
Legal

Privacy Policy

MarketHand · markethand.ch

Effective date: 24 March 2026  ·  Last updated: 24 March 2026

1. Introduction and Scope

Welcome to MarketHand ("we", "our", or "us"). MarketHand is an AI-powered financial literacy application — a trading card game that transforms investment education into an engaging, measurable journey.

This Privacy Policy describes how we collect, use, store, and share your personal data when you use the MarketHand mobile application ("App"), visit our website at markethand.ch, or interact with any of our services (collectively, the "Services").

We are committed to protecting your privacy and processing your personal data in compliance with the General Data Protection Regulation (GDPR) (EU) 2016/679, the Swiss Federal Act on Data Protection (nFADP / revDSG), and all other applicable data protection laws.

Please read this policy carefully. By using our Services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you must discontinue use of our Services.

2. Data Controller

The data controller responsible for processing your personal data is:

MarketHand

Switzerland

Email: hello@markethand.ch

For all questions relating to the processing of your personal data, or to exercise your rights, please contact us at the address above.

3. Categories of Personal Data We Collect

We collect personal data that you provide directly to us, data generated automatically through your use of the Services, and data received from third-party service providers.

3.1 Account and Registration Data

When you create a MarketHand account, we collect the following information:

  • Email address: Used as your unique account identifier and for transactional communications.
  • Username: A display name (up to 50 characters) you choose, visible on leaderboards and in multiplayer.
  • Password: Stored exclusively as a bcrypt-hashed value. We never store your plaintext password.
  • Account role and subscription tier: Whether your account has user or administrator privileges, and your subscription level (normal, pro, or admin).
  • Email verification status: Whether your email address has been confirmed.
  • Account creation timestamp: The date and time your account was created.

3.2 Authentication and Session Tokens

To keep you securely signed in, we generate and process:

  • Access tokens (JWT): Short-lived tokens (60-minute expiry) used to authenticate API requests.
  • Refresh tokens (JWT): Longer-lived tokens (30-day expiry) used to issue new access tokens without requiring you to log in again.
  • Password reset tokens: Single-use, time-limited tokens (1-hour expiry) sent via email when you request a password reset.

3.3 Gameplay and Behavioural Data

The core purpose of MarketHand is to build your investor intuition through gameplay. To do this, we record detailed information about your in-game decisions:

  • Card interactions: For each card you interact with: the card shown, your decision (swipe left, swipe right, or hold), the resulting reward, the timestamp, and your capital before and after the action.
  • Investor Persona Vector: A high-dimensional numerical vector representing your investor personality traits — risk appetite, FOMO sensitivity, loss aversion, patience, diversification bias, and overconfidence. This vector is updated with every swipe.
  • Persona snapshots: Historical snapshots of your persona vector taken every 10 cards, allowing us to track how your investment thinking evolves over time.
  • Portfolio state: Your simulated portfolio: current capital, net worth (all-time and current), stage of progression, investor rank, portfolio asset allocation weights, and total cards played.
  • Net worth snapshots: Daily records of your simulated net worth and capital, used to power your performance graphs.
  • Topic mastery: A per-topic mastery score tracking your comprehension of investment topics (e.g., equities, bonds, index funds, alternatives, macroeconomics).
  • Market state: A five-dimensional simulation state (sentiment, inflation, greed index, volatility, and fundamentals) that reflects the cumulative effect of your card decisions on the virtual market.
  • Income streak: A record of consecutive days on which you claimed your daily income reward.
  • Game sessions (legacy): Session-level data including stage, progress, and persona state at the time of the session.

3.4 Learning Progress and Unlocks

We track your progression through the game's educational framework:

  • Unlocked and enabled investment strategies: Which of the five strategy categories (Savings & Cash, Fixed Income/Bonds, Equities/Stocks, Index Funds, Alternatives) you have unlocked and activated.
  • Unlocked and enabled card decks: Which specialist card decks (e.g., Great Depression, COVID Era, Financial Statements Lab, Macro Events) you have unlocked.

