Privacy policy
What Schmatz collects, why, where it lives, who can see it, and how to ask for it back or have it deleted. We collect the minimum data necessary to deliver the service and never sell any of it to third parties.
Scope
This policy applies to your use of the Schmatz website, dashboard, daily brief, case files, email notifications, and any other Schmatz-branded interface. It covers data we collect directly from you, data our email provider (Resend) processes to deliver magic-link sign-in messages, and data we infer from your interactions with the service.
What we collect
Account information you provide
- Email address — required to create a Schmatz account; used for sign-in and notifications
- Phone number — optional; if provided, we use it solely to deliver the daily brief via an SMS gateway
- First and last name — optional; populated from your Google account if you sign in via Google SSO
Authentication metadata
Schmatz uses Auth.js (the open-source library, formerly NextAuth) running on our own server. We generate and store a unique user ID for your account in our SQLite database; nothing is shared with a third-party identity provider. Magic-link sign-in emails are delivered via Resend, which processes the recipient address and message body solely to deliver the email — see resend.com/legal/privacy-policy. If you sign in with Google, Google's OAuth flow transmits your email address, name, and profile photo URL to us, and nothing else.
Service-use telemetry
To understand how Schmatz is being used, we log:
- Which pages and case files you open, with timestamps
- Whether and when each daily brief you were sent was opened
- Aggregated counts (e.g., total brief opens this week) used to debug delivery failures
This telemetry is stored in our user_events table on infrastructure we operate. It is not sent to third-party analytics services.
Information from the providers you connect
Schmatz currently carries every upstream data subscription on its own infrastructure — users do not supply third-party API keys. If a future feature lets you connect an external account (e.g. a brokerage for portfolio sync), keys for that would be stored encrypted on our infrastructure and used only to make outbound API calls on your behalf. The data returned by those calls is rendered to you and is not aggregated into our broader corpus without your separate consent. (Bring-your-own-key infrastructure is planned for a future release; if you don't see a key-management page on your account, this section does not yet apply to you.)
Information we do NOT collect
- Your investment positions, brokerage account information, or trading history — Schmatz does not connect to your brokerage and cannot see what you actually hold
- Your social security number, driver's license, or other government identifiers
- Health or biometric data
- Geolocation beyond what is inherent in an IP address
- Information from children under 13
Why we collect it
We collect each category of data for one of the following specific purposes:
- Operate the service — deliver the daily brief, generate case files, authenticate you when you sign in, attribute the right invitation code to your account
- Evaluate the beta — understand which features beta participants actually engage with, prioritize improvements
- Security and integrity — detect and respond to abuse (rate-limit violations, scraping attempts), maintain audit logs
- Legal compliance — respond to lawful requests from authorities, exercise our legal rights, and comply with applicable law
Where data lives
Account and telemetry data is stored in a SQLite database on infrastructure operated by Schmatz. Authentication is self-hosted (Auth.js); magic-link emails are delivered via Resend, which processes recipient addresses solely for delivery. SMS gateway messages transit via your mobile carrier's email-to-SMS gateway and are subject to that carrier's privacy practices. We use no other third-party data processors for personal information.
How long we keep it
- Account data — for as long as your account is active. If you stop using Schmatz, we will retain the account record but stop sending you communications.
- Behavioral telemetry — stored indefinitely to support longitudinal evaluation of how features are used. We will publish a clearer retention schedule as the product matures.
- Communications logs — kept for at least 90 days for delivery debugging; not longer than 18 months unless required by law.
- Backups — periodic database backups may retain copies for up to 90 days beyond the deletion date.
Your rights
Regardless of where you live, you can ask us to:
- Tell you what data we hold about you
- Correct any inaccuracies
- Delete your account and associated personal data (subject to limited retention for backups and legal requirements)
- Stop sending you SMS or email
Send requests through the beta channel by which you received your invitation. We will respond within 30 days.
California residents — CCPA / CPRA
The California Consumer Privacy Act of 2018 ("CCPA"), as amended by the California Privacy Rights Act of 2020 ("CPRA"), grants California consumers additional rights with respect to their personal information. Schmatz does not currently meet the statutory thresholds that trigger CCPA coverage (annual gross revenue under $25 million, fewer than 100,000 California consumers, less than 50% of revenue from selling/sharing personal information). We nevertheless offer the following rights as a matter of practice to California residents:
- Right to know what categories of personal information we collect and how we use them
- Right to access the specific personal information we hold about you
- Right to deletion, subject to permitted exceptions
- Right to correct inaccurate information
- Right to opt out of the sale or sharing of personal information — we do not sell or share personal information within the meaning of the CPRA, so there is currently nothing to opt out of
- Right to limit the use of sensitive personal information — we do not knowingly collect sensitive personal information
- Right to non-discrimination for exercising any of the above rights
To exercise any of these rights, contact us through the beta channel by which you received your invitation. We will verify your identity by reference to the email on file before responding to substantive requests.
Children's privacy
Schmatz is not directed to children under the age of 13 and we do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected information from a child under 13, contact us and we will delete it. This commitment is consistent with the Children's Online Privacy Protection Act (COPPA).
Cookies & tracking
Schmatz uses only strictly necessary cookies — primarily, the Auth.js session cookie that keeps you signed in. We do not use third-party analytics cookies, advertising trackers, or fingerprinting. See our cookies notice for the full inventory.
International users
Schmatz is operated from the United States. By using Schmatz, you consent to the transfer of your information to, and storage of your information in, the United States. If you are accessing Schmatz from the European Economic Area or United Kingdom, please be aware that U.S. privacy protections may differ from those provided under EU/UK law, and that Schmatz has not been designed to satisfy GDPR requirements. Schmatz is targeted at U.S. residents.
Security
We take reasonable measures to protect your information against unauthorized access, alteration, disclosure, or destruction. See our security overview for specifics. No system is perfectly secure, and we cannot guarantee the security of your information. In the event of a breach affecting Washington residents' personally identifiable information, we will notify affected users consistent with Washington's data-breach notification statute (RCW 19.255).
Changes to this policy
We may update this policy from time to time. When we do, we will revise the "Last updated" date at the top of this page and, for material changes, will notify active beta participants by email at least 14 days before the change takes effect. Your continued use of Schmatz after a policy change constitutes acceptance of the revised policy.
Contact
Privacy questions, data-access requests, and deletion requests should be sent through the beta channel by which you received your invitation.