Effective date: September 1, 2025
Legal entity: Valyou LLC (“Banana Farmer,” “we,” “us,” “our”)
Contact: info@bananafarmer.app
Services covered: bananafarmer.app (landing/waitlist) and app.bananafarmer.app (web app) (together, the “Service”).
Territory: United States only. The Service is intended for U.S. residents physically located in the U.S.

Plain-English snapshot (not a substitute for the policy below)

• We collect the minimum needed to run a US-only analytics app (account details, email, payment via Stripe, basic device/usage info, referral/UTM parameters).

• We do not collect brokerage credentials or trade on your behalf.

• Market/crypto/social metrics come from vendors and public sources; we use them to compute scores/badges.

• We use Cloudflare to enforce US-only access and security.

• You can access, correct, or delete your data; opt out of marketing; and export your waitlist/account info.

• We don’t sell your personal information.

1) Scope & Relationship to the Terms

This Privacy Policy explains how we collect, use, disclose, and protect information in the Service. By using the Service, you agree to this Policy and our Terms of Service.

2) What We Collect

We collect information in three ways: (A) you provide it, (B) we collect it automatically, and (C) we obtain it from third parties.

A) Information you provide

• Waitlist & referrals (Prefinery): email address; consent; optional name; referral link data; anti-fraud signals (e.g., duplicate sign-ups).

• Account & profile (app): email, password (hashed), state or ZIP (optional), preferences (e.g., watchlist, notification settings).

• Support & surveys: messages, feature requests, bug reports, survey answers.

• Billing (Stripe): name, email, billing address, last4/brand/expiry of card via Stripe (we don’t see full card numbers).

• Consent records: timestamps and IP related to opt-in/out, ToS acceptance.

B) Information collected automatically

• Device & log data: IP address, approximate region/country, user-agent, device type, browser, OS, referrer, pages viewed, timestamps.

• US-only gate signals: IP-based geolocation country code, WAF challenge/allow/deny results, VPN/proxy flags.

• Session/usage metrics: feature clicks (e.g., toggles All/Stocks/Crypto), score views, time on page, error telemetry, rate-limit events.

• Cookies & similar tech:

  • Strictly necessary: session/auth, CSRF, WAF/edge cache, referral attribution.

  • Analytics (low-privacy/aggregated) if enabled (e.g., self-hosted or privacy-friendly analytics): page events, conversion funnels.

  • No third-party ad pixels at launch. If we add them later, we’ll update this Policy and provide an opt-out.

C) Information from third parties

• Payment processor (Stripe): payment status, fraud screening results, subscription state.

• Waitlist/referrals (Prefinery): referral counts, rank, unique invite code usage, anti-fraud scoring.

• Infrastructure & security (Cloudflare): IP reputation, bot score, threat intel, edge logs.

• Market & crypto data (vendors such as Polygon and CoinGecko): quotes, OHLCV, metadata; not your brokerage/exchange data.

• Public social-signal sources (e.g., Reddit/X aggregations): public counts/velocity/trends only; we do not connect to or store your personal social-media accounts.

3) How We Use Information (Purposes)

We use information to:

1. Provide and operate the Service (auth, sessions, dashboards, paywall, trials).

2. Compute analytics (scores, badges, explanations) from vendor/public data.

3. Enforce US-only access and protect against abuse (WAF, IP geofence, rate limits, anti-fraud).

4. Process payments & subscriptions (Stripe).

5. Run the waitlist & referral program (unique links, leaderboards, anti-fraud via Prefinery).

6. Measure performance and improve the product (aggregated analytics, A/B tests).

7. Communicate with you (transactional emails, product updates, build-in-public milestones; you can opt out of marketing).

8. Comply with law, taxation, accounting, and to assert or defend legal claims.

We do not sell, broker, or share your personal information for cross-context behavioral advertising. If that changes, we will update this Policy and provide required opt-outs.

4) Our Legal Basis (transparency)

While we are US-only, we explain our bases in GDPR-style terms for clarity:

• Contractual necessity: running your account, providing the Service/trial, processing payments.

• Legitimate interests: security, fraud prevention, US-only enforcement, product analytics, improving features.

• Consent: marketing emails, optional cookies/analytics where applicable.

• Legal obligations: tax/financial recordkeeping, responding to lawful requests.

5) How We Share Information

We share information with service providers/processors under contracts that limit their use to our instructions:

• Framer (site/hosting for LP), Cloudflare (WAF, CDN, IP geofence), Prefinery (waitlist/referrals), Stripe (payments),
  email service provider (e.g., Loops/Beehiiv or similar), error/performance monitoring (if used), and market-data vendors (Polygon/CoinGecko).

• Professional advisors (legal, accounting, compliance) under confidentiality.

• Law enforcement or regulators when required by law or to protect rights/safety.

• Business transfers: if we explore or complete a merger, acquisition, or asset sale, data may be transferred under this Policy.

