MarketLive

Privacy Policy

Last updated: June 22, 2026

Who we are

MarketLive is a Canadian financial information platform operated by UpCapital. Our Data Protection Officer can be reached at privacy@marketlive.ai. For postal correspondence, contact us via the email above and we will provide a mailing address.

What we collect

When you create an account, we collect:

  • Your email address and full name
  • A securely hashed copy of your password (bcrypt; we never see the plaintext)
  • Your notification preferences, watchlists, portfolio positions, price alerts, and discussion comments
  • Session cookies (essential) and optional analytics cookies
  • Basic request metadata (IP address, user-agent) in short-lived server logs for security & abuse prevention (retained ≤ 30 days)

We do not collect financial-account data, trading-account data, government IDs, or biometrics.

Lawful bases for processing (GDPR Art. 6)

  • Contract (Art. 6(1)(b)) — providing the account, watchlist, portfolio, alerts, and quote pages you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — security logging, abuse prevention, fraud protection, and aggregate product analytics where you have not opted in (very limited; restricted to first-party metadata).
  • Consent (Art. 6(1)(a)) — marketing emails, analytics cookies, and any optional third-party integrations. Withdraw at any time in Settings → Notifications.
  • Legal obligation (Art. 6(1)(c)) — responding to lawful requests from regulators or law-enforcement under Canadian, EU/EEA, or UK law.

How we use it

To provide the service (display quotes, send the alerts and digests you ask for), to improve MarketLive, to keep the service secure, and to meet legal obligations. We do not sell your data, period. We do not share data with advertisers.

Subprocessors

We use a small set of vendors to operate the service. Each is bound by a Data Processing Agreement and acts only on our instructions:

  • Vercel, Inc. (US) — application hosting & edge delivery.
  • Neon Inc. (US/EU regions available) — managed Postgres for accounts and user data.
  • Resend (US) — transactional and digest email delivery.
  • Anthropic PBC (US) — large-language-model processing of publicly available stock data to generate the "Explain this move" and AI digest features. We do not send personal data to the model.
  • Yahoo Finance (US) — public market-quote, news, and fundamentals data. We send the stock ticker, not your identity.

When we add or remove a subprocessor, this page is updated and (for material changes) you are notified by email at least 30 days in advance.

International transfers

Some subprocessors above operate from the United States. Transfers from the EEA, UK, or Switzerland to such recipients are protected by the European Commission's Standard Contractual Clauses (2021/914) and supplementary measures (encryption in transit and at rest, data-minimization at API boundaries). Where available we choose Canadian or EU regions for storage.

Retention

  • Account data — kept while your account is active; deleted within 30 days of account deletion.
  • Backups — purged on a rolling 35-day cycle.
  • Server access logs — retained no longer than 30 days, then deleted.
  • Email-delivery records (Resend) — retained for the period mandated by the provider, typically ≤ 90 days.

Your rights (GDPR / PIPEDA / Quebec Law 25 / UK GDPR)

  • Access & portability — export everything you've given us in Settings → Privacy & Data → Export.
  • Rectification — update your name and notification preferences in Settings.
  • Erasure (right to be forgotten) — delete your account and associated data in Settings → Privacy & Data → Delete account. Backups containing the deleted record are purged within 35 days.
  • Object & restrict — opt out of marketing emails and optional analytics any time in Settings → Notifications. Essential service emails (security alerts, password resets) continue while the account is open.
  • Withdraw consent — you may revoke any consent at any time without affecting prior lawful processing.
  • Automated decision-making — MarketLive does not make decisions about you that produce legal or similarly significant effects via automation alone.

We respond to verified rights requests within 30 days. You can also lodge a complaint with your supervisory authority — in the EU/EEA your national DPA; in the UK the ICO; in Canada the OPC; in Quebec the CAI.

Security & breach notification

Data is encrypted in transit (TLS 1.2+) and at rest. Passwords are stored hashed with bcrypt. Should we discover a personal-data breach likely to cause risk to your rights and freedoms, we will notify our supervisory authority within 72 hours and affected users without undue delay (GDPR Art. 33–34; PIPEDA breach-reporting regulations; Quebec Law 25 § 3.5).

Children

MarketLive is not directed at users under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, write to privacy@marketlive.ai and we will delete it.

Where we store data

Account data is stored in a managed Postgres instance with Canadian or EU primary regions where available. Quotes, news, and fundamentals are fetched from Yahoo Finance and are not associated with your identity. Operational logs reside on Vercel's infrastructure.

Changes

We will email you at least 30 days before any material change to this policy. Non-material edits (typo fixes, vendor renames) are reflected here with an updated "Last updated" date.