Privacy Policy
Effective February 13, 2026
1. Introduction
Welcome to TimeToBuyBitcoin.com ("we," "us," "our," or "the Service"). We are committed to protecting your privacy and ensuring you have a positive experience on our website. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our services.
Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Service. Your continued use of the Service following the posting of a revised Privacy Policy means that you accept and agree to the changes.
2. Data Controller & Contact Information
The Data Controller responsible for your personal data is:
- Name: Bela Varga
- Tax Identification Number: HU91627676
- Email: [email protected]
- Phone: +1 (940) 603-1770
- Address: Budapest, Hungary
If you have questions about this Privacy Policy or our privacy practices, please contact us using the information above.
3. What Data We Collect
We collect personal data that you provide directly and data collected automatically through your use of the Service. Below is a comprehensive table of all data categories processed:
| Data Category | Type | Purpose |
|---|---|---|
| Email Address | Provided directly | Account creation, magic link authentication, report notifications, communication |
| Stripe Customer ID | Generated by Stripe | Payment processing, subscription management, billing history |
| Stripe Subscription ID | Generated by Stripe | Track active subscription status and plan tier |
| Session Tokens | Generated by us | Maintain user sessions, authentication across requests |
| Magic Link Tokens | Generated by us | Passwordless authentication (single-use, 15-min expiry) |
| Theme Preference | User selection | Store light/dark mode preference for user experience |
| Preview Usage Cookie | Automatic tracking | Track whether free preview was accessed (enables paywall logic) |
| Device Fingerprint | Automatic collection | Session validation, fraud detection, abuse prevention |
| Last Login Timestamp | Automatic recording | Account security monitoring, session management |
| IP Address | Automatic collection | Security, abuse prevention, rate limiting, legal compliance |
| User Agent / Browser Info | Automatic collection | Device compatibility, performance optimization, security |
| Interaction Logs | Automatic collection | Error tracking, performance monitoring, service improvement |
3.1 What We Do NOT Collect or Store
- Credit card numbers (Stripe handles PCI-DSS Level 1 compliance)
- Passwords (we use passwordless magic link authentication)
- Personally identifiable information beyond email address (unless voluntarily provided)
- Biometric data
- Health data
- Financial account credentials
4. How We Collect Data
4.1 Data You Provide Directly
- Account Registration: When you create an account, we collect your email address
- Authentication: When you log in via magic link, we receive your email and generate a temporary authentication token
- Payment Information: Payment details are sent directly to Stripe and never transmitted through our servers
- Communication: When you contact us or opt in to notifications, we collect the information you provide
4.2 Data Collected Automatically
- Cookies: HTTP cookies (including httpOnly session tokens) to maintain authentication and preferences
- Server Logs: IP address, timestamps, request types, responses, error messages
- Device Information: Browser type, operating system, device fingerprint for security purposes
- Usage Analytics: Pages visited, features used, click patterns for service improvement
- Technical Data: Performance metrics, errors, API response times
4.3 Third-Party Sources
We receive limited data from third-party processors:
- Stripe: Customer ID, subscription status, payment method type (not card details)
- Mailgun: Email delivery status (bounces, opens for engagement purposes)
5. Legal Basis for Processing (Article 6, GDPR)
We process your personal data based on the following legal grounds under GDPR Article 6:
5.1 Contractual Necessity (Article 6(1)(b))
- Email address for account creation and authentication
- Stripe customer/subscription IDs for billing and service delivery
- Session tokens to provide the Service
- Interaction logs required to maintain system functionality
5.2 Legitimate Interests (Article 6(1)(f))
- Security & Fraud Prevention: Device fingerprints, IP addresses, rate limiting, abuse detection
- Service Improvement: Usage analytics, error tracking, performance optimization
- Legal Compliance: Retaining billing records for tax obligations (7 years)
- Communication: Account notifications, service updates (for existing customers)
5.3 Consent (Article 6(1)(a))
- Report Notifications: Email delivery of power law analysis reports (opt-in, easy to opt-out)
- Marketing Communications: Optional newsletters or announcements
5.4 Legal Obligation (Article 6(1)(c))
- Retention of billing records for tax compliance (EU/Hungarian tax law requires 7-year retention)
- Law enforcement requests subject to applicable legal processes
6. Purpose of Processing
Your personal data is processed for the following specific purposes:
- Service Delivery: Creating and maintaining your account, delivering analysis reports, managing subscriptions
- Authentication: Verifying your identity through magic link authentication (no passwords stored)
- Billing & Payments: Processing payments through Stripe, maintaining subscription status, issuing invoices
- Communications: Sending report notifications, service announcements, and support responses
- Security: Detecting and preventing fraud, abuse, unauthorized access, and rate limit violations
- Service Improvement: Analyzing usage patterns, identifying bugs, optimizing performance
- Legal Compliance: Maintaining records for tax purposes, responding to legal authorities when required
- User Experience: Remembering theme preferences, session management, personalizing interface
7. Data Retention Periods
We retain your personal data only as long as necessary for the purposes stated in this Privacy Policy, subject to applicable legal obligations:
- Magic Link Tokens: 15 minutes (automatically expired, single-use)
- Session Tokens: Until logout or browser close; maximum 30 days for persistent sessions
- Theme Preference & Preview Cookies: Until the user clears cookies or the cookie expires (typically 1 year)
- Device Fingerprint: Per session, cleared after logout
- Account Data (active users): Until account deletion
- Account Data (after deletion): 30 days (grace period for account recovery), then permanently deleted
- Billing & Payment Records: 7 years (Hungarian tax law requirement for business records)
- Email Delivery Logs: 30 days (Mailgun retention policy)
- Server Logs & Analytics: 90 days (automatic rotation)
- Last Login Timestamps: Kept until account deletion
If you request account deletion, we will delete your personal data except where retention is required by law (billing records, 7 years) or where we have a legitimate interest in maintaining it (fraud detection, conflict resolution).