3.5 Achievement Data

When you reach in-game milestones, we record:

  • Achievement unlocks: Which achievements you have earned and the exact timestamp at which each was unlocked.

3.6 Multiplayer Arena Data

If you participate in real-time multiplayer arena games, we process:

  • Room participation: The rooms you join or host, your role (host or participant), and your status within the room.
  • Round-by-round actions: Your card decisions in each round of the arena game, including the card shown, your action, the reward, and your capital before and after each round.
  • Cached username: Your username is stored alongside your arena results for display purposes.

3.7 Companion Interaction Data

MarketHand features AI-powered companion characters. When you chat with a companion, the following context is sent to our AI provider to generate a relevant response:

  • Current card content: The title, body text, and topics of the card currently displayed.
  • Your portfolio state: Your current capital, stage, and investor rank.
  • Market state: The current state of the virtual market simulation.
  • Recent news headlines: Up to five recent financial news headlines retrieved via Google Search.
  • Your message: The text of the message you send to the companion.

See Section 6 for more details on the third-party AI provider used.

3.8 Contact Form Data

If you submit our website contact form, we collect:

  • Name: Your full name as provided.
  • Email address: Your email address for our reply.
  • Enquiry category: The type of enquiry you select.
  • Message content: The body of your message.
  • hCaptcha verification result: A token confirming you completed the CAPTCHA challenge. No personal data from the CAPTCHA is stored by us beyond form submission verification.

3.9 Technical and Usage Data

Our website uses Vercel Analytics to collect aggregated, anonymised data about how visitors interact with our landing page. This may include:

  • Page views and referrers: Which pages were visited and from which source.
  • Device and browser type: General information about the device category and browser used.
  • Geographic region: Coarse geographic information (country or region level) derived from IP address. Vercel does not store raw IP addresses.

Vercel Analytics is designed to be privacy-friendly and does not use cookies or persistent cross-site identifiers.

4. Purposes of Processing and Legal Bases

We process your personal data only where we have a lawful basis to do so under Article 6 of the GDPR. The table below sets out each purpose of processing and the corresponding legal basis.

| Purpose | Legal Basis (GDPR Art. 6) |
| --- | --- |
| Creating and managing your account | Art. 6(1)(b) — Performance of a contract |
| Authenticating your identity and securing your session | Art. 6(1)(b) — Performance of a contract |
| Delivering core gameplay and personalisation via the AI Persona Engine | Art. 6(1)(b) — Performance of a contract |
| Tracking your learning progress, topic mastery, and achievement milestones | Art. 6(1)(b) — Performance of a contract |
| Powering real-time multiplayer arena games | Art. 6(1)(b) — Performance of a contract |
| Generating AI companion responses using your in-game context | Art. 6(1)(b) — Performance of a contract |
| Sending account-related transactional emails (verification, password reset) | Art. 6(1)(b) — Performance of a contract |
| Displaying leaderboards and competitive rankings | Art. 6(1)(f) — Legitimate interests (community competition features) |
| Conducting aggregated analytics to improve the Services | Art. 6(1)(f) — Legitimate interests (product improvement) |
| Responding to contact form enquiries | Art. 6(1)(f) — Legitimate interests (handling communications) |
| Fraud prevention and security monitoring | Art. 6(1)(f) — Legitimate interests (security and integrity) |
| Complying with legal obligations | Art. 6(1)(c) — Legal obligation |

Where we rely on legitimate interests, we have conducted a balancing test to ensure that our interests do not override your fundamental rights and freedoms. You may object to processing carried out on this basis at any time (see Section 10).

5. Data Retention

We retain your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or as required by applicable law.

