Promo Radar
Sign in

Privacy Policy

Last updated: March 2026

1. Who we are

Promo Radar ("we", "us") is the service you are using on this website and the controller of any personal data described below. For any privacy question, data-access request, correction, or deletion request, reach us at contact@promoradar.co. We respond within 30 days, as required by GDPR and LGPD.

2. What we collect

From everyone who visits the site: a rough country derived from your IP address (used to route you to the right Amazon marketplace), your browser's user-agent string, and a "pr_country" cookie that remembers the country you chose. We also run Google Tag Manager for anonymous site analytics. From people who create an account: your email address (the only required field), your locale and country preference, the products you add to your watchlist (Amazon ASIN plus marketplace), the alert rules you create, the log of alert emails we have sent you, and a session cookie that keeps you signed in. We do not collect names, real addresses, phone numbers, payment information, or passwords — we use magic-link sign-in so there is no password to store.

3. Why we have your data (lawful basis)

Performance of a contract (GDPR Art. 6(1)(b)): to send the alert emails you asked for. Legitimate interest (Art. 6(1)(f)): to rate-limit abuse, keep the site running, and compile anonymous usage analytics. Consent (Art. 6(1)(a)): to create your account — we record the moment you completed the magic-link sign-in, which implies you accepted our terms and this policy.

4. Who sees your data (sub-processors)

We share the minimum necessary with the following services: Resend (delivers the alert and account emails, US-based), Upstash (Redis cache and rate limits, multi-region), Vercel (website hosting, US and EU regions), Microsoft Azure (PostgreSQL database that stores your email and watchlist), Google (Tag Manager and anonymous analytics). Each sub-processor has its own privacy policy and data processing addendum. We do not sell your data. We also query a third-party Amazon pricing data provider using only Amazon product identifiers (ASINs) — your email and account data are never sent there.

5. Where your data lives and international transfers

Your account data is stored in our PostgreSQL database on Microsoft Azure. Session tokens and rate-limit counters are in Upstash Redis. Email is delivered by Resend from their US infrastructure. If you are in the European Economic Area, the UK, or Switzerland, some of your data will therefore be transferred to the United States. We rely on Standard Contractual Clauses with each sub-processor to cover those transfers.

6. How long we keep it

As long as your account is active, we keep your data to operate the service. When you delete your account, your email, name, and unsubscribe token are scrubbed within 30 days. Past alert delivery records are kept in anonymized form (no email, no identity) for delivery-quality reporting. Session cookies expire 30 days after your last activity. Unused magic-link tokens expire after 10 minutes. The "pr_country" country-preference cookie persists for up to one year in your browser.

7. Your rights

Under GDPR (EU/UK) and LGPD (Brazil) you have the right to access the personal data we hold about you, correct it if it is wrong, delete it, restrict how we process it, object to processing, receive a machine-readable copy (data portability), and lodge a complaint with your local supervisory authority. Most of these you can exercise directly from your account page on this site: use "Email me a copy" to get an access/portability copy, "Delete account" to erase, the alerts toggle and pause selector to restrict or object. For a rectification (for example, correcting your email address) or anything else, email us.

8. Cookies

First-party cookies: "pr_country" remembers your chosen Amazon marketplace (one year). When you are signed in, "next-auth.session-token" keeps you signed in (30 days, httpOnly, not readable by other scripts). Third-party: Google Analytics through Google Tag Manager uses session cookies for anonymous site analytics. When you click an affiliate link to Amazon, Amazon sets its own cookies so Amazon can attribute the commission — those cookies are governed by Amazon's own privacy policy, not this one. We do not use marketing cookies and we do not sell behavioral profiles.

9. Security

We hash IP addresses and email addresses before using them as cache keys. Magic-link sign-in tokens are single-use and expire in 10 minutes. All traffic is HTTPS. All our sub-processors are named above so you can audit their own certifications. We do not store passwords, card numbers, or government IDs. If we ever have a data breach that puts your account at risk, we will notify you at the email on your account within 72 hours of becoming aware, as required by GDPR.

10. Changes to this policy

If we make a material change to this policy — for example, adding a new sub-processor or a new type of data we collect — we will email the people with active accounts before the change takes effect. The "last updated" date at the top of this page always reflects the current version. Questions: contact@promoradar.co.