Privacy Policy

1. About Us

MySentiMap (ABN 98 716 278 583) is a community-driven gamified prediction platform for entertainment purposes. We are committed to handling your personal information responsibly and in compliance with Australian privacy law.

This Policy applies to information collected through the MySentiMap website, web application, and any associated services. It does not apply to third-party websites linked from our Platform. Where MySentiMap employees or contractors also hold user accounts for testing or personal use, their account data is covered by this Policy in the same way as any other user; separate employment-related privacy notices apply to HR and payroll data held about staff.

For any privacy enquiries, contact us at hello@mysentimap.com.

2. Information We Collect

We collect personal information only where reasonably necessary to operate the Platform. This includes:

Category	Examples	Collected How
Account Information	Username, email address, hashed password	Provided by you on registration
Profile Information	Bio, avatar, location (optional), social links	Provided by you voluntarily
Platform Activity	Predictions submitted, ratings, comments, watchlist	Generated through your use of the Platform
Technical & Device Data	IP address, browser type, operating system, session identifiers	Collected automatically via server logs and analytics
Subscription & Billing	Plan type, billing history (payment card details are NOT stored by us — handled by our payment processor)	Collected through our payment provider
Communications	Emails and messages sent to our support team	Provided by you directly

We do not collect sensitive information as defined by the Privacy Act, including government identifiers, health information, financial account details, or biometric data.

3. How We Use Your Information

We use your personal information to:

Provide, operate, maintain, and improve the MySentiMap Platform
Create and manage your account and verify your identity
Display your public profile, community predictions, and activity to other users (only where you have opted to make content public)
Process subscription payments and issue invoices or receipts
Send service-related notices (account alerts, security notifications, product updates)
Send marketing communications where you have given explicit consent — you may withdraw consent and unsubscribe at any time
Analyse aggregated, anonymised usage patterns to improve Platform features
Aggregate and anonymise community prediction and sentiment data to create and operate commercial data products and APIs made available to authorised third-party business partners ("API Partners"). Aggregated data distributed externally does not identify individual users. Where your profile is set to public, your username and game statistics may appear in leaderboard data provided to enterprise-tier API Partners — you can prevent this by setting your profile to private
Detect and prevent fraud, abuse, and violations of our Terms & Conditions
Comply with our legal and regulatory obligations

We will not use your personal information for any purpose materially different from those described above without first notifying you and, where required, obtaining your consent.

4. Disclosure of Your Information

We do not sell, rent, or trade your personal information. We may share it only in the following circumstances:

Service Providers: Third-party vendors who assist with hosting (Supabase), analytics (Google Analytics, Microsoft Clarity), email delivery, and payment processing (Stripe), each bound by confidentiality agreements and restricted from using your data for any other purpose
Other Platform Users: Predictions, ratings, and profile information you elect to make public are visible to registered users of the Platform. You control your privacy settings
Authorised API Partners: We may share aggregated, anonymised community sentiment and prediction data with authorised business partners via our commercial data API. This data does not identify individual users. Where your profile is set to public, your username and game statistics (level, prediction count, accuracy) may be shared with enterprise-tier API Partners in leaderboard responses. You can prevent your username from appearing in partner-facing data by setting your account to private in Settings
Legal Authorities: Where required by law, court order, subpoena, or to protect the rights, property, or safety of MySentiMap, its users, or the public — including disclosures to ASIC, AUSTRAC, or other regulators
Business Transfers: In connection with a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred to a successor entity. We will provide notice before any such transfer occurs

5. Overseas Transfers

MySentiMap uses third-party service providers that store and process data outside Australia, including in the United States. Specifically:

Supabase Inc. (database and authentication) — servers located in AWS regions, potentially including the United States and Asia-Pacific
Google LLC (Google Analytics) — United States
Microsoft Corporation (Microsoft Clarity) — United States
Stripe Inc. (payment processing) — United States

We take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the Australian Privacy Principles. Some of these providers self-certify under the EU-US Data Privacy Framework or maintain equivalent safeguards. By using the Platform, you consent to your information being transferred to these countries.

