Privacy Policy

Scope

This Privacy Policy explains what personal data the Market Scanner platform ("the platform", "we", "us") collects, why we collect it, how we use and share it, and the rights you have over it. It applies to your use of the platform as an account holder or visitor.

Data we collect

• OAuth profile (email, display name, avatar) from Google or GitHub.
• Tickers added to your watchlist.
• Scan / job history and the resulting reports.
• Approximate signup country, derived from your IP at signup.
• Per-request LLM telemetry (internal cost-tracking; not surfaced).
• Records of your consent to these documents (which version, when).

We do not store the contents of the third-party API keys you supply beyond what is needed to run your analyses; see "Bring-your-own-key" below.

Why we collect it

We process the data above for the following purposes: account management, scan execution, library access, internal cost tracking, and sanctions enforcement. We also process limited data as required to comply with legal obligations and to protect the platform and its users against misuse.

The specific legal bases under GDPR Art. 6 (for example, performance of a contract, legitimate interests, legal obligation, or consent) will be set by counsel before publication of this document.

How we use your data

• To create and maintain your account and authenticate you at sign-in.
• To run the analysis pipeline you request and store the resulting reports so you can revisit them.
• To make reports you choose to publish available in the library.
• To track internal usage and cost, and to operate, secure, and improve the platform.
• To screen signups against sanctions and screening lists and to enforce the eligibility terms in the Terms of Service.

We do not sell your personal data, and we do not use it for third-party advertising.

Staff and moderator access

Authorised platform staff and moderators may access your reports and account data where it is necessary to operate the service — for example, to investigate and resolve refund or feedback requests, to monitor the analysis queue, to maintain the quality and security of the platform, and to detect, prevent, or respond to fraud, abuse, or breaches of the Terms of Service. Moderator access extends to reports you have kept private, not only to reports you have published.

This access is limited to what each task requires. Moderators identify your account by an internal account identifier rather than your name or email, and every report a moderator views, and every administrative action they take, is recorded in an internal audit log. We do not use this access to share or sell your reports; see the Terms of Service for how published versus private reports are treated.

Sub-processors

The platform shares limited operational data with: the LLM providers you bring keys for (BYOK), the database host, and (when payments ship) the payment processor. Each acts as a sub-processor handling data on our instructions. A formal sub-processor list will be published with the counsel-finalised version of this document.

Bring-your-own-key

To run analyses you supply your own API keys for third-party large-language-model and market-data providers. When a scan runs, the platform sends the necessary request data to the provider whose key you supplied. That provider processes the request under its own privacy terms, which apply to you directly and are outside our control. Review the privacy terms of any provider before adding its key.

Data retention

We retain your account data for as long as your account exists. Scan history, reports, and consent logs are retained while they remain associated with your account. When you delete your account, per-user data is removed as described under "Your rights"; limited records may be retained where we are required to keep them by law.

For abuse prevention we retain a one-way hash of the email address and OAuth provider identifier associated with promotional token grants (for example, the welcome bucket new users receive on signup). These records do not allow us to re-identify a deleted account; their sole purpose is to detect repeated grant requests from the same identity. We rely on the legitimate-interest lawful basis (GDPR Art. 6(1)(f) — fraud and abuse prevention) for this limited retention.

Your rights

You may export or delete your account data at any time. The export returns a JSON file of the per-user records we hold — your account, watchlist, scan and job history, report-access records, token balances, stored memories, and consent logs. Stored third-party API keys are included in metadata form only; the encrypted key material itself is never exported. Deleting your account removes your per-user records — your account, watchlist, saved keys, token balances, stored memories, and consent logs. Reports are system-owned and contain no personal data of the publisher; they remain on the platform, and any report you published stays available to other users in the library.

Depending on your location, you may also have rights to access, correct, restrict, or object to certain processing, and to lodge a complaint with your local data-protection authority. The full set of rights and how to exercise them will be confirmed by counsel.

Security

We apply technical and organisational measures designed to protect personal data against unauthorised access, loss, or disclosure. No system is perfectly secure; you are responsible for keeping your account credentials and your third-party API keys confidential.

International transfers

Operating the platform may involve transferring data to sub-processors located in other countries. Where that occurs, appropriate safeguards for international transfers will be described in the counsel-finalised version of this document.

Children

The platform is not directed to children and is intended for users who are at least 18 years old. We do not knowingly collect personal data from children.

Changes and contact

We may update this Privacy Policy from time to time. Material changes will be published and, where they affect documents covered by the consent gate, you will be asked to re-accept. For privacy questions or to exercise your rights, contact the platform operator using the details published on the platform.