Privacy Policy
Effective: May 23, 2026 · MarketMaster v6.5.1
The MarketMaster Chrome extension still runs locally on your device — we don't see what markets you analyze, what trades you make, or what's in your journal. We do operate a small backend at marketmaster.live that handles three specific things: account sign-in, Pro subscriptions, and license-key issuance. That backend stores your email and subscription state, nothing more. Settings + watchlist sync across your Chrome profiles via Google's built-in extension sync (we never touch it).
1. Who we are
MarketMaster is run by an individual developer (referred to as "we," "us," or "the developer"). For privacy questions, contact support@marketmaster.live or use our contact form.
2. What the Chrome extension stores on your device
MarketMaster uses two Chrome storage areas, split by sensitivity and size:
2.1 Device-local only (chrome.storage.local)
- Your API keys (PredictionHunt, optional Kalshi Access Key ID and RSA private key) — stored in plaintext locally, never sent anywhere except to the service they belong to. The Kalshi private key is used in-browser to sign requests to Kalshi's authenticated endpoints; the key itself is never transmitted.
- Your trading journal — every analysis is auto-logged with a market title and your selected side. Capped at 200 entries.
- A rolling history of prices you've viewed, for sparkline charts.
- Cached news headlines and cross-platform title matches (weekly / daily refresh).
- Your MarketMaster license key, once issued, so the extension can verify Pro entitlement.
2.2 Synced across your Chrome profiles (chrome.storage.sync)
- Your watchlist of subscribed market tickers (the "My Markets" tab).
- Your alert threshold and whether alerts are enabled.
- Your auto-fill preference and bankroll setting (used to translate Kelly % into a contract count).
- Your scanner SHOW filter selection (Arbs only, Movers, etc.).
- UI state — collapsed sections, dismissed hints.
- Your Polymarket wallet address (a public on-chain identifier — no private key).
The developer cannot read either of these stores. chrome.storage.sync is encrypted in transit and at rest by Google as part of your Chrome account. To stop syncing, sign out of Chrome or disable extension sync in chrome://settings/syncSetup.
3. What our backend stores
If you create a MarketMaster account at marketmaster.live, we store the following so that sign-in, billing, and license issuance can work:
- Email address — required for account creation, email verification, password reset, and billing receipts.
- Hashed password — we never store passwords in plain text. Hashing is handled by Supabase Auth using industry-standard bcrypt.
- Optional display name — if you set one in /profile, it's stored as account metadata. Used only to greet you in the dashboard.
- Subscription state — plan (monthly/annual), status (active, past_due, canceled), current period end, and Stripe customer/subscription IDs. We use this to determine whether to issue a Pro license.
- License keys — randomly generated strings tied to your account, plus their status (active, revoked) and issuance date. Used by the extension to verify Pro entitlement.
- Notification preferences — the toggles you set under /profile → Notifications.
- Server-side authentication logs — Supabase keeps short-lived audit records of sign-in attempts for security. We don't use these for analytics.
We do not store: your trading journal, your watchlist, the markets you view, your API keys for third-party platforms, your trade history, your IP address (beyond short-lived rate-limit and abuse-prevention records), or any analytics about how you use the extension.
4. Subprocessors we rely on
Our backend is intentionally small and uses well-known, security-audited subprocessors. Each only sees the data it needs:
- Supabase (hosted on AWS, US region) — stores your account, password hash, subscription state, license keys, and notification prefs. Supabase privacy policy.
- Stripe — processes payments and stores your billing information (card details, billing address). We never see or store full card numbers. Stripe privacy policy.
- Cloudflare Workers — runs our license-issuance API and Stripe webhook handler. Cloudflare may briefly process request metadata for DDoS protection. Cloudflare privacy policy.
- Resend — sends transactional email (account verification, password reset, billing receipts). Resend privacy policy.
- Netlify — hosts the marketing site and dashboard at
marketmaster.live. Standard web-server logs (IP, user agent) are retained briefly. Netlify privacy policy.
5. What the extension transmits to third parties
The MarketMaster extension makes direct HTTPS requests from your browser to these services so you can see live data:
- Kalshi public API (
api.elections.kalshi.com) — to fetch market prices and details. - Polymarket public API (
gamma-api.polymarket.com) — to fetch market prices and details. - PredictionHunt API (
www.predictionhunt.com) — only if you provide an API key. - Kalshi authenticated endpoints — only if you provide an Access Key ID and private key. Each request is signed locally; the private key never leaves your browser.
- Google News RSS (
news.google.com) — for the "Market Context" feature when you click it. - MarketMaster license API (
marketmaster.live) — only if you've signed into a Pro account inside the extension. The request sends your license key to confirm it's still valid.
6. Cookies and similar technologies
The marketing site at marketmaster.live uses a small number of essential cookies and browser-storage entries only for keeping you signed in (Supabase session tokens) and remembering your filter / sort choices on the dashboard. We do not use advertising cookies, third-party analytics, or cross-site trackers.
7. Chrome permissions, explained
- activeTab — to read the URL and title of the market you're viewing, so MarketMaster can analyze it.
- storage — to save your settings locally.
- tabs — to open market pages in a new tab when you click "Open."
- alarms — to schedule the background price check for subscribed markets.
- notifications — to show OS-level alerts when a subscribed market crosses your threshold.
- host_permissions (Kalshi, Polymarket, PredictionHunt, Google News, marketmaster.live) — to fetch live market data and verify your Pro license.
8. Your rights and choices
- Access & correct your data: sign into your dashboard or visit /profile.
- Change your notification preferences: Profile → Notifications.
- Delete your account: request via /contact. We'll delete your account, license keys, and subscription record within 30 days; Stripe will retain billing records as legally required.
- Cancel your subscription: use the Manage subscription / billing button on your dashboard (opens the Stripe customer portal).
- Stop using the extension: uninstall from
chrome://extensions— that removes all local data on that device.
9. California residents (CCPA/CPRA)
We don't sell or share personal information as defined by California law, and we don't use personal information for cross-context behavioral advertising. California residents have the right to know, correct, delete, and limit use of sensitive personal information — all of which can be exercised via the methods in section 8.
10. European / UK residents (GDPR / UK GDPR)
For data we hold (account, subscription, license), the developer acts as the data controller. Lawful basis is contractual necessity (to provide the service you signed up for) and, for security and fraud-prevention logs, legitimate interest. You may exercise your rights of access, rectification, erasure, restriction, and portability via the methods in section 8 or by emailing support@marketmaster.live.
11. International data transfers
Our subprocessors (Supabase, Stripe, Cloudflare, Resend, Netlify) operate globally. Data may be transferred to and processed in the United States and other countries. Each subprocessor maintains appropriate safeguards (Standard Contractual Clauses, etc.) for such transfers.
12. Children
MarketMaster isn't directed at children under 18 and isn't intended for anyone under the age of majority in their jurisdiction. We don't knowingly collect data from minors.
13. Security
All requests use HTTPS. Passwords are hashed with bcrypt. Stripe handles all card data via PCI-DSS Level 1 infrastructure. License keys are stored hashed where practical. If you suspect your account is compromised, change your password immediately and contact support@marketmaster.live.
14. Changes to this policy
We may update this policy. Material changes will be flagged on the dashboard and via email (if your notification preferences allow). The "Effective" date at the top reflects the most recent revision.
15. Contact
Privacy questions, deletion requests, or data-rights requests: email support@marketmaster.live or use our contact form.