We cannot guarantee that foreign laws will provide the same level of protection as Australian law. If you do not consent to this transfer, you should not use the Platform.

6. Third-Party Services & Analytics

We use the following third-party services which may collect information about your use of the Platform:

Google Analytics (Google LLC): Collects anonymised usage statistics — pages visited, time on site, and device type — to help us understand Platform behaviour. Data is processed in the United States. You can opt out via the Google Analytics Opt-out Browser Add-on.
Microsoft Clarity (Microsoft Corporation): We use Microsoft Clarity for behavioural analytics. Clarity records session replays (mouse movements, clicks, scrolls, and page interactions) and generates heatmaps showing aggregate interaction patterns across our pages. This allows us to identify usability issues and improve the Platform experience.

What is collected: Interaction data including mouse position, clicks, keystrokes in non-password fields, scroll depth, and page navigation. Clarity applies automatic masking to input fields marked as sensitive (e.g. passwords). However, content typed into other form fields may be captured unless explicitly masked.

Data processing: Session data is processed and stored by Microsoft Corporation on servers which may be located in the United States or other countries outside Australia. Microsoft may use this data to improve their own products in accordance with their privacy policy.

Your rights: You can opt out of Clarity by blocking the www.clarity.ms domain in your browser settings or using a content-blocking browser extension. You may also manage your Microsoft advertising preferences via the Microsoft Privacy Dashboard.

See Microsoft's full Privacy Statement for details on how Microsoft handles this data.
Stripe (Stripe, Inc.): Processes subscription payments. Payment card details are submitted directly to Stripe's secure servers and are never transmitted to or stored on MySentiMap servers. See Stripe's Privacy Policy.

These services operate under their own privacy policies. We encourage you to review them. Where data is transferred outside Australia, we rely on the recipient's compliance with equivalent privacy protections.

Managing analytics consent: Google Analytics and Microsoft Clarity are loaded only with your explicit consent via our cookie banner. To withdraw consent at any time: go to Settings → Privacy → Usage Analytics and toggle the switch off. Changes take effect on the next page load; no further analytics data will be collected. You may also re-enable analytics at any time from the same toggle.

7. Market Data

ASX market data, company announcements, and stock prices displayed on the Platform are sourced from the ASX and authorised third-party data providers (including Financial Modeling Prep and Yahoo Finance). This information is subject to the intellectual property and terms of those providers and is displayed for informational purposes only.

Community-generated predictions, ratings, and sentiment scores are expressions of personal opinion by individual users. They are not verified or endorsed by MySentiMap and do not constitute financial advice or securities research.

8. Data Retention

We retain your personal information for as long as necessary to provide the Platform and comply with our legal obligations:

Data Type	Retention Period
Account and profile data	For the life of your account, plus 2 years after deletion (for fraud prevention and legal compliance)
Transaction and billing records	7 years (Australian tax law requirement)
Server logs and technical data	Up to 12 months
Support communications	3 years from last interaction
Anonymised analytics data	Indefinitely (cannot identify individuals)

When you request account deletion, we will remove or anonymise your personal data within 30 days, subject to the retention periods above and any legal holds.

9. Security

We implement industry-standard security measures to protect your personal information including:

Encrypted data transmission via HTTPS/TLS for all Platform connections
Hashed and salted password storage (never stored in plain text)
Role-based access controls limiting internal access to personal data to authorised personnel
Two-factor authentication (2FA) available for user accounts
Regular security assessments and monitoring
Payment card data handled exclusively by PCI-DSS compliant third parties

No transmission over the internet is 100% secure. While we take all reasonable precautions, we cannot guarantee the absolute security of your information. Please notify us immediately at hello@mysentimap.com if you believe your account has been compromised.

10. Cookies & Local Storage

We use browser local storage and session storage (and, for analytics only, cookies) to operate the Platform. No third-party cookies are set without your explicit consent. The specific items stored are listed below.

