NationsData

Privacy Policy

Effective: April 2, 2026

NationsData ("we," "us," "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your information when you use our platform at nationsdata.org ("the Platform").

1. Information We Collect

1.1 Account Information

When you create an account, we collect your email address and authentication credentials. Authentication is managed by our third-party provider (Supabase Auth). We do not store passwords directly — they are hashed and managed by the auth provider.

1.2 Usage Data

We automatically collect information about how you interact with the Platform, including pages visited, features used, API calls made, browser type, device information, IP address, and timestamps. This data is used to improve the service, enforce rate limits, and detect abuse.

1.3 Payment Information

Payment processing for subscriptions is handled entirely by PayPal. We never receive, process, or store your full credit card number, CVV, or banking details. We retain only your PayPal subscription ID, subscription status, and billing history metadata.

1.4 Local Storage

Certain preferences (theme, tracked countries, watchlist) are stored locally in your browser using localStorage. This data never leaves your device and is not transmitted to our servers.

2. How We Use Your Information

  • To provide, maintain, and improve the Platform
  • To manage your account and subscription
  • To enforce rate limits and prevent abuse
  • To send essential service notifications (security alerts, billing confirmations, Terms changes)
  • To analyze aggregated, anonymized usage patterns for Platform improvement
  • To comply with legal obligations

We do not sell, rent, trade, or share your personal information with third parties for marketing or advertising purposes. We do not display ads.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), UK, or Switzerland, we process your data under the following legal bases:

  • Contract performance — to provide the services you signed up for
  • Legitimate interests — to improve the Platform, prevent fraud, and enforce our Terms
  • Consent — where you explicitly opt in (e.g., marketing communications, if any)
  • Legal obligation — to comply with applicable laws

4. Data Storage and Security

  • Application data is stored on Supabase (PostgreSQL hosted on AWS) with encryption at rest (AES-256) and in transit (TLS 1.2+)
  • The Platform is hosted on Vercel with global edge delivery and DDoS protection
  • Access to production systems is restricted to authorized personnel with multi-factor authentication
  • We implement HTTPS everywhere, secure session management, CSRF protection, and input sanitization
  • We conduct periodic security reviews of our infrastructure and dependencies

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

5. Cookies and Tracking

We use the following types of cookies:

  • Essential cookies — required for authentication, session management, and CSRF protection. These cannot be disabled.
  • Preference cookies — store your theme preference (light/dark mode). Stored locally.

We do not use third-party advertising cookies, tracking pixels, or behavioral advertising. We do not use Google Analytics, Facebook Pixel, or similar tracking services.

6. Third-Party Services

We use the following third-party services that may process your data in accordance with their own privacy policies:

  • Supabase (supabase.com) — Authentication, database hosting, and real-time services
  • PayPal (paypal.com) — Payment processing for subscriptions
  • Vercel (vercel.com) — Application hosting, CDN, and edge compute

We do not share your personal data with any other third parties. Our data sources (World Bank, IMF) are queried server-side and do not receive any user information.

7. Your Rights

Depending on your jurisdiction (including GDPR, CCPA, and other privacy frameworks), you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Correction — request correction of inaccurate or incomplete data
  • Deletion — request deletion of your account and all associated personal data
  • Portability — request your data in a machine-readable format (JSON/CSV)
  • Restriction — request that we restrict processing of your data
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, you may withdraw at any time

To exercise any of these rights, email privacy@nationsdata.org. We will respond within 30 days (or as required by applicable law).

California Residents (CCPA)

California residents have additional rights under the CCPA, including the right to know what personal information is collected, the right to delete, and the right to opt out of the sale of personal information. We do not sell personal information.

8. Data Retention

  • Account data is retained for as long as your account is active
  • Upon account deletion, personal data is removed within 30 days
  • Anonymized usage data may be retained indefinitely for analytics
  • Billing records are retained for 7 years as required by tax/accounting obligations
  • Security logs are retained for 90 days for incident response

9. International Data Transfers

Your data may be processed in countries outside your country of residence, including the United States (where our hosting providers operate). Where data is transferred internationally, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required by GDPR.

10. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that we have collected data from a minor, we will promptly delete it.

11. Data Breach Notification

In the event of a data breach that affects your personal information, we will notify affected users via email within 72 hours of becoming aware of the breach (as required by GDPR) and notify relevant supervisory authorities as required by law.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users at least 15 days before taking effect. The "Effective" date at the top of this page indicates the latest revision.

13. Contact

For privacy-related inquiries, data requests, or complaints, contact our data protection team at privacy@nationsdata.org.

If you are in the EEA and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority.