NovaStation Privacy Policy
Plain-language summary (not a substitute for the full policy below).
- NovaStation Lite needs no account and no card. If you only ever use Lite, you never create an account with us and we hold no personal data about you.
- Your trading stays on your computer. Charts, signals, paper trades, watchlists, strategy settings and history are written to your own machine. They are never uploaded to us — there is no sync, no telemetry, and no analytics in the app.
- Paid Premium does use a server. When you subscribe, we create an account record, issue a license key, and check that license when you activate. That is a real backend, and this policy explains exactly what it stores.
- We never see your card. Stripe handles payment details end to end.
- We don't sell your data and we run no advertising or behavioural tracking.
- 1. Who operates NovaStation
- 2. Checkout & payment
- 3. Your account & sign-in
- 4. Subscription & entitlement records
- 5. License keys (storage, reveal, resend)
- 6. Device activations
- 7. Email we send you
- 8. Support correspondence
- 9. Website & server logs
- 10. Data on your own computer
- 11. What we do not collect
- 12. How we use your information
- 13. Service providers
- 14. Data retention
- 15. Cookies & browser storage
- 16. Security
- 17. Access, correction & deletion
- 18. Contact
- 19. Changes to this policy
1. Who operates NovaStation
NovaStation is a Windows desktop application with a small website in front of it, operated by NovaStation Labs ("we", "us"). This policy covers both the website at novastationpro.com and the desktop app. For any privacy question, email novastationsupport@gmail.com.
The free Lite tier is anonymous to us. Downloading and using NovaStation Lite requires no account, no card, and no license. If you never subscribe and never contact support, we hold no personal data about you — the sections below describe what happens once you subscribe, create an account, or write to us.
2. Checkout & payment
Premium checkout is created by our backend and completed on Stripe's hosted checkout page.
- Your email address — you enter it before checkout; we send it to Stripe to create the checkout session, and once payment succeeds we store it against your customer record so we can deliver your license key and let you sign in later.
- Card and payment credentials — your card number and the credentials you type to pay are collected and processed by Stripe, on Stripe's own pages. They are never sent to us, we never store them, and we cannot see your card number.
- Starting a checkout is itself recorded. When the checkout page is created we write an audit record containing the email you entered, plus the IP address and browser user-agent of the request. This endpoint is public, so we log its use to detect and prevent abuse. If you never complete payment, no customer account and no license are created — but that audit record remains.
- Stripe identifiers — after checkout, Stripe tells us your Stripe customer ID and subscription ID. We store those so we can keep your Premium status in sync and open the billing portal for you.
3. Your account & sign-in
Signing in at novastationpro.com/login is optional — the desktop app works without it — but it is how you view your billing, reveal or resend your license key, and see your device usage. Authentication is provided by Supabase Auth.
- Email address — used to identify your account and to send you a sign-in link.
- Password — if you set one, it is stored by Supabase Auth as a salted hash. We never see or store your password in readable form.
- Sign-in links and recovery tokens — one-time tokens emailed to you so you can sign in or reset a password.
- Sign-in metadata — Supabase Auth records account timestamps such as when the account was created, confirmed, and last signed in.
- Account link — a record connecting your signed-in identity to your customer record, so we can show you your own subscription and no one else's.
For your privacy, our sign-in page responds the same way whether or not an email belongs to a customer. It is deliberately not possible to use it to discover whether someone has an account.
4. Subscription & entitlement records
To know whether Premium should be unlocked, we keep a subscription record for you containing: the payment provider (Stripe), your Stripe subscription and price identifiers, the subscription status (for example active, past due, or canceled), the end of the current paid period, whether it is set to cancel at period end, and any trial end date reported by Stripe.
Stripe notifies us of billing events (checkout completed, invoice paid, payment failed, subscription updated or canceled) through a signed webhook. So that billing can be processed reliably, retried safely without double-charging, and audited if something goes wrong, we store each event exactly as Stripe sends it.
Being straight with you about what that means: those stored events are Stripe's own records, and they can contain the billing details Stripe collected from you — typically your email, and depending on the event, details such as your name, billing address, or phone number if you gave them to Stripe. We do not read or use those fields; they are retained as part of the billing record. They never include your full card number.
5. License keys (storage, reveal, resend)
When your subscription becomes active, our backend generates an NSP license key and emails it to your checkout address. About that key we store:
- A one-way hash of the key, which is what activation is checked against.
- An encrypted copy of the key, so that you can reveal it again in My Account or have it re-sent to you. It is stored encrypted at rest and is only ever returned to you, over an authenticated request, after you sign in.