8. Third-Party Data Processors
We use the following third-party service providers who process personal data on our behalf under Data Processing Agreements (DPAs):
8.1 Stripe Inc.
- Location: San Francisco, USA
- Purpose: Payment processing, subscription management, billing
- Data Shared: Email address, Stripe customer ID, subscription information
- Compliance: PCI-DSS Level 1 certified, SOC 2 Type II, Privacy Shield + Standard Contractual Clauses
- Privacy Policy: https://stripe.com/privacy
8.2 Mailgun / Sinch
- Location: San Antonio, USA
- Purpose: Email delivery (magic links, report notifications)
- Data Shared: Email address, report content (anonymized data)
- Technical Note: EU API endpoint (api.eu.mailgun.net) used for enhanced data protection
- Compliance: GDPR compliant, Standard Contractual Clauses
- Privacy Policy: https://www.mailgun.com/privacy/
8.3 Anthropic PBC
- Location: San Francisco, USA
- Purpose: AI-powered analysis generation (Claude API)
- Data Shared: Market data ONLY — no personal user data sent to Anthropic
- Important: Your email address, subscription status, and account details are never shared with Anthropic
- Compliance: Standard Contractual Clauses, see Anthropic's Privacy Policy
8.4 Hetzner Online GmbH
- Location: Gunzenhausen, Germany (EU)
- Purpose: VPS hosting, database storage, infrastructure
- Data Stored: All user data (SQLite database)
- Compliance: EU-based, GDPR compliant, encrypted at rest via Hetzner disk encryption
- Privacy Policy: https://www.hetzner.com/legal/privacy-policy
8.5 CryptoCompare Ltd
- Location: United Kingdom
- Purpose: Bitcoin price data API (market data only)
- Data Shared: None — we only receive Bitcoin price data
- Compliance: UK-based, GDPR compliant
8.6 TradingView Inc
- Location: USA
- Purpose: Technical indicator data (market data only)
- Data Shared: None — we only receive technical analysis data
- Compliance: Standard Contractual Clauses
8.7 Google Fonts (Google LLC)
- Location: USA
- Purpose: Font delivery via CDN
- Data Shared: IP address (for CDN request logging)
- Compliance: Standard Contractual Clauses, Google Privacy Policy
8.8 Cloudflare / jsDelivr
- Location: USA
- Purpose: CDN for D3.js (Cloudflare), Marked and DOMPurify (jsDelivr) libraries
- Data Shared: IP address (for CDN request logging)
- Compliance: Standard Contractual Clauses
9. International Data Transfers
The European Union has not made an adequacy decision for the USA. However, we ensure that your personal data transferred outside the EU/EEA is protected through the following mechanisms:
9.1 Standard Contractual Clauses (SCCs)
We have executed Standard Contractual Clauses (EU Commission Decision 2021/915 and UK SCCs) with all third-party processors that are located outside the EU/EEA:
- Stripe Inc. (USA) — Payment processing
- Mailgun / Sinch (USA) — Email delivery (EU API endpoint)
- Anthropic PBC (USA) — AI analysis (no personal data transferred)
- Google Fonts (USA) — Font delivery
- Cloudflare / jsDelivr (USA) — CDN services
9.2 Data Storage Location
- Primary Database (SQLite): Hetzner VPS in Germany (EU) — encrypted at rest
- Billing Data: Stripe (USA) under SCCs
- Email Logs: Mailgun (USA) under SCCs, EU API endpoint used
9.3 Your Rights Regarding International Transfers
You have the right to request information about the mechanisms protecting your data in international transfers. You may contact us for more details on the safeguards in place. You also have the right to lodge a complaint with your national Data Protection Authority if you believe your rights are not being adequately protected.
10. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to provide our Service, maintain your session, and improve user experience. For a detailed explanation of all cookies used, please refer to our Cookie Policy.
10.1 Types of Cookies Used
- Session Tokens (httpOnly): Securely store authentication credentials; automatically expire
- Theme Preference: Remember user's light/dark mode choice
- Preview Usage: Track whether free preview was accessed (for paywall logic)
- Analytics Cookies: Understand usage patterns and improve service
10.2 Local Storage
We may use browser local storage for storing non-sensitive preferences (e.g., theme, notification preferences). This data is never transmitted to our servers.
10.3 Cookie Consent
Essential cookies for authentication and service delivery are placed without prior consent (lawful basis: contract performance). Non-essential analytics cookies are placed only with your explicit consent.
11. Your Rights Under GDPR
You have the following rights regarding your personal data under the EU General Data Protection Regulation (GDPR):
11.1 Right to Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days of your request.
11.2 Right to Rectification (Article 16)
You have the right to correct inaccurate personal data or complete incomplete information. You can update your email address by logging into your account or by contacting us directly.
11.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data, except where we have a legal obligation to retain it. Note: We must retain billing records for 7 years for tax compliance purposes. After account deletion, personal data (except billing records) will be permanently deleted within 30 days.
11.4 Right to Restrict Processing (Article 18)
You may request that we restrict how we process your personal data in certain circumstances (e.g., while you dispute accuracy). During this period, we will only store your data but not actively process it for other purposes.
11.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., JSON, CSV) and to transmit it to another service provider without hindrance.
11.6 Right to Object (Article 21)
You may object to processing based on legitimate interests. You can opt out of non-essential communications and analytics at any time.
11.7 Right to Withdraw Consent (Article 7)
If you have given consent for specific processing (e.g., report notifications, analytics), you can withdraw it at any time. Withdrawal will not affect the lawfulness of processing before withdrawal.
11.8 Right to Lodge a Complaint (Article 77)
You have the right to lodge a complaint with your national Data Protection Authority. For users in Hungary, you may contact the National Data Protection Authority (Nemzeti Adatvédelmi Hivatal, NAIH):
- Website: https://naih.hu
- Email: [email protected]
- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
- Phone: +36 1 391 1400
11.9 Exercising Your Rights
To exercise any of the above rights, please send a request to [email protected] with:
- A clear description of the right you wish to exercise
- Your email address associated with your account
- Any additional information that helps us verify your identity
We will respond to your request within 30 days of receipt. If your request is complex, we may extend this period by two additional months and will notify you of the extension.
12. Email Communications & Notifications
12.1 Report Notifications
When you enable report notifications in your account settings, we send you email digests containing power law analysis reports. These are transactional communications related to your subscription.
- Sent via Mailgun (using EU API endpoint)
- You can opt out at any time in account settings or by clicking "unsubscribe" in the email footer
- Opting out does not affect your ability to use the Service
12.2 Magic Link Authentication Emails
For security and authentication purposes, we always send a magic link email when you attempt to log in. You cannot unsubscribe from these emails, as they are essential for account access.
12.3 Service & Security Notices
We may send important security notices (e.g., suspicious login attempts, password changes, subscription updates) that cannot be opted out of, as they are necessary for account protection.
12.4 Opt-Out Mechanism
All non-essential emails include an unsubscribe link. You can also manage communication preferences in your account settings or email us at [email protected].
