. If you send us comments, suggestions, ideas, error reports, or other feedback about the Service, we collect the information you choose to include, which may include your name, email address, Services used, and the substance of your message.
Marketing-consent information. If you opt in to marketing emails, we record the fact, the time, and the source of your opt-in, your unsubscribe status, and basic delivery and engagement metadata from our email-delivery provider.
5.2 Information we collect automatically when you use the Service
Entitlement data. We store which Volumes and Books are unlocked for your Account and the date on which each entitlement was granted. When you open paid Content, our authentication system verifies your entitlement on a cloud function before the Content is streamed to your browser. Each such verification creates a short, transient server log.
Technical, security, and log data. Our hosting, authentication, database, and cloud-function providers automatically generate logs in the ordinary course of their operation. Those logs may contain your IP address, user-agent string and basic device information, the URL or endpoint requested, HTTP status codes and response times, referrer headers, timestamps, and a coarse geographic location derived from the IP address. We use these logs to operate and secure the Service, to investigate abuse and fraud, to debug incidents, and to satisfy regulatory or law-enforcement obligations.
Preference data. We store a small theme-preference cookie that records whether you prefer light or dark colour mode so that the Service does not flash on reload. It is a strictly functional cookie that contains no identifier we can use to recognise you across sites or devices.
Analytics data. We do not load Google Analytics, advertising trackers, social-media pixels, session-replay tools, or behavioural-advertising software, and we do not engage in cross-site tracking or build behavioural profiles. We use Umami, a privacy-respecting analytics tool configured to operate without cookies and without collecting personal identifiers. We record only aggregate page-view counts, referrers, and approximate country information derived from anonymised IP addresses. See clause 9.4 for further details.
5.3 Information we receive from third parties
We may also receive information about you from third parties, including: the Payment Processor (the purchase records described in clause 5.1); social-media platforms, if you contact us through them (your handle, display name, and the content of your message); and identity-providers used for sign-in (in particular Google's OAuth response, as described above).
6. How we use your information and our legal bases
We process your personal data only for the purposes for which it has been collected, and only where one of the legal bases set out in Article 6 of the GDPR applies. Our purposes and the corresponding legal bases are:
(a) Account creation and operation; authentication; keeping you signed in; allowing you to access and manage your Account. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
(b) Order processing and delivery of purchased Content; issuing invoices and durable-medium confirmations; granting and verifying entitlements; providing customer support. Legal basis: performance of a contract (Art. 6(1)(b) GDPR).
(c) Transactional communications — Order Confirmations, password-reset emails, security alerts, service announcements material to your use of the Service, and complaint responses. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and, where relevant, our legitimate interests in operating the Service safely and lawfully (Art. 6(1)(f) GDPR).
(d) Marketing communications — sending you newsletters, launch announcements, and reading suggestions, where you have opted in. Legal basis: your Consent (Art. 6(1)(a) GDPR), which you may withdraw at any time without affecting the lawfulness of prior processing.
(e) Compliance with legal obligations, including accounting, tax, consumer-protection, anti-fraud, and anti-money-laundering obligations, responding to lawful requests from authorities, and handling data-subject rights requests. Legal basis: compliance with a legal obligation (Art. 6(1)(c) GDPR).
(f) Security, fraud prevention, and abuse handling — detecting, preventing, and responding to fraud, payment disputes, unauthorised access, abuse, scraping, credential sharing, and other misuse, and enforcing our Terms of Use. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in keeping the Service safe, protecting our intellectual property, and defending against claims, balanced against your rights and freedoms.
(g) Service improvement and aggregate analytics — understanding which Content is read and improving the Service through cookieless, non-identifying analytics, when and if introduced as described in clause 5.2. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in improving the Service.
(h) Establishment, exercise, or defence of legal claims — bringing or defending legal proceedings and enforcing our rights. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) and, where applicable, compliance with a legal obligation (Art. 6(1)(c) GDPR).
(i) Corporate-transaction support — sharing personal data with a counterparty or successor in connection with a potential or completed sale, merger, reorganisation, or transfer of the business. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in conducting our business, subject to appropriate safeguards.
Where we rely on legitimate interests, you have the right to object on grounds relating to your particular situation under Article 21 GDPR (see clause 14).