  • Account and profile data: Retained for the duration of your account. If you delete your account, we will delete or anonymise your personal data within 30 days, unless we are legally required to retain it for a longer period.
  • Gameplay and behavioural data (card plays, persona vectors, portfolio state): Retained for the lifetime of your account to power personalisation and progress tracking. Anonymised aggregate statistics may be retained indefinitely for research and product improvement.
  • Net worth snapshots: Retained for the lifetime of your account.
  • Arena round data: Retained for the duration of your account. Historical arena results are maintained for leaderboard integrity.
  • Access and refresh tokens: Access tokens expire after 60 minutes. Refresh tokens expire after 30 days.
  • Password reset tokens: Expire after 1 hour and are invalidated on use.
  • Contact form submissions: Retained for up to 2 years to allow us to follow up on your enquiry and maintain records of communications.
  • Vercel Analytics data: Governed by Vercel's data retention policies. We do not control how long Vercel stores aggregated analytics data on their infrastructure.

6. Third-Party Service Providers and Data Sharing

We engage the following categories of third-party service providers who may process personal data on our behalf as data processors, or in their own right as independent data controllers. We only share data that is necessary for the specific service and have entered into appropriate data processing agreements where required by law.

6.1 OpenAI (Companion AI)

When you interact with an AI companion, the text of your message and relevant in-game context (current card, portfolio state, market state, recent news) are sent to OpenAI, L.L.C. via its API to generate a contextually relevant response. OpenAI processes this data as a data processor under our instructions. OpenAI may be headquartered in the United States. Data transfers are conducted pursuant to appropriate safeguards.

6.2 Google (Search API for News)

To surface relevant financial news for companion interactions, we use the Google Custom Search JSON API. Queries are sent to Google's servers. No personal user data is transmitted to Google in these requests — only the news search query.

6.3 Vercel (Hosting and Analytics)

Our landing website is hosted on Vercel, Inc. Vercel provides infrastructure and edge network services. Vercel Analytics collects the anonymised, aggregate usage data described in Section 3.9. Vercel is headquartered in the United States and processes data under its Data Processing Agreement and Standard Contractual Clauses.

6.4 hCaptcha (Bot Prevention)

Our contact form is protected by hCaptcha (provided by Intuition Machines, Inc.). hCaptcha processes information necessary to verify that form submissions are made by a human.

6.5 Email Delivery (SMTP Provider)

We use an SMTP email service to send transactional emails (account verification and password reset links). Only your email address and the content of the transactional email are transmitted.

6.6 No Sale of Personal Data

We do not sell, rent, or trade your personal data to any third party for their own marketing or commercial purposes. Personal data is shared with third parties only to the extent necessary to provide the Services to you, or as described in this policy.

6.7 Legal Disclosures

We may disclose your personal data if we are required to do so by applicable law, regulation, judicial order, or governmental authority, or where we have a good-faith belief that such disclosure is necessary to protect the rights, property, or safety of MarketHand, our users, or the public.

7. International Data Transfers

MarketHand is based in Switzerland. Some of our third-party service providers (including OpenAI and Vercel) operate from the United States and other countries outside of the European Economic Area (EEA) and Switzerland, which may not offer the same level of data protection as your home jurisdiction.

Where we transfer personal data to countries outside the EEA or Switzerland, we ensure that appropriate safeguards are in place, including:

  • European Commission Standard Contractual Clauses (SCCs): Legally binding commitments incorporated into contracts with recipients.
  • Adequacy decisions: Where the European Commission or the Swiss Federal Council has determined that a country provides adequate protection.
  • Data Processing Agreements: Contractual agreements with all processors that include appropriate data protection obligations.

You may request a copy of the safeguards we have put in place for international transfers by contacting us.

8. Cookies and Similar Technologies

Our landing website (markethand.ch) does not use persistent tracking cookies. Vercel Analytics operates without cookies or cross-site tracking identifiers.

The MarketHand mobile application does not use browser cookies. Authentication state is maintained using JWT tokens stored securely on your device.

The hCaptcha widget used on our contact form may use session-scoped technical mechanisms to verify bot prevention challenges. These are strictly necessary for form functionality and do not track you across other websites.

