Privacy Policy

Last updated: 2026-05-03

This policy explains what we collect, why, how long we keep it, and your choices. We try to keep this short and honest.

What we collect

• Account info: email address, bcrypt-hashed password, subscription tier, account creation timestamp.
• API usage: which endpoints you called, when, and the HTTP status — used for quota tracking, debugging, and showing you your activity log.
• Login attempts: IP address and timestamp of each login attempt (success and failure), retained for up to 1 hour for brute-force protection.
• API keys: a SHA-256 hash of each long-lived fw_live_… key plus a name and prefix you set. We never store the plaintext key.
• Billing: handled by Stripe. We store your Stripe customer ID and subscription status; we never see or store your card number.
• Analytics: aggregated traffic stats via Google Analytics (anonymized IP). Used only to understand which pages get traffic.
• Support email: if you email us, we keep the thread to help you and to spot recurring issues.

What we don't collect

• Card numbers (Stripe handles those).
• Trading positions, broker accounts, or PII beyond your email.
• Cross-site tracking pixels or third-party advertising cookies.

Cookies

We use:

• localStorage for your JWT (so you stay logged in). Not strictly a cookie, but functionally similar — clear it by logging out.
• Google Analytics cookies (_ga, _ga_*) for traffic analytics. You can opt out via Google's opt-out add-on or any cookie-blocking browser extension.
• Google Ads cookies (_gcl_aw, _gcl_au) used solely to attribute conversions back to the ad campaign you arrived from. We do not use them for cross-site targeting and we don't sell ad audiences. The same Google opt-out add-on above blocks these.
• Stripe cookies on the Checkout page — required for payment processing.

How long we keep things

• Account info: until you delete the account.
• API usage logs: 90 days (rolling).
• Login attempt audit: 1 hour.
• Billing records: 7 years (legal/tax requirement).
• Support email: 2 years from last contact.

Who we share with

Four vendors, all required for the Service to work:

• Hostinger — hosts the application servers and database.
• Stripe — processes payments. Their privacy policy: stripe.com/privacy.
• Google Analytics (GA4) — aggregated traffic analytics.
• Google Ads — conversion measurement for the ad campaigns that brought you here. We share the fact that a signup or purchase happened, not who you are.

We don't sell your data. We don't share it with advertisers, brokers, or marketing networks.

Your rights

Depending on where you live (GDPR, CCPA, etc.), you may have the right to:

• Request a copy of the data we hold about you.
• Request correction or deletion of your data.
• Opt out of analytics.
• Withdraw consent for processing.

To exercise any of these, email support@factorweave.com. We respond within 30 days.

Security

Passwords are hashed with bcrypt. API keys are stored as SHA-256 hashes. All traffic uses HTTPS. We rate-limit login attempts to slow brute-force attacks. Despite this, no service is 100% secure — if you suspect your account is compromised, change your password and revoke your API keys immediately, then email us.

Children

Factor Weave isn't directed at children under 16. We don't knowingly collect data from anyone under 16. If you believe we have, email us and we'll delete it.

Changes

Material changes will be announced on this page with a revised "Last updated" date and, where reasonable, by email.

Contact

Privacy questions: support@factorweave.com.