Essential — authentication & session (cannot be disabled without breaking login)

Key	Purpose	Duration
`token` / `asx_auth_token`	Your JWT access token — keeps you logged in	Session (cleared on browser close)
`refresh_token`	Allows silent re-authentication without re-entering your password	30 days
`user` / `asx_user_data`	Non-sensitive profile data (username, ID, subscription tier) for fast display	Persistent
`msm_ref_code`	Referral code from invite link — links your registration to the referrer	30 minutes

Preferences (persist your settings across sessions)

Key	Purpose	Duration
`theme`	UI colour theme (dark/light)	Persistent
`accentColor`	Accent colour preference	Persistent
`msm_display_currency`	Preferred display currency (AUD, USD, EUR etc.)	Persistent
`msm_timezone`	Preferred timezone for market times	Persistent
`reduceMotion` / `highContrast` / `largeText`	Accessibility display preferences	Persistent
`msm_notif_mute_*`	Per-category notification mute settings	Persistent
`asx_remember_me`	"Remember me" state on the login page	Persistent

Functional — game state & cache

Key	Purpose	Duration
`msm_xp_[userId]`	XP, level, and progression data (fast local cache — authoritative copy is in our database)	Persistent
`msm_notif_feed_[userId]`	Notification feed cache (up to 50 items)	Persistent
`msm_fx_rates_v4`	Exchange rate cache from Frankfurter API — refreshed every 30 minutes	30 minutes
`tower_mode` / `tower_slot*`	Forecast Tower game preferences and unlocked slots	Persistent
`msm_analytics_consent`	Your analytics consent preference (accepted / declined)	12 months

Analytics cookies (set only with your explicit consent)

Cookie	Source	Purpose	Duration
`_ga`, `_ga_[ID]`, `_gid`	Google Analytics 4	Unique visitor and session identification for anonymised usage statistics	Up to 2 years
`clarity_*`	Microsoft Clarity	Session recording and heatmaps to understand how users interact with the Platform	Up to 1 year

Analytics are loaded only after you accept our cookie banner. You can withdraw consent at any time in Settings → Privacy → Usage Analytics. Declining or withdrawing consent has no effect on your ability to use the Platform.

You can also clear all locally stored data at any time via your browser's developer tools (Application → Local Storage → mysentimap.com → Clear all).

11. Do Not Track

Some browsers transmit a "Do Not Track" (DNT) signal. MySentiMap does not currently respond to DNT signals as there is no industry-wide standard for how they should be interpreted. We encourage you to use the opt-out mechanisms provided by our analytics partners (Section 6) if you do not wish to be tracked.

12. Your Rights

Under the Privacy Act 1988 (Cth) and the Australian Privacy Principles, you have the right to:

Access: Request a copy of the personal information we hold about you. We will provide this within 30 days of a valid request, free of charge in most circumstances
Correction: Request that we correct inaccurate, out-of-date, incomplete, or misleading personal information
Deletion: Request deletion of your account and associated personal data (subject to legal retention obligations and active investigations)
Opt-out of marketing: Unsubscribe from marketing communications at any time via the unsubscribe link in emails or by contacting us
Restrict processing: Request that we limit how we use your data in certain circumstances
Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au if you believe we have breached the Australian Privacy Principles

To exercise any of these rights, contact us at hello@mysentimap.com. We will acknowledge your request within 5 business days and respond substantively within 30 days.

13. Children's Privacy

MySentiMap is intended for users aged 18 and over. We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected information from a person under 18, we will take steps to delete that information promptly. If you believe a minor has provided personal information, please contact us at hello@mysentimap.com.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other reasons. When we make material changes, we will notify you via email and/or a prominent notice on the Platform prior to the change taking effect. The "Last updated" date at the top of this page indicates the most recent revision.

Continued use of the Platform after the effective date of any changes constitutes your acceptance of the updated Policy.

15. Data Breach Notification

Notifiable Data Breaches (Australia). Under the Privacy Act 1988 (Cth), if MySentiMap becomes aware of an "eligible data breach" — meaning unauthorised access to or disclosure of personal information that is likely to result in serious harm to any individual — we are required to:

Notify all affected individuals as soon as practicable.
Notify the Office of the Australian Information Commissioner (OAIC) within 30 days of becoming aware of the breach.
Include in any notification: the nature of the breach, the types of information involved, the steps we have taken in response, and recommendations for steps affected individuals should take.