We do not publish user lists. Aggregate, de-identified analytics (e.g., “% of users favor Stocks toggle”) may be shared publicly.

6) Cookies & Controls

• Required cookies: auth session, CSRF, WAF, referral attribution.

• Analytics cookies: optional and privacy-respecting if/when enabled; we’ll present a banner/setting if required.

• Do Not Track (DNT): there’s no industry consensus; we treat DNT as a preference but may not respond to it.

You can clear or block cookies in your browser; required cookies are needed for the app to function.

7) US-Only Access; International Visitors

The Service is offered only in the United States. We use IP geolocation, WAF rules, and payment checks to restrict access. If you are outside the U.S., do not use the Service. If we inadvertently collect data from a non-US person, contact us to request deletion.

8) Data Retention

We retain data only as long as necessary for the purposes above:

Data TypeTypical RetentionWaitlist records (email, referral metrics)24 months after last activity or until deletion requestAccount profile & watchlistWhile account is active; 30–60 days after deletion request (backup cycles)Billing/subscription records (Stripe)7 years (tax/accounting)Security logs/WAF events90–180 days unless needed longer for investigationsSupport tickets24 months after resolutionAggregated analyticsIndefinite in de-identified form

We may retain information longer if required by law or to resolve disputes.

9) Your Choices & Rights

Regardless of your state, we provide these controls:

• Access/Export: request a copy of your personal information.

• Correction: update inaccurate information.

• Deletion: delete your account and personal information (subject to lawful exceptions).

• Marketing opt-out: unsubscribe from non-transactional emails any time.

• Opt-out of referrals leaderboard: contact us to pseudonymize or exclude your display.

How: Use in-app settings (where available) or email privacy@bananafarmer.app. We may verify your identity (e.g., email confirmation). Agents may submit on your behalf with proof of authorization.

State-specific (CA, CO, CT, UT, VA, etc.)

We do not “sell” personal information, and we do not “share” it for cross-context behavioral advertising as defined by applicable laws. If that changes, we will provide required opt-outs and disclosures. You will not be discriminated against for exercising your rights.

10) Security

We use reasonable administrative, technical, and physical safeguards, including:

• Encryption in transit (HTTPS) and hashed passwords.

• Cloudflare WAF, bot mitigation, and rate limiting.

• Access controls and least-privilege practices for staff.

• Vendor due diligence and DPAs where appropriate.

No system is 100% secure. If we detect a breach impacting your data, we will notify you and authorities as required by law.

11) Children’s Privacy

The Service is for adults (18+) and is not directed to children. We do not knowingly collect information from anyone under 13. If you believe a child provided information, contact us to remove it.

12) Automated Decision-Making & Profiling

Our product uses automated scoring models to classify assets (not people) as Ripening / Ripe / Overripe and to compute a composite score. We do not make automated decisions about you that produce legal or similarly significant effects.

13) Third-Party Links

The Service may contain links to third-party sites. Their privacy practices are governed by their own policies; we’re not responsible for their content or practices.

14) Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new Effective date and, for material changes, provide notice within the Service or via email. Your continued use constitutes acceptance.

15) How to Contact Us

• Email: privacy@bananafarmer.app (privacy requests) • hello@bananafarmer.app (general)

• Mail: [Banana Farmer, Inc., Attn: Privacy, Street, City, State, ZIP]

16) Data Map (Appendix for Transparency)

Controllers & processors we rely on (illustrative at launch):

• Controller: Banana Farmer, Inc.

• Processors:

  • Framer (LP/hosting)

  • Cloudflare (CDN/WAF/IP geofence, logs)

  • Prefinery (waitlist, referral links, anti-fraud)

  • Stripe (payments; card tokenization; charge/retry)

  • Email provider (e.g., Loops/Beehiiv; transactional + marketing)

  • Market data vendors (e.g., Polygon for U.S. equities; CoinGecko for crypto)

  • Error/performance monitoring (if enabled)

Categories of personal information (examples):

• Identifiers: email, IP, referral code, device identifiers (cookies).

• Commercial: subscription plan, billing status, limited card metadata via Stripe (we do not store full PAN).

• Internet/activity: pages viewed, UI events, timestamps, referral/UTM parameters.

• Geolocation (coarse): country/state inferred from IP (for US-only controls).

• Inferences: none about you; scoring models apply to assets, not people.

17) Your Deletion/Export Instructions (Operational)

• Waitlist only: click unsubscribe in any email or email privacy@bananafarmer.app to remove your waitlist/referral data.

• Account: use Settings → Delete account, or email us with the request from your account email. We’ll confirm and remove within 30–45 days (subject to required recordkeeping).

• Export: email us for an export of your account profile, referral metrics, and basic usage logs (in common formats like JSON/CSV).

18) US-Only Enforcement (Details)

We may deny, challenge, or revoke access based on signals that suggest non-US location or misuse (e.g., VPN/proxy, repeated geofence circumvention). We may keep limited deny-list metadata to protect the Service and our data vendors.