- A short key prefix (for example
NSP-AB4K) so that you and support can identify which key is being discussed without exposing the whole key. - Status and timestamps — whether the key is active or revoked, and when it was issued.
Asking us to re-send your license email re-sends the key you already have; it does not issue a new one and does not invalidate your existing activations.
6. Device activations
A paid Premium license can be activated on up to 3 devices. To enforce that limit, the desktop app sends us, when you activate and when it re-checks your license:
- Your license key (checked against the stored hash).
- A hashed device identifier. The app derives a stable value from your machine and sends a hash of it. We do not receive — and do not store — your computer name, your Windows username, your MAC address, or your hardware serial numbers. We cannot reverse the hash back into those values.
- A device label, which is only your operating-system name, such as "Windows 10". It is not your computer's name.
For each activation we store that hashed identifier, the OS label, whether the activation is active or released, and when it was first and last seen. Re-checking from a device you have already activated does not consume another slot.
This is the part of licensing that is not local. While Premium is active, the app re-verifies your license with our server periodically (at most about once a day) so that a canceled or expired subscription stops granting Premium. Those requests reach our server and are subject to §9.
7. Email we send you
Transactional email — your license key, and re-sends of it — is delivered through Resend, an email-delivery provider. Sign-in and password-recovery emails are sent through Supabase Auth.
So that we can tell you whether your license email actually went out, we keep a delivery record alongside your license: whether the last send succeeded or failed, any error the provider returned, how many attempts were made, when the last attempt happened, and the provider's message identifier. We do not use tracking pixels and we do not track whether you opened an email or clicked a link in it.
These are service emails about your own purchase. We do not run a marketing mailing list and we do not send promotional email.
8. Support correspondence
If you email novastationsupport@gmail.com, we receive your email address and whatever you choose to write, and we keep the correspondence so we can help you and refer back to it. Support email is received in Gmail.
NovaStation can also build a diagnostic support bundle on your computer. It is written to your own disk and is never uploaded automatically — it reaches us only if you choose to attach it to an email. Before anything is written to a log, the app scrubs values such as tokens, license keys, webhook URLs and your Windows username.
9. Website & server logs
- Website request logs — our host, Cloudflare, processes standard request logs (IP address, user-agent, requested URL) as part of serving and protecting the site.
- Licensing audit records — when a licensing event happens (a key is issued, a device is activated, a license is revealed or re-sent), our backend writes an audit record. That record includes the IP address and user-agent of the request, and the app version where the app reported one, together with which customer and license it concerned. We keep these to investigate fraud, license sharing, and abuse, and to be able to reconstruct what happened to your license if you ask us.
10. Data on your own computer
Most of what NovaStation produces never leaves your machine. Stored locally under
%APPDATA%\NovaStation and %LOCALAPPDATA%\NovaStation:
- Paper trades, signal history, signal outcomes, and decision/journal records
- Watchlists, workspaces, chart drawings, strategy presets and settings
- Market-data and chart caches
- Diagnostic, runtime and crash logs
- Your trial marker, and a cached copy of your license entitlement (the key itself is encrypted at rest using Windows' own data-protection facility)
The 7-day Premium trial is handled entirely by the app on your computer.
Starting or finishing a trial sends nothing to us. The app keeps small local markers
(a file in its app-data folder and a registry key under
HKCU\Software\NovaStation) holding trial dates and a machine-code hash,
so that the one-per-device trial cannot be reset by deleting a single file. Those
markers are not transmitted.
11. What we do not collect
- No trading data. Your positions, paper trades, P&L, watchlists, signal history and strategy configuration are never sent to us.
- No analytics or telemetry in the desktop app. There is no usage tracking, no crash-reporting upload, and no "phone home". Crashes are written to a local file only.
- No behavioural analytics on the website. No Google Analytics, no advertising pixels, no tag manager, no session recording.
- No card details. Only Stripe sees those.
- No exchange API keys or credentials you configure inside NovaStation.
- No raw hardware identifiers. See §6 — we receive a hash, not your machine name, username, MAC address or serial number.
- We do not sell or rent your data, and we do not share it for marketing, advertising or profiling.
When the desktop app talks to the network it contacts: public market-data endpoints (Binance for candles and live prices; CoinGecko for coin metadata and logos; optionally Coinbase for price cross-checks); GitHub, to check whether a newer version has been published (you can turn this off); our own licensing backend, but only if you have activated a paid license (§6); and any notification destination you configure yourself (a Discord webhook, a Telegram bot, or your own webhook URL). Those market-data and update requests carry no account, license or identity information — although, like any web request, the receiving service can see your IP address.
12. How we use your information
- To take payment and manage your subscription.
- To generate, deliver, re-send and reveal your license key.