Security Incident Response. If you become aware of or suspect a data breach involving your account or MySentiMap's systems, contact us immediately at hello@mysentimap.com. We will investigate all reports and respond within 72 hours.

EU/UK GDPR Breach Notification. For EEA/UK users, in the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant Data Protection Authority within 72 hours of becoming aware of the breach (as required by GDPR Art. 33), and will notify affected individuals without undue delay where the breach is likely to result in a high risk (GDPR Art. 34).

16. International Users

European Economic Area, United Kingdom & Switzerland (GDPR)

If you are located in the EEA, UK, or Switzerland, EU/UK GDPR applies to our processing of your personal data. The lawful bases we rely on are:

Contract — processing necessary to deliver the Platform services you have requested.
Consent — analytics and session recording (Google Analytics, Microsoft Clarity), loaded only on explicit acceptance of our cookie banner. Consent may be withdrawn at any time in Settings.
Legitimate Interests — fraud prevention, security monitoring, and aggregate platform analytics.
Legal Obligation — retention of billing records and tax documentation.

International Transfers from the EEA/UK. Your data is transferred to and stored in Australia and the United States. Such transfers are protected by Standard Contractual Clauses (SCCs) issued by the European Commission, or equivalent mechanisms. Our key processors and their safeguards:

Supabase Inc. (database, auth) — SCCs; data stored in AWS ap-southeast-2 (Sydney) or US East where applicable. Supabase Privacy
Stripe Inc. (payments) — SCCs; Privacy Shield successor framework. Stripe Privacy
Google LLC (Analytics) — EU–US Data Privacy Framework. Google Privacy
Microsoft Corporation (Clarity) — SCCs. Microsoft Privacy
Resend Inc. (transactional email) — SCCs. Resend Privacy

Additional GDPR Rights. In addition to the rights in Section 12, EEA/UK users also have the right to: data portability (receive your data in a machine-readable format, Art. 20 GDPR); object to processing based on legitimate interests (Art. 21); restrict processing in certain circumstances (Art. 18); and lodge a complaint with your national Data Protection Authority (DPA). Contact hello@mysentimap.com to exercise any of these rights; we will respond within 30 days.

United States

California Residents (CCPA/CPRA). You have the right to: (a) know what personal information is collected; (b) know whether it is sold or disclosed; (c) opt out of sale; (d) request deletion; (e) not be discriminated against for exercising these rights. We do not sell personal information. Aggregated anonymised sentiment data shared with API Partners is not a "sale" under the CCPA. Contact hello@mysentimap.com to exercise any of these rights.

CAN-SPAM Act. All marketing emails sent to US users comply with the CAN-SPAM Act: emails identify MySentiMap as the sender, include an accurate subject line, provide a functional unsubscribe link, and include our business contact information.

COPPA. MySentiMap is not directed at children under 13. We do not knowingly collect personal information from children under 13. If we learn we have inadvertently done so, we will delete it immediately. Parents or guardians may contact us at hello@mysentimap.com.

New Zealand

If you are located in New Zealand, the New Zealand Privacy Act 2020 applies to our collection and handling of your personal information. You have the right to access and request correction of your personal information. Contact hello@mysentimap.com for any Privacy Act 2020 requests or complaints.

Other Jurisdictions

Residents of other jurisdictions retain any additional data protection rights granted by their local laws. These rights are not limited by this Policy. Contact hello@mysentimap.com for jurisdiction-specific requests.

17. Contact & Complaints

For all privacy enquiries, rights requests, and security concerns, contact us at hello@mysentimap.com. We aim to respond within 5 business days.

If you are not satisfied with our response to a privacy complaint:

Australia: Lodge a complaint with the OAIC at www.oaic.gov.au · Phone: 1300 363 992 · Email: enquiries@oaic.gov.au
EU/EEA: Lodge a complaint with your national Data Protection Authority (e.g. ICO for the UK, CNIL for France, BfDI for Germany).
United States: Contact the Federal Trade Commission (FTC) at ftc.gov/privacy or your state's consumer protection office.
New Zealand: Contact the Office of the Privacy Commissioner at privacy.org.nz.