Where the processing of your personal data is based on your Consent, you may withdraw your Consent at any time by writing to hello@tradepirate.io. Your personal data processed on the basis of that Consent will be deleted from our systems within one (1) month of receipt of your withdrawal request, except where we are required or permitted to retain it under clause 12. The withdrawal of Consent does not affect the lawfulness of processing carried out before the withdrawal. Where you wish to withdraw Consent only for direct-marketing purposes, please see clause 10.
7. Cookies and similar technologies
We use only technologies that are strictly necessary for the Service to function or that are limited functional preferences:
(a) a first-party theme preference cookie (functional; stores only "light" or "dark"; expires after twelve months);
(b) the local-storage entries that Firebase Authentication uses to maintain your sign-in session (strictly necessary for the sign-in feature you have requested);
(c) short-lived security tokens used during the hosted Stripe checkout flow (strictly necessary for payment processing).
None of these are advertising, profiling, or cross-site tracking cookies. Because we use only strictly necessary and functional technologies, no cookie-consent banner is displayed. If we ever introduce non-essential cookies, we will request your prior Consent through a clear consent interface, in line with Article 5(3) of the ePrivacy Directive.
8. Sharing of your information
Access to your personal data within our organisation is limited to the Controller and to any contractors authorised by the Controller and bound by confidentiality obligations, in each case on a need-to-know basis.
We do not sell or rent your personal data and we do not disclose it for any third party's independent direct-marketing purposes. We share personal data only with the categories of recipient set out below:
(a) Service Providers — third-party providers we rely on for essential functions such as web hosting, authentication, database storage, cloud functions, payment processing, and email delivery. Service Providers are contractually obligated to adhere to strict security and privacy terms when handling your personal data and only for the purpose of delivering their service to us. The specific Service Providers we use are listed in clause 9.
(b) Professional advisers outside of TradePirate, such as lawyers, accountants, tax advisers, and auditors, who are bound by duties of confidentiality, where it is necessary for our legitimate interest to provide us with a particular service and to the extent that the information is necessary for the performance of the functions assigned to them.
(c) Public authorities and other parties, where disclosure is required by applicable law, court order, or request from a competent authority, or where it is necessary to establish, exercise, or defend legal claims, prevent fraud or harm, or protect the rights, property, or safety of the Service, us, our Users, or others.
(d) Successors in a corporate transaction — in the event of a sale, merger, reorganisation, dissolution, or similar transaction, the personal data we hold may be transferred to the acquirer or successor as part of that transaction, subject to the same protections set out in this Policy or notified to you in advance.
(e) Anonymised and aggregated data may be shared with partners, service providers, or the public; this data does not identify individuals and is not subject to data-protection law.
9. Third-party Service Providers
We use the following Service Providers to deliver the Service. We reserve the right to add or remove Service Providers at any point in the future. We will update this Policy in advance of any material change.
9.1 Google Firebase
We rely on Google's Firebase platform for hosting, authentication, database, cloud functions, and related infrastructure. The specific Firebase services we use include Firebase Hosting, Cloud Firestore, Cloud Functions for Firebase, Firebase Authentication, and Firebase App Check. Our contracting entity is Google Cloud EMEA Limited (Ireland), with Google LLC (United States) acting as sub-processor. Information about Firebase's privacy and security practices is available at firebase.google.com/support/privacy. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interests in operating the Service (Art. 6(1)(f) GDPR).
9.2 Stripe
We use Stripe to process payments, host the checkout page, issue receipts, detect fraud, and provide customer-portal features. Our contracting entity for customers in the European Economic Area is Stripe Technology Europe Limited (Ireland), with Stripe, Inc. (United States) acting as sub-processor for certain functions. Information about Stripe's privacy practices is available at stripe.com/privacy. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) and our legitimate interests in offering secure payment (Art. 6(1)(f) GDPR).
9.3 Resend
We use Resend (resend.com), operated by Resend, Inc. (United States), to send transactional and, where you have opted in, marketing emails. Your email address, name (if provided), and the content and engagement metadata of the messages we send you are processed by Resend on our behalf. Information about Resend's privacy practices is available at resend.com/legal/privacy-policy. Legal basis: performance of a contract (Art. 6(1)(b) GDPR) for transactional messages; your Consent (Art. 6(1)(a) GDPR) for marketing messages.
9.4 Umami Analytics
We use Umami (umami.is) to collect aggregate usage data about the Service. Umami is configured to operate without cookies and without collecting personal identifiers. We record only aggregate page-view counts, referrers, and approximate country information derived from anonymised IP addresses. No data that could identify an individual is collected or stored. Information about Umami's privacy practices is available at umami.is/privacy. Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) in understanding aggregate use of the Service.
