Privacy Policy

Last updated: May 2026

What we collect, why we collect it, and the rights you have over your data. See also the Terms of Service and disclaimer.

Overview

This Privacy Policy describes what personal data The Crest Ledger (the "Service") collects, why it is collected, who it is shared with, how long it is kept, and the rights you have over it. The Service is operated from the United States and serves a global subscriber base; using the Service constitutes consent to the data practices described below.

We collect the minimum data needed to operate a subscription publication. We do not sell your personal data. We do not use third-party advertising tracking. We do not profile subscribers for targeted marketing.

Data we collect

Account data. The email address you sign in with. We do not store passwords; sign-in is via single-use magic link. We hash sign-in tokens and session tokens before persisting them so a leaked database file cannot be used to forge sessions.

Subscription data. When you subscribe to a paid tier, Stripe (our payment processor) issues a customer identifier and a subscription identifier that we store alongside your email. We do not see, store, or process your card number, expiry date, or CVC; those are handled directly by Stripe under their own PCI-compliant infrastructure.

Service-use data. If you submit an opinion request, an alert rule, a watchlist entry, or interact with the associated Discord bot, we record what you submitted and the time of submission. Discord interactions also involve your Discord user identifier (a numeric id) and the guild identifier of the server.

Operational logs. The Service's web server records request paths, response statuses, IP addresses, and user-agent strings for debugging, abuse prevention, and security forensics. These logs are kept for a short period and rotated.

How we use data

We use the data above to: authenticate sign-ins; deliver subscription content (web pages, emails, Discord posts) to subscribers entitled to receive it; process payments and prevent fraud; respond to support requests; diagnose bugs and security incidents; comply with legal obligations; and improve the Service.

We do not use your data for purposes unrelated to the Service. We do not sell, rent, or lease your data to third parties. We do not share your data with advertisers, data brokers, or third parties for their own marketing.

Service providers we share data with

Stripe (Stripe, Inc.) — payment processing. Stripe receives your email, your billing information, and the transaction details required to charge your card on a recurring basis. Stripe is the source of record for card-on-file data; we never see card numbers. See stripe.com/privacy for Stripe's policies.

Resend (Resend, Inc.) — transactional email delivery. Resend receives your email address and the body of any email we send to you (magic-link sign-in messages, alert notifications, billing receipts) for the purpose of delivering it.

Anthropic (Anthropic PBC) — large language model analysis. The Service sends ticker symbols, market data, and depersonalized prompt context to Anthropic's API to generate opinion writeups and similar content. Anthropic does not receive your email, your name, or any account-identifying information; the prompts are scoped to the analytical task.

Cloud hosting. The Service runs on a virtual machine hosted by a major cloud provider. The provider has infrastructure-level access to data at rest on the machine but is contractually bound not to access it for their own purposes.

Discord (Discord Inc.) — when you interact with the Service through the associated Discord bot, your Discord identifiers are visible to Discord. Your use of Discord is subject to Discord's own Privacy Policy.

Cookies and tracking

The website uses one first-party cookie to maintain your signed-in session. The cookie is HTTP-only (inaccessible to JavaScript), Secure (HTTPS-only), SameSite=Lax, and expires after a fixed period. The cookie holds an opaque session identifier; it does not encode your email or any personal data.

We do not use third-party tracking cookies. We do not embed analytics scripts that profile users across sites. We honor the Do Not Track browser signal where applicable.

Retention

Account and subscription records are kept while the account is active and for up to 90 days after closure for billing reconciliation, refund handling, and audit. Operational logs are kept for a rolling 30-day window. Opinion request and alert-rule records are kept for up to 90 days after the account is closed and then anonymized or deleted.

Closed-account data may be retained beyond these windows in summary or anonymized form (for example, aggregate subscription counts) and where required to comply with legal, tax, or regulatory obligations.

Your rights

You have the right to access the personal data we hold about you, request correction of inaccurate data, request deletion of your data, request a portable copy of your data, and unsubscribe from email communications. Email-marketing communications, where applicable, include a one-click unsubscribe link in every message.

California residents (CCPA / CPRA), residents of the European Economic Area, and residents of the United Kingdom (GDPR / UK GDPR) have the same rights described above and additionally have the right not to be discriminated against for exercising them, the right to limit the use of sensitive data, and the right to lodge a complaint with their local data-protection supervisory authority.

To exercise any right, contact us using the contact address at the bottom of this page. We will respond within the time period required by applicable law (30 days under most regimes; 45 days for CCPA requests).

Security

We protect data with reasonable administrative, technical, and physical safeguards. Sign-in tokens and session tokens are SHA-256 hashed before persistence. Magic links are single-use and expire within 10 minutes. The website is served over HTTPS with HSTS. Database files are accessible only to the operating process and the system operator.

No system is fully secure. If we discover a security incident materially affecting your data, we will notify you by email at the address associated with your account within the time required by applicable law.

Children

The Service is not directed at, and we do not knowingly collect personal data from, individuals under the age of 18. If you believe a minor has signed up, contact us using the address at the bottom of this page and we will delete the account and any associated data.

International users

The Service is operated from the United States, and data processed by the Service is stored on servers in the United States. By using the Service, you consent to your personal data being transferred to and processed in the United States, which may have data-protection laws different from those of your country of residence. Where applicable transfer mechanisms are required (for EEA / UK personal data, the appropriate Standard Contractual Clauses), we rely on those mechanisms with our service providers.

Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted at /privacy and, where the change materially affects how your data is used or shared, communicated by email. The "last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date of an update constitutes acceptance of the updated policy.


To exercise any right, or for any privacy question: reply to the email you signed up with — we'll respond from the same address.
