Privacy Policy

Last updated: 30 April 2026

Walnut Lens ("we", "us", "our") is a Chrome browser extension and associated web services operated by Pauli Walnuts (The Walnut Trading Company). This policy explains what data we collect, how we use it, and your rights.

1. Data We Collect

• Email address : provided at sign-up. Used for authentication (one-time passcode delivery), subscription management, and essential service communications such as trial reminders.
• Install ID : an anonymous identifier generated locally by the Chrome extension on first install. Used for device binding (maximum 2 devices per account) and session management.
• Discord username : optionally provided during checkout. Used solely to assign your subscription roles in our Discord community server.
• Subscription status : whether your account has an active subscription, which features are enabled, and your data refresh cadence. Stored in our database alongside your email.
• IP address (transient) : your IP may be checked at sign-up to enforce one free trial per network. The IP is stored in a dedicated table with a 1-year TTL and is not used for tracking or analytics.

2. Data We Do Not Collect

• Browsing history or URLs visited (beyond detecting TradingView to activate overlays)
• TradingView account credentials, chart drawings, or watchlists
• Financial data, trading activity, positions, or portfolio information
• Payment card numbers (processed exclusively by Stripe)
• Keystrokes, mouse movements, or behavioural analytics
• Data from any site other than TradingView and our own API

3. How We Use Your Data

• Authentication : your email receives one-time passcodes (OTP) for sign-in. We do not send marketing emails.
• Entitlements : your email is used to look up your subscription status and determine which overlay features (Levels, Blocks, GEX, News) are enabled.
• Device binding : your Install ID is stored to enforce the 2-device limit per account.
• Trial eligibility : your IP is checked once at sign-up to prevent duplicate free trials. It is not used for any other purpose.
• Discord roles : if you provide a Discord username, we automatically assign and remove roles matching your active subscription features.

4. Data Storage & Security

Your data is stored in AWS DynamoDB in the eu-west-2 (London) region. All data is encrypted at rest using AWS-managed encryption keys (SSE-KMS). Access is restricted to our server-side Lambda functions via IAM roles with least-privilege policies. All communication between the extension and our servers uses HTTPS/TLS.

5. Extension Permissions

The extension requests only the permissions it needs:

• storage : caches overlay data, authentication tokens, and your preferences locally in your browser.
• alarms : schedules periodic data refreshes from our API (replaces background timers under Manifest V3).
• tabs : sends data updates to open TradingView tabs so overlays refresh in real time.
• tts : powers the optional text-to-speech "Squawk" feature for market news headlines.
• Host access to tradingview.com : required to inject overlay rendering scripts onto TradingView charts.

6. Payment Processing

Payments are processed by Stripe. We never receive or store your payment card details. We store only your Stripe customer ID and subscription status.

7. Data Sharing

We do not sell, rent, or share your personal data with third parties. Data is shared only with:

• AWS : infrastructure provider (database, email delivery via SES, serverless compute).
• Stripe : payment processing.
• Discord : role assignment via the Discord Bot API (only if you provide your username).

8. Data Retention

Your account data is retained for as long as your account exists. If you cancel your subscription, your data remains until you request deletion. Trial IP records expire automatically after 1 year. Server logs are retained for 7 days.

9. Your Rights

You may:

• Sign out at any time from the extension popup, which clears all locally stored data.
• Request a copy of all data we hold about you.
• Request deletion of your account and all associated data. We will process your request and confirm deletion within 30 days.

10. Children

Walnut Lens is not directed at children under 13. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Continued use of the extension after changes constitutes acceptance.

12. Contact

For privacy-related requests, contact us at enquiries@walnutlens.com.