Privacy Policy

Last updated: 10 May 2026

This policy explains what personal data spreadprofit.pro ("we", "us", "the service") collects, why we collect it, who we share it with, and what rights you have over it.

Reading time: about 4 minutes. We've written this in plain English on purpose.

1. Who we are

spreadprofit.pro is a subscription-gated dashboard that surfaces real-time funding-rate spreads across centralised crypto exchanges. We're a small operator and you can reach us anytime via Telegram (@al1ex2).

2. What we collect

Account data

When you sign in, we receive a small set of identifiers from your chosen auth provider:

• Telegram: numeric user ID, username, first/last name, optional photo URL.
• Discord: numeric user ID, username, display name, optional avatar URL.
• Google: numeric user ID ("sub"), email address, name, optional picture URL.
• Email magic-link: just your email address (used as your account identifier).

We never receive or store your password from any of these providers - they're all token-based.

Subscription data

If you subscribe, we record the plan you picked, the chain you paid on, the transaction hash you submitted, and the dates of payment + activation + expiry. We do not see or store the cryptocurrency wallet you sent from.

Server logs

Like every web service, our hosting provider (Railway) records standard request metadata: IP address, user agent, request path, response status, and timestamp. We use these for debugging and security only. They're rotated automatically and we don't link them to your account.

Cookies

We set a small number of cookies, all functional or marketing:

• fsaas_session - signed cookie holding your user ID. Lets you stay signed in for 30 days. HttpOnly + Secure + SameSite=Lax.
• _fbp, _fbc - set by the Meta Pixel (see below) for ad attribution.

Marketing & ad analytics (Meta Pixel)

We run Meta (Facebook) Pixel on the public landing page and the paywall page. It fires three events: PageView on every visit, Lead when you click an auth button, and Purchase when you submit a payment. The pixel sends Meta a hashed version of your visit (referrer, page URL, our pixel ID) plus the cookies above. We use this strictly to measure how our Facebook ads perform - we don't run remarketing on individual users.

You can block this entirely with any tracking-protection extension (uBlock Origin, Brave Shields, Safari ITP). The site still works fully without it.

3. How we use your data

• To authenticate you and keep you signed in.
• To verify and activate your subscription after you submit a payment.
• To run the live spread feed and personalise your dashboard view.
• To measure conversion from our ads (in aggregate).
• To debug bugs and prevent abuse.

4. Who we share data with

We use these third parties to operate the service. We do not sell, rent, or trade your data.

• Railway - our hosting provider. Stores the database (your account row + subscription history). Has standard data-processing terms.
• Meta (Facebook) - receives Pixel events when you visit pages with the pixel installed (landing + paywall). See section 2.
• Resend - delivers the magic-link sign-in emails. Receives only the destination email address and the link contents.
• Cloudflare - DNS / proxy. Sees request metadata (IP, host, path) inherent in routing traffic.
• Telegram, Discord, Google - if you sign in with these, you authenticate against their servers. We only receive the data listed in section 2.

5. Data retention

• Account row: kept for as long as your account exists.
• Sessions: 30-day rolling expiry.
• Subscription history + payment records: retained indefinitely (we need them for accounting and to honour future re-subscriptions).
• Server logs: rotated by Railway, typically 7-14 days.
• Meta Pixel cookies: governed by Meta's own retention rules.

6. Your rights

Depending on where you live (GDPR in the EU, CCPA in California, etc.) you may have legal rights over your personal data. In every case we'll respect these:

• Access - request a copy of what we have on you.
• Deletion - request that we delete your account and associated data (subscriptions kept for accounting unless you request specific erasure).
• Correction - if anything's wrong, we'll fix it.
• Opt-out of marketing tracking - block the pixel via your browser; nothing else changes.

To exercise any of these, message us on Telegram. We respond within 7 days.

7. Security

Data in transit is over TLS 1.2+. Sessions are signed with HMAC and cookies are HttpOnly + Secure. We don't store passwords (there are none to store). Subscription payments are made directly on-chain to wallets we publish on the paywall - we never custody your funds.

8. Children

This service is not directed at people under 18. If you believe a minor has signed up, message us and we'll close the account.

9. Changes to this policy

If we change anything material, we'll update the "Last updated" date at the top and, where reasonable, notify you in-app the next time you sign in.

10. Contact

Questions about this policy or your data? Message us on Telegram (@al1ex2) - we read everything.