9. Data Security

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it against unauthorised access, accidental loss, destruction, or alteration:

  • Password hashing: All passwords are hashed using bcrypt with an appropriate cost factor. Plaintext passwords are never stored or logged.
  • Token-based authentication: JWT access tokens have a short lifespan (60 minutes). Refresh tokens (30 days) enable session continuity without re-authentication.
  • Transport encryption: All communications between the App, website, and our servers are encrypted using TLS (HTTPS/SSL).
  • Access controls: Administrative access to the backend systems is restricted to authorised personnel only, through a dedicated admin authentication layer.
  • Database security: Data is stored in a PostgreSQL database with restricted network access. Redis is used for in-memory caching with appropriate security configurations.
  • Infrastructure isolation: Backend services are containerised (Docker) with controlled network exposure.

While we strive to use commercially acceptable means to protect your personal data, no method of transmission over the internet or method of electronic storage is 100% secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR.

10. Your Data Protection Rights

Under the GDPR and applicable Swiss data protection law, you have the following rights with respect to your personal data. We will respond to all requests within one calendar month of receipt.

Right of Access (Art. 15 GDPR)

You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it.

Right to Rectification (Art. 16 GDPR)

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)

You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you withdraw consent, where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed.

Right to Restriction of Processing (Art. 18 GDPR)

You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while we verify the accuracy of data you have contested.

Right to Data Portability (Art. 20 GDPR)

Where processing is based on your consent or a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g. JSON), and to transmit it to another data controller.

Right to Object (Art. 21 GDPR)

You have the right to object to processing carried out on the basis of our legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making and Profiling (Art. 22 GDPR)

MarketHand's AI Persona Engine makes automated inferences about your investor personality for the purpose of personalising your gameplay experience. This profiling does not produce legal or similarly significant effects on you. You have the right to request human review of any automated assessment that you believe has a meaningful impact on you.

Right to Withdraw Consent

Where we rely on your consent as the legal basis for processing, you have the right to withdraw that consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint

You have the right to lodge a complaint with a supervisory authority. In Switzerland, this is the Federal Data Protection and Information Commissioner (FDPIC). If you are in the EU/EEA, you may also lodge a complaint with the data protection authority in your country of residence.

To exercise any of these rights, please contact us at hello@markethand.ch with the subject line "Data Protection Request". We may need to verify your identity before processing your request. Exercising your rights is free of charge.

11. Children's Privacy

MarketHand is not directed at, and we do not knowingly collect personal data from, children under the age of 16 years (or the applicable minimum age in your jurisdiction). If you are under 16, please do not use the Services or provide any personal data to us.

If we become aware that we have inadvertently collected personal data from a child under the applicable age threshold without verifiable parental consent, we will take steps to delete that data promptly. If you believe we may have such data, please contact us immediately.

12. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or resources. This Privacy Policy applies only to our Services. We have no control over, and are not responsible for, the content, privacy policies, or practices of any third-party sites or services.

We encourage you to review the privacy policies of any third-party services you visit.

13. Changes to This Privacy Policy

We reserve the right to update or modify this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

We will notify you of material changes by:

  • Updating the "Last updated" date at the top of this page.
  • Sending an email notification to your registered email address (for significant changes).
  • Displaying a prominent notice within the App.

Your continued use of the Services after the effective date of the revised policy constitutes your acceptance of the changes. If you do not agree with the revised policy, please discontinue use of the Services and delete your account.

14. Governing Law and Jurisdiction

This Privacy Policy is governed by and construed in accordance with the laws of Switzerland, in particular the Swiss Federal Act on Data Protection (nFADP / revDSG), without prejudice to your rights under the GDPR where applicable.

For users located in the European Economic Area, please note that the GDPR applies to our processing of your personal data where we offer goods or services to you in the EU/EEA, or monitor your behaviour within the EU/EEA.

15. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy or our data processing practices, or if you wish to exercise any of your rights, please contact our data protection point of contact:

MarketHand — Privacy

Email: hello@markethand.ch

Subject line: "Data Protection Request"

We are committed to working with you to resolve any concerns you may have. If you are not satisfied with our response, you have the right to lodge a complaint with the competent supervisory authority:

  • Switzerland: Federal Data Protection and Information Commissioner (FDPIC) — www.edoeb.admin.ch
  • European Union: Your national or regional data protection authority.

© 2026 MarketHand · All rights reserved.