Privacy Policy

Last updated: May 4, 2026 — Version 1.0

This Privacy Policy describes how personal data is processed when users access mab-arreca.com (the "Site") and the related services (the "Service"), in compliance with the EU Regulation 2016/679 ("GDPR") and Italian data protection law.

1. Data Controller

The Data Controller is:

  • Matteo Barreca (acting as a private individual, author and licensor of the Service under Italian Copyright Law)
  • Email: [email protected]
  • Location: La Spezia, Italy (full mailing address available on request via email)

2. Categories of Data Collected

The Service collects the following categories of personal data:

2.1 Data provided by the user

  • Registration data: email address and password (stored exclusively in cryptographically hashed form, never in plain text)
  • Whop OAuth data: Whop user ID, email, subscription status, products purchased. This data is received from Whop at login or at each session refresh

2.2 Data collected automatically

  • Technical data: IP address, browser type, operating system, pages visited, access timestamp (collected in server logs for security purposes)
  • Technical cookies: session token used to keep the user authenticated (essential cookie, see Section 8)

3. Purposes and Legal Bases

Purpose | Legal basis | Data processed
--- | --- | ---
Providing the Service (authentication, access to macro analyses, subscription management) | Performance of contract (Art. 6.1.b GDPR) | Email, password hash, Whop ID, subscription status
Site security (fraud prevention, abuse detection) | Legitimate interest (Art. 6.1.f GDPR) | IP address, access logs
Tax and accounting compliance (handled by Whop as merchant of record) | Legal obligation (Art. 6.1.c GDPR) | Payment data (collected and processed directly by Whop)
Responding to support requests | Performance of contract (Art. 6.1.b GDPR) | Email, content of communication

4. Recipients and Third-Party Processors

The following providers act as Data Processors under Art. 28 GDPR:

Provider | Service | Location and transfer
--- | --- | ---
Supabase, Inc. | Database and authentication backend | USA — transfer based on Standard Contractual Clauses (SCC)
Whop, Inc. | Subscription management and payment processing (merchant of record) | USA — SCC. Whop processes payment data independently under its own privacy policy
Cloudflare, Inc. | CDN, DNS, DDoS protection, domain registrar | USA — SCC
Anthropic, PBC | AI-generated macro analysis via Claude | USA — SCC. Only public market data is sent; no user personal data
Groq, Inc. | AI-generated market context | USA — SCC. Same principle: no user personal data is transmitted
VPS hosting | Application server | [INSERT PROVIDER AND LOCATION — e.g. Hetzner, Germany]

5. Data Retention

  • Account data: retained for the duration of the user's subscription. After account deletion, data is removed within 30 days
  • Session tokens: maximum 30 days from creation, then automatically expired and deleted
  • Access logs: maximum 90 days for security purposes, then deleted or anonymized
  • Payment-related data: retained by Whop according to its own policies and applicable tax law (typically 10 years under Italian law)

6. Your Rights (GDPR)

As a data subject, you may exercise the following rights under Articles 15-22 GDPR at any time:

  • Access: obtain confirmation of the existence of personal data and receive a copy
  • Rectification: request correction of inaccurate data
  • Erasure ("right to be forgotten"): request deletion when the data is no longer necessary
  • Restriction: request limitation of processing in specific cases
  • Portability: receive your data in a structured, machine-readable format
  • Objection: object to processing based on legitimate interest
  • Withdrawal of consent: withdraw any previously given consent at any time

To exercise these rights, write to [email protected]. Requests will be answered within 30 days.

You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali, www.garanteprivacy.it) or with your local supervisory authority.

7. Data Security

Appropriate technical and organizational measures are in place to protect personal data, including:

  • HTTPS encryption across the entire Site
  • Passwords stored exclusively in cryptographically hashed form
  • Session cookies marked HttpOnly, Secure and SameSite=Lax
  • Rate limiting to prevent automated attacks
  • Administrative access protected by separate authentication
  • Regular security updates of all systems

8. Cookies

The Site uses only essential technical cookies, necessary for the Service to function. Under Italian law (Art. 122 D.Lgs. 196/2003) and ePrivacy Directive guidance, no prior consent is required for these cookies.

Cookie | Purpose | Duration
--- | --- | ---
session | Keep the user authenticated | 30 days
oauth_pkce | Whop OAuth security flow (PKCE + CSRF) | 10 minutes

The Site does not use profiling cookies, marketing cookies, third-party trackers, or analytics tools.

9. Children's Data

The Service is not intended for individuals under 18 years of age. Data of minors is not knowingly collected. If we become aware of any such processing, we will delete the data promptly.

10. Changes to this Privacy Policy

This Privacy Policy may be updated. Material changes will be communicated by email to registered users with at least 15 days' notice. The last update date is shown at the top of this page.

11. Contact

For any questions regarding the processing of personal data, write to [email protected].