13. Data Security Measures
We implement comprehensive security measures to protect your personal data from unauthorized access, alteration, disclosure, or destruction:
13.1 Transport Security
- HTTPS/TLS Encryption: All data in transit is encrypted using TLS 1.2 or higher
- HSTS Headers: HTTP Strict Transport Security enforces HTTPS connections
- Certificate Pinning: To prevent man-in-the-middle attacks
13.2 Storage Security
- Database Encryption: SQLite database encrypted at rest via Hetzner disk encryption
- WAL Mode: Write-Ahead Logging for data integrity and recovery
- Access Controls: Database access restricted to application servers only
13.3 Authentication & Session Management
- No Passwords Stored: Magic link passwordless authentication eliminates password breach risks
- httpOnly Cookies: Session tokens stored in httpOnly cookies (inaccessible to JavaScript, preventing XSS token theft)
- Secure Flag: Cookies sent only over HTTPS
- SameSite=Strict: Prevents CSRF attacks by restricting cookie transmission across sites
- Single-Use Magic Links: 15-minute expiry, one-time use tokens
13.4 Application Security
- Content Security Policy (CSP): Strict CSP headers prevent inline script injection and XSS
- Rate Limiting: Protection against brute force and DDoS attacks
- Input Validation: All user inputs validated and sanitized
- Output Encoding: Prevents injection attacks
- CORS Policy: Strict Cross-Origin Resource Sharing configuration
13.5 Data Access Policies
- Principle of Least Privilege: Access to personal data restricted to essential personnel
- No Third-Party Access: Developers cannot access production personal data except in security emergencies
- Audit Logging: All database access logged and monitored
13.6 Fraud & Abuse Prevention
- Device Fingerprinting: Detects suspicious login patterns and unauthorized account access
- IP Reputation Checking: Identifies known malicious IP addresses
- Rate Limiting: Prevents automated attacks and brute force attempts
- Anomaly Detection: Flags unusual account activity
13.7 Third-Party Security
- Stripe: PCI-DSS Level 1 certified — industry's highest payment security standard
- Mailgun: SOC 2 Type II certified email delivery service
- Hetzner: EU data center with SOC 2 compliance and automated backup systems
13.8 Regular Security Reviews
We conduct periodic security audits and testing to identify and address vulnerabilities. We stay current with security best practices and update our infrastructure regularly.
Important: While we implement robust security measures, no online system is 100% secure. If you suspect a security breach, please contact us immediately at [email protected].
14. Children's Privacy
Our Service is not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16. If we become aware that a child under 16 has provided us with personal data, we will promptly delete such information and terminate the child's account.
For users between 16 and 18, parental consent is recommended for account creation. If you are under 18 and have created an account without parental consent, please inform us immediately.
If you believe we have collected personal data from a child under 16, please contact us at [email protected].
15. Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify affected individuals: Without undue delay, and no later than 72 hours after becoming aware of the breach
- Notify the relevant Data Protection Authority: We will report the breach to the Hungarian Data Protection Authority (NAIH) within 72 hours
- Provide clear information: Details about the breach, potential consequences, and steps we are taking to mitigate harm
- Recommend protective measures: Guidance on actions you can take to protect yourself
You will be notified via email to the address associated with your account. If you suspect a security breach, please contact us immediately at [email protected].
16. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the revised Privacy Policy on this page and updating the "Effective" date.
If the changes materially affect how we use your personal data, we will provide at least 30 days' notice and may seek your explicit consent, depending on the nature of the changes.
Your continued use of the Service following the posting of changes means you accept the updated Privacy Policy. We encourage you to review this policy regularly to stay informed about how we protect your information.
17. Contact & Data Protection Authority
17.1 Contact the Data Controller
For questions about this Privacy Policy, to exercise your privacy rights, or to report a concern about our data handling practices:
- Email: [email protected]
- Phone: +1 (940) 603-1770
- Name: Bela Varga
- Tax ID: HU91627676
17.2 Contact Your Data Protection Authority
You have the right to lodge a complaint with the Data Protection Authority in your country. For users in Hungary or if we are subject to Hungarian law:
- Name: Nemzeti Adatvédelmi Hivatal (NAIH) — National Data Protection Authority of Hungary
- Website: https://naih.hu
- Email: [email protected]
- Address: 1125 Budapest, Szilágyi Erzsébet fasor 22/C, Hungary
- Phone: +36 1 391 1400
For users in other EU member states, you can find contact information for your local Data Protection Authority on the European Data Protection Board website.
18. Additional Resources
- Cookie Policy — Detailed information about our use of cookies
- Terms of Service — Our service terms and conditions
- EU Data Protection Resources — Official EU GDPR information
19. Summary of Key Points
- We collect minimal personal data (primarily email address and authentication tokens)
- We do not store payment card information — Stripe handles PCI-DSS compliance
- We do not use passwords; we employ secure magic link authentication
- Your data is stored in Germany (EU) with encryption at rest
- All international transfers are protected by Standard Contractual Clauses (SCCs)
- Session tokens are stored in httpOnly, Secure, SameSite cookies
- We comply fully with GDPR, with respect for all your data protection rights
- You can request access, correction, deletion, or portability of your data at any time
- We retain billing data for 7 years (legal requirement); other personal data is permanently deleted 30 days after account deletion
- You can opt out of report notifications but not essential security communications
Last Updated: February 13, 2026
Version: 1.0
Language: English