Privacy policy
What we collect, why, and how to control it. GDPR + CCPA-aware.
Last updated: 2026-05-06 · Controller: albascape · Privacy contact: privacy@funddata.example
§1 Who we are
Funddata is operated by albascape (“we”, “Funddata”), the data controller for personal data processed through the Service. This policy explains what we collect, why, how we use it, who we share it with, and how to exercise your rights. It applies to the Funddata website, the Ledger Terminal interface, the public API surfaces, and the AI analyst.
§2 Categories of personal data we process
- Account data — email, hashed password (Supabase Auth), display name, organization (optional).
- Workspace state — watchlists, saved portfolios, alert rules, layout preferences. Owner-only via row-level security.
- Telemetry — pageviews, navigation events, basic technical headers (IP-derived country, user agent, referrer).
- AI analyst logs — prompts you send to /ask, the responses, and tool-call traces.
- Cookies — session, theme, source preferences (see §7).
- Billing data — if you subscribe to a paid plan: name, billing address, last 4 of card (Stripe handles the PAN; we never see it).
- Support correspondence — emails / messages you send us and our replies.
§3 What we don't collect
We do not buy or rent personal data from data brokers. We do not embed third-party advertising trackers. We do not profile you for marketers. We do not collect biometric data or precise GPS location. We do not collect sensitive categories under GDPR Article 9 (race, religion, health, etc.); please do not submit them.
§4 Purposes & legal bases (GDPR Art. 6)
- Provide the Service — contractual necessity (Art. 6(1)(b)).
- Authenticate, deliver workspace state, send transactional email — contractual necessity.
- Operate, debug, secure, and improve the Service — legitimate interest (Art. 6(1)(f)) with a balancing test that prefers minimization.
- Comply with law, respond to lawful requests, defend claims — legal obligation (Art. 6(1)(c)) and / or legitimate interest.
- Process payments — contractual necessity.
- Marketing email — consent (Art. 6(1)(a)); revocable any time via the unsubscribe link.
§5 Sub-processors
We engage a small set of vendors to operate the Service. Each is contractually bound to handle data only as needed and to maintain appropriate technical and organizational measures.
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase | Postgres + auth (account, workspace, RLS) | EU / US (per plan) |
| Vercel | Application hosting + edge cache + log drain | Global (CDN), US primary |
| Anthropic | Claude inference for the Ask analyst | US |
| Stripe | Subscription billing | US / Ireland |
| Resend / Postmark | Transactional email (alerts, password reset, security notices) | US / EU |
| FMP / EODHD / Finnhub | Read-only market-data sources (we send queries, not user data) | US / EU |
| SEC EDGAR / FRED / Polymarket / IMF / World Bank / OECD / BIS | Read-only public-data sources (no user data sent) | Public |
§6 International transfers
Data may be transferred outside your country of residence to operate the Service. Where a transfer leaves the EEA / UK, we rely on Standard Contractual Clauses (SCCs) and additional safeguards under Schrems II (encryption in transit and at rest, role-based access, least-privilege, audit logging). On request we will provide the relevant SCC version and transfer impact assessment summary.
§7 Cookies & similar technologies
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token / sb-refresh-token | Supabase Auth session | 1h / 30d |
| fd_theme | Light / dark theme preference | 1y |
| fd_src_quote / fd_src_candles / fd_src_profile / fd_src_news / fd_src_search | Per-data-kind data-source preference (FMP / EODHD / Finnhub) | 1y |
§8 Data retention
| Data | Retention |
|---|---|
| Account data | Lifetime of account; deleted within 30 days of account closure |
| Workspace state (watchlists / portfolios / alerts) | Lifetime of account; deleted within 30 days of account closure |
| AI prompt + response logs | 90 days |
| Telemetry / access logs | 30 days online, 12 months in cold storage |
| Billing records | 7 years (legal / tax requirement) |
| Backups | 30 days rolling |
| Security incident records | 2 years |
§9 Your rights (GDPR / UK GDPR)
- Access (Art. 15) — a copy of your data and processing details.
- Rectification (Art. 16) — correct inaccurate or incomplete data.
- Erasure / right to be forgotten (Art. 17) — delete your account and personal data, subject to legal retention.
- Restriction (Art. 18) — limit processing pending verification.
- Portability (Art. 20) — receive your data in a machine-readable format (JSON).
- Objection (Art. 21) — object to processing based on legitimate interests or direct marketing.
- Withdraw consent — where processing is based on consent (e.g. marketing email).
- Lodge a complaint — with your local supervisory authority (ICO in the UK; CNIL in France; etc.).
§10 California rights (CCPA / CPRA)
California residents may request: (a) the categories and specific pieces of personal information we collected; (b) the categories of sources, purposes, and recipients; (c) deletion of personal information; (d) correction of inaccurate personal information; (e) the right to opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioral advertising; (f) the right to limit use of sensitive personal information — we do not collect sensitive personal information as defined by CPRA. Submit requests to privacy@funddata.example. We do not discriminate against users who exercise their rights.
§11 Children's privacy
The Service is not directed to and not intended for children under 18. We do not knowingly collect personal information from minors. If we become aware that we have collected such information without verifiable parental consent, we will delete it.
§12 Security measures
We use industry-standard safeguards: TLS 1.2+ in transit, AES-256 at rest, encrypted backups, role-based access control, least-privilege production access, mandatory MFA for admin roles, audit logging, secret scanning, dependency scanning, and quarterly access reviews. Postgres row-level security restricts user data to its owner.
§13 Breach notification
If a personal-data breach is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware (per GDPR Art. 33) and notify affected users without undue delay where the risk is high (Art. 34). Status updates will be posted at /api/health.
§14 Automated decision-making
We do not engage in solely automated decision-making with legal or similarly significant effects under GDPR Art. 22. The AI analyst produces outputs you choose to act on; nothing the model says binds you or us automatically.
§15 Changes to this policy
Material changes will be flagged on this page and — for paid users — via email at least 14 days before they take effect. Continued use of the Service after the effective date constitutes acceptance.
§16 Contact / DPO
Privacy contact / data-protection officer (designated where required): privacy@funddata.example. Postal: albascape — c/o registered agent. EU / UK representative: appointed where required by law; details available on request. See also contact.
This document is a starting point and is not legal advice. Have qualified counsel review and adapt to your specific jurisdiction(s) (GDPR / UK GDPR / CCPA / CPRA / LGPD / PIPL / etc.) and operational footprint before publication.