// legal · last updated 11 june 2026

Privacy Policy

Plain-English summary: We collect what we need to run your training, we don't sell your data, and you can export or delete it any time. The full version is below.

1. Introduction

This Privacy Policy describes how CandlePattern.app ("we", "us", or "our") collects, uses, stores, and protects your personal information when you use the CandlePattern.app platform and related services.

CandlePattern.app is a product of Corton Labs, a sole proprietorship operated by Anitta Corton, based in Toronto, Ontario, Canada. This policy complies with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

We are committed to protecting your privacy and handling your data with transparency and care. By using the platform, you agree to the practices described in this policy.

2. Information We Collect

Account data: email address, hashed password, display name, and profile preferences you choose to provide.

Training and usage data: drills attempted, scores, response times, pattern mastery levels, session duration, and feature interactions — used to power your dashboard, leaderboards, and progress tracking.

Device and technical data: browser type, operating system, IP address, approximate location (country/region), and crash logs — used for security, fraud prevention, and platform reliability.

Billing data: handled by our payment processor, Stripe. We store only a customer ID and subscription status. We never store your full card number on our servers.

Communications: support tickets, emails you send us, and survey responses you choose to submit.

3. How We Use Your Information

We use your personal data for the following purposes:

  • To provide the platform: authenticate you, save your training progress, and personalize your drill path
  • To improve the product: aggregate analytics on which drills work, where users get stuck, and which patterns are hardest
  • To communicate: send transactional emails (receipts, password resets, trial expiration notices) and, only if you opt in, product updates
  • To keep the platform safe: detect bots, abuse, fraud, and policy violations
  • To process payments and manage your subscription
  • To comply with applicable legal obligations, including PIPEDA and Canadian tax law

We will never sell your personal information to third parties.

4. Legal Basis for Processing

We process your personal data on the following grounds:

  • Contract: to fulfill our obligations to you as a subscriber
  • Legitimate interests: to operate, secure, and improve the platform
  • Legal obligations: to comply with applicable laws including PIPEDA
  • Consent: for marketing communications and any other processing where consent is required

5. Data Sharing

We do not sell your personal data. We may share it only with the following categories of recipients:

  • Payment processors: Stripe (stripe.com) processes checkout, subscription billing, and invoicing securely on our behalf. We intend to transition to Lemon Squeezy as our Merchant of Record in the future. You will be notified in advance of any such change.
  • Hosting and infrastructure providers: Cloudflare, Supabase, and Vercel — services that host the platform and store data
  • Email delivery providers: Resend or similar services used to send transactional emails
  • Analytics providers: privacy-preserving tools providing aggregated, anonymised usage insights
  • Error monitoring: services such as Sentry used to detect and resolve technical issues
  • Professional advisers: legal, accounting, and compliance professionals where necessary
  • Authorities: when required by applicable law, court order, or regulatory process

All third-party providers are contractually required to handle your data securely and only for the purposes we specify. We do not share your data with advertisers or data brokers.

6. International Transfers

Our infrastructure providers may process your data in countries outside Canada, including the United States and the European Union. Where applicable, we rely on Standard Contractual Clauses (SCCs) or other recognized adequacy mechanisms to ensure your data receives an appropriate level of protection.

7. Data Retention

We retain account and training progress data while your account is active. Financial and billing records are retained for a minimum of seven (7) years in accordance with Canadian tax law.

If you delete your account, we will delete or anonymize your personal data within 30 days, except where retention is required by law. Backups are purged on a rolling 90-day cycle.

8. Your Rights Under PIPEDA

Under PIPEDA, you have the right to:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that inaccurate or incomplete information be corrected
  • Withdrawal of consent — withdraw consent to our collection or use of your data, subject to legal or contractual restrictions
  • Complaint — file a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated

You can exercise most rights directly from your account settings, or by emailing privacy@candlepattern.app. We will respond within 30 days.

If you are located in the EU or UK, you also have rights under GDPR including erasure, restriction, portability, and objection. If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority.

9. Cookies and Tracking

Strictly necessary cookies: required for authentication and session management. These cannot be disabled without breaking the platform.

Analytics cookies: a small number of first-party analytics cookies used to understand aggregate product usage. Data is anonymized where possible.

We do not use third-party advertising cookies or cross-site trackers. You can clear cookies in your browser at any time; doing so will sign you out.

10. Security

We implement industry-standard safeguards to protect your data, including:

  • TLS encryption for data in transit
  • Encryption at rest for stored data
  • Hashed passwords
  • Row-level access control on the database
  • Rate limiting and bot protection
  • Regular security scans and assessments

No system is completely secure. If we detect a breach affecting your data, we will notify you and relevant regulators as required by applicable law.

11. Children's Privacy

CandlePattern.app is not directed at individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has created an account, contact us immediately and we will delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top reflects the current version. Continued use of the platform after changes take effect constitutes your acceptance.

13. Contact

Questions, requests, or complaints: email privacy@candlepattern.app.

CandlePattern.app is a product of Corton Labs — cortonlabs.com. Toronto, Ontario, Canada.

Export or delete your data any time from your account settings, or email privacy@candlepattern.app.