- To unlock Premium on your devices and enforce the 3-device limit.
- To let you sign in and see your own account.
- To answer support requests.
- To keep the service secure and prevent fraud, abuse and license sharing.
- To meet legal, tax and accounting obligations.
13. Service providers
We use a small number of providers. Each receives only what its job requires, and each has its own privacy policy:
- Stripe — payments. Receives your email and your payment details; handles checkout, billing, the customer portal and invoices. We never receive your card number.
- Supabase — our database, authentication and backend functions. Holds your customer record, sign-in credentials, subscription and entitlement state, license records, device activations and licensing audit records.
- Resend — delivery of transactional email (your license key and re-sends). Receives your email address and the message content.
- Cloudflare — hosts this website and processes standard request logs.
- Google (Gmail) — receives support email you send to novastationsupport@gmail.com.
- Google Fonts — this website loads its typeface from Google's font service, so your browser requests a file from Google on every page you view here, and Google can see the IP address and browser of that request. It sets no cookies and receives no account information. We call it out because it is the one third party your browser contacts just by reading this page.
- GitHub — hosts the installer download and the release information the app reads when it checks for updates. GitHub sees the IP address of the download or update request; it receives no account or license information.
- Public market-data providers (Binance; CoinGecko; Coinbase when price cross-checking is enabled) — serve market data to the desktop app. They see the IP address of the request. No account, license or trading information is sent to them.
14. Data retention
- Customer, subscription and license records — kept while your account exists, and afterwards for as long as we need them for billing, tax and accounting obligations and to resolve disputes. Keeping your license record is also what lets you re-subscribe later and recover your key.
- Device activations — kept while the license exists, so the device limit can be enforced and slots can be released.
- Billing event records and licensing audit records (including the IP addresses in §9) — kept for security, fraud-prevention and billing-integrity purposes. We have not yet set a fixed automatic deletion schedule for these records; we are defining one. In the meantime you can ask us to delete data about you as described in §17.
- Website request logs — retained by Cloudflare according to its own retention periods, not ours.
- Support email — kept while it is useful for supporting you.
- Payment records held by Stripe — retained by Stripe under its own policy and the law that applies to payment processors.
- Anything stored only on your computer (§10) — under your control. Uninstalling NovaStation and deleting its data folders removes it.
15. Cookies & browser storage
This website sets no cookies at all — not for tracking, not for anything else. There is no Google Analytics, no advertising pixel, no tag manager and no session recording.
If you sign in, your browser stores your sign-in session in
local storage on your own device, under the key
novastation-auth, so you stay signed in between pages. We also store one
or two small non-identifying values there to remember whether to keep you signed in
after you close the browser, and to show the right state in the account menu. This is
storage on your machine, not tracking: it is not sent to any third party, and signing
out clears it.
Stripe's own checkout and billing pages run on Stripe's domain and may set their own cookies there, governed by Stripe's privacy policy.
16. Security
Your license key is stored hashed and encrypted, never in plain text. Payment details never reach us. Account data is only ever returned to a signed-in user for their own account. Sensitive values are scrubbed from logs before they are written.
That said, no service can promise perfect security. We cannot guarantee that our systems or our providers' systems will never be compromised, and nothing in this policy should be read as such a guarantee. You are responsible for keeping your own email account and password secure, since access to your email is enough to sign in to your NovaStation account.
17. Access, correction & deletion
You can ask us to:
- Tell you what we hold about you.
- Correct inaccurate personal data.
- Delete your data. We will delete what we are not required to keep. Your customer record, subscription record, license and device activations can all be removed, which ends Premium.
To be honest about the limits rather than promise more than we do: we retain the billing-event records Stripe sent us and the licensing audit records described in §4 and §9 — including the IP addresses in them — because we need them for billing integrity, tax and accounting obligations, and to prevent fraud and license sharing. Stripe separately keeps its own payment records under its own policy and the law that applies to payment processors, and we cannot delete those on your behalf.
Email novastationsupport@gmail.com from the address on your account and we will respond within 30 days. Deleting your account data ends Premium access; NovaStation Lite keeps working, and anything stored only on your own computer (§10) is yours to delete.
Depending on where you live, you may have additional rights under local law (for example under the GDPR or the CCPA). Nothing in this policy limits any right you have that cannot legally be waived.
18. Contact
Privacy questions, or any request under §17: novastationsupport@gmail.com.
19. Changes to this policy
We may update this policy as NovaStation changes. When we do, we will update the Effective date at the top of this page. This version replaces an earlier policy which described licensing as entirely local; that is no longer accurate for paid Premium, and §5, §6 and §9 above describe what actually happens.