10. Marketing communications
We send transactional messages (Order Confirmations, password resets, security alerts, complaint responses, and other messages that are necessary to perform our contract with you or to comply with the law) without separate Consent and for as long as your Account exists. You cannot opt out of these product- and security-related messages while you continue to use the Service.
We send marketing emails — such as announcements of new Volumes, launches, and occasional reading suggestions — only if you have explicitly opted in by a clear affirmative action, such as ticking an unticked-by-default checkbox at sign-up or on a dedicated subscription form. Every marketing email contains a one-click unsubscribe link in the footer. You may also withdraw your Consent at any time by writing to hello@tradepirate.io. Withdrawing Consent for marketing does not affect transactional communications or the lawfulness of any processing carried out before the withdrawal.
11. How we store your information; international transfers
We are based in Bulgaria, but we use Service Providers that operate outside the European Economic Area. You understand that your personal data may be transferred internationally to provide the Service effectively. In particular, our Firebase Hosting, Firestore, and Cloud Functions are currently deployed in Google's us-central1 region, which means that your Account data, purchase records, entitlement records, and server logs are transferred to and stored in the United States.
We rely on the following legal mechanisms for these transfers under Chapter V of the GDPR:
(a) the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), incorporated into our agreements with the relevant Processors, supplemented by additional technical and organisational measures including encryption in transit (TLS) and encryption at rest; and
(b) where applicable, the EU–US Data Privacy Framework adequacy decision of 10 July 2023, in respect of certified recipients in the United States.
You may request a copy of, or further information about, the transfer safeguards in place by writing to hello@tradepirate.io.
12. How long we keep your personal data
We process and store your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by Applicable legislation. The retention period for each category is determined by (i) the periods required for compliance with Applicable legislation, and (ii) the periods necessary for the protection of our legitimate rights and interests, including the establishment, exercise, or defence of legal claims.
(a) Account data — for as long as your Account is active. If you close your Account, we delete or anonymise your Account data within thirty (30) days, except for data we are legally required or permitted to retain under (b) or (e).
(b) Invoice, purchase, and accounting records — for the period required by Bulgarian tax and accounting law, currently up to ten (10) years for accounting registers and financial statements, and shorter periods for other categories of document. Retention runs from the end of the financial year to which the document relates.
(c) Server, security, and authentication logs — up to ninety (90) days from creation, unless retained longer for the investigation of a specific incident, in which case retention is limited to what is necessary for that investigation and any resulting proceedings.
(d) Marketing-consent records and email logs — for as long as you remain subscribed and for up to thirty-six (36) months after unsubscription, to demonstrate compliance with our Consent obligations.
(e) Records connected to legal claims or proceedings — for the duration of the relevant limitation periods under Bulgarian law and for a reasonable period afterwards, to enable us to establish, exercise, or defend legal claims.
(f) Aggregate analytics data has no individual identifier and may be retained indefinitely.
After termination of your Account, some personal data may be retained by us and our Service Providers for the periods set out above. Anonymised data may be retained and used indefinitely.
13. Security
We have implemented technical and organisational measures appropriate to the risk under Article 32 of the GDPR, including: transport-layer encryption (HTTPS) for all traffic; encryption at rest in Google Cloud and Firestore; salted, hashed password storage by Firebase Authentication; principle-of-least-privilege access controls and per-user Firebase Security Rules; server-side verification of entitlements before paid Content is delivered; restricted Stripe API keys with scope and rate limits; secret management through environment variables and secret managers; and regular software updates of our application stack and dependencies.
To help protect your Account, you are encouraged to choose a strong password, to keep your credentials confidential, and to avoid sharing or distributing them. If you suspect unauthorised access to your Account or notice suspicious activity, please contact us at hello@tradepirate.io immediately.
No system can be guaranteed fully secure. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the Bulgarian Commission for Personal Data Protection without undue delay and, where feasible, within seventy-two (72) hours of becoming aware, in accordance with Article 33 of the GDPR. Where the breach is likely to result in a high risk, we will also notify affected data subjects without undue delay under Article 34.
