CompetitiveOS

Privacy Policy

Last updated: February 21, 2026

1. Overview

CompetitiveOS ("we", "us", "our") is committed to protecting your privacy. This policy explains how we collect, use, and protect your personal data when you use our competitive intelligence platform at www.market-eagle.com (the "Service").

2. Data Controller

The data controller for the purposes of the EU General Data Protection Regulation (GDPR) is the operator identified on our Imprint page.

3. Data We Collect

We collect the following categories of data:

  • Account data: Email address and password (hashed) when you register
  • Analysis data: Competitive analyses, data points, sources, insights, and changelog entries you or your AI agents create
  • Usage data: Log data including IP addresses, browser type, and access timestamps for security and debugging purposes
  • Analytics data (with consent): If you consent to analytics cookies, we collect anonymized usage data via Google Analytics 4, including pages visited, session duration, and general interaction patterns. No personally identifiable information is collected through analytics.

4. Legal Basis for Processing

We process your personal data based on the following legal grounds:

  • Contract performance (Art. 6(1)(b) GDPR): To provide the Service, manage your account, and process payments
  • Consent (Art. 6(1)(a) GDPR): For analytics cookies and any future marketing communications. You can withdraw consent at any time.
  • Legitimate interest (Art. 6(1)(f) GDPR): For security monitoring, fraud prevention, and debugging

5. How We Use Your Data

  • To provide and maintain the Service
  • To authenticate your identity
  • To enforce access control (workspace-based permissions)
  • To process payments via Stripe
  • To debug errors and improve the Service
  • To analyze website usage in aggregate (only with your consent)
  • To communicate service updates (if you opt in)

6. Data Storage and Hosting

All application data is stored in Supabase (PostgreSQL), hosted in the EU (eu-west-1 region, Ireland). Authentication is handled by Supabase Auth with JWT tokens.

Some third-party services (Vercel, Stripe, Google Analytics) may process data in the United States. These providers are covered by the EU-U.S. Data Privacy Framework or Standard Contractual Clauses to ensure adequate data protection.

7. Data Sharing and Third-Party Processors

We do not sell, rent, or share your personal data with third parties for marketing purposes. Data is shared only with the following processors, each bound by data processing agreements:

  • Supabase Inc.: Database and authentication (EU-hosted)
  • Vercel Inc.: Frontend hosting
  • Railway Corp.: Backend server hosting
  • Stripe Inc.: Payment processing. See Stripe's Privacy Policy
  • Google LLC: Analytics (Google Analytics 4), only with your explicit consent. See Google's Privacy Policy
  • Usercentrics A/S (Cookiebot): Consent management. See Cookiebot's Privacy Policy

8. Cookies and Consent Management

We use cookies and similar technologies on our website. We distinguish between the following categories:

  • Strictly necessary cookies: Required for core functionality such as authentication, session management, and security. These cookies do not require your consent.
  • Analytics cookies: Used to understand how visitors interact with our website (e.g., Google Analytics 4). These cookies are only set after you give explicit consent.
  • Preference cookies: Used to remember your settings and choices. Only set with your consent.
  • Marketing cookies: We do not currently use marketing cookies. Should this change, they will only be activated with your explicit consent.

Consent Management (Cookiebot)

We use Cookiebot by Usercentrics as our Consent Management Platform (CMP). When you first visit our website, a cookie banner allows you to accept or reject non-essential cookies by category. Your consent choice is stored in a cookie and applies across the entire website.

You can change or withdraw your consent at any time by clicking the cookie settings icon on our website, or by visiting our Cookie Declaration.

Google Consent Mode v2

We use Google Consent Mode v2 to ensure that Google Analytics respects your cookie preferences. If you do not consent to analytics cookies, no analytics data is collected. Google may use privacy-safe modeling to estimate aggregated trends based on consenting users' data, without identifying individual users.

9. Your Rights (GDPR)

Under GDPR, you have the right to:

  • Access your personal data (Art. 15)
  • Rectify inaccurate data (Art. 16)
  • Erasure of your data (Art. 17)
  • Restrict processing (Art. 18)
  • Data portability (Art. 20)
  • Object to processing (Art. 21)
  • Withdraw consent at any time without affecting the lawfulness of prior processing (Art. 7(3))
  • Lodge a complaint with a supervisory authority (Art. 77)

To exercise any of these rights, contact us through the information on our Imprint page.

10. Data Retention

We retain your data for as long as your account is active. When you delete your account, your personal data will be removed within 30 days. Anonymized analytics data may be retained in aggregate form. Consent records are retained for the duration required by applicable law.

11. Security

We use industry-standard security measures including:

  • Encrypted connections (HTTPS/TLS)
  • Row-Level Security (RLS) at the database level
  • JWT-based authentication with ES256 algorithm
  • Hashed passwords (via Supabase Auth)

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The date at the top of this page indicates the latest revision.

13. Contact

For privacy-related questions, contact us through the information on our Imprint page.