14. Your rights regarding your personal data
Subject to the conditions set out in the GDPR, you have the following rights in relation to your personal data:
(a) the right of access — to obtain confirmation of whether we process your personal data and, if so, a copy of that data and information about the processing (Art. 15 GDPR);
(b) the right to rectification of inaccurate or incomplete data (Art. 16 GDPR);
(c) the right to erasure in the circumstances set out in Article 17 GDPR, subject to retention obligations we cannot lawfully override;
(d) the right to restriction of processing in the circumstances set out in Article 18 GDPR;
(e) the right to data portability — to receive a copy of the personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller (Art. 20 GDPR);
(f) the right to object, on grounds relating to your particular situation, to processing based on our legitimate interests; and the absolute right to object to processing for direct-marketing purposes at any time (Art. 21 GDPR);
(g) the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22 GDPR) — see clause 15;
(h) the right to withdraw Consent, where processing is based on Consent, at any time and without affecting the lawfulness of prior processing (Art. 7(3) GDPR); and
(i) the right to lodge a complaint with a supervisory authority (Art. 77 GDPR) — see clause 17.
Account management. You can update your account email and password at any time by signing into the Service and going to your profile settings. You can delete your Account from the profile settings, or by contacting us at hello@tradepirate.io. After Account deletion, some personal data may be retained by us and our Service Providers for the periods set out in clause 12.
Verification. To protect your data and to prevent the unauthorised exercise of rights by third parties, when you submit a rights request we may ask you to verify your identity or provide additional information to confirm that you, or your authorised representative, are entitled to submit the request. We may also ask that the information provided match the information we hold. If you fail to provide the necessary information, we may be unable to process your request.
How to exercise your rights. Write to hello@tradepirate.io. We will respond without undue delay and in any event within one (1) month of receiving your request. We may extend this period by up to two further months where the request is complex or where we receive multiple requests, and we will inform you of any extension within the first month, together with the reasons for it.
Fees. Exercising your rights is free; however, we may charge a reasonable fee or refuse to act on requests that are manifestly unfounded or excessive, in particular because of their repetitive character, as permitted by Article 12(5) of the GDPR.
Your rights regarding personal data are important but not absolute, and may be subject to limitations expressly set out in the GDPR and other Applicable legislation. Such limitations ensure a balance between individual freedoms, legal obligations, and the safety of individuals and our community.
15. Automated decision-making and profiling
We do not make decisions about you based solely on automated processing that produce legal effects concerning you or similarly significantly affect you within the meaning of Article 22 of the GDPR. Stripe operates automated fraud-detection systems on its payments platform; the consequences of those systems (such as declining a payment) flow from Stripe's own processing, and you can find more information in Stripe's privacy notice.
16. Children's privacy
The Service is directed at adults aged eighteen (18) or over. We do not knowingly collect personal data from children under this age and we do not allow them to register for the Service. If you are under 18, you may use the Service only with the involvement and the consent of a parent or legal guardian, and the parent or guardian must create and use the Account on your behalf while ensuring compliance with our Terms of Use. We are not responsible for any Account registered or used by a person who has misrepresented their age.
If you are a parent or guardian and believe that a child has provided us with personal data, please contact us at hello@tradepirate.io and we will take all reasonable steps to ensure that such information is promptly removed from our systems.
17. Complaints and supervisory authority
We hope to resolve any privacy concern directly with you. If you are not satisfied, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement. The Bulgarian supervisory authority is:
Commission for Personal Data Protection (Комисия за защита на личните данни)
Address: 2 Prof. Tsvetan Lazarov Blvd., 1592 Sofia, Bulgaria
Tel: +359 2 91 53 518
Email: kzld@cpdp.bg
Web: cpdp.bg
If you have a complaint, we would be grateful if you would contact us first so that we can try to help you.
18. Third-party services and links
The Service may contain links to third-party websites or integrate with third-party services that are not operated by us. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices before providing any personal data to them.
19. Governing law and jurisdiction
This Policy is governed by and construed in accordance with the laws of the Republic of Bulgaria. Disputes arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the competent courts in Sofia, Bulgaria, without prejudice to your right under Article 79 GDPR to seek an effective judicial remedy before the courts of your habitual residence.
20. Changes to this Policy
We may update this Privacy Policy from time to time. The Last-updated date at the top of this page will be updated to reflect the change. For material changes that affect your rights or our processing in a way that would not be reasonably expected, we will take reasonable steps to notify you in advance, including by email to the address registered on your Account and by a notice on the Service. Your continued use of the Service after the changes take effect means that you accept the updated Policy, without prejudice to your rights under clause 14.
21. Contact
Questions, requests, or complaints relating to your personal data can be sent to hello@tradepirate.io. We aim to respond within the timeframes set out in clause 14.