Privacy Policy

We collect the minimum data necessary to provide and improve our service:

DepthSignal is a market-data analytics service. We provide visible market context and supporting analytics. We do not handle funds, execute orders, or connect to your exchange accounts. We have no access to your exchange credentials, balances, or order history. Account credentials are stored using one-way cryptographic controls and cannot be recovered in plaintext.

All payment processing is handled by our payment provider, Revolut Europe UAB. DepthSignal stores only the customer and subscription reference data needed to manage subscriptions; we do not store your full credit card number, CVV, or other sensitive payment details.

We store only a customer reference ID from our payment provider for the purpose of managing your subscription. Revolut acts as an independent data controller for payment data they process.

Under GDPR Article 6, we process your personal data on the following legal bases:

• Contract performance (Art. 6(1)(b)): Processing your account information and subscription data is necessary to provide the DepthSignal service you subscribed to. (GDPR Article 6(1)(b); contract basis)
• Legitimate interest (Art. 6(1)(f)): Processing API usage logs for abuse prevention, rate limiting, service security, and service improvement. Our legitimate interest is to maintain a secure, reliable API service. This does not override your fundamental rights. (GDPR Article 6(1)(f); legitimate interests)
• Legal obligation (Art. 6(1)(c)): Retaining certain data as required by Estonian and EU tax, accounting, and business regulations.
• Consent (Art. 6(1)(a)): Newsletter subscriptions are based on your explicit, freely given consent via double opt-in. You can withdraw consent at any time by unsubscribing. (GDPR Article 6(1)(a); consent)

We retain personal data only for as long as necessary for the purposes set out in this policy (GDPR Article 5(1)(e); storage limitation).

As a data subject, you have the following rights under the GDPR. Where possible, we provide self-service API endpoints so you can exercise these rights immediately:

• Right of access (Article 15): You can view all personal data we hold about you via the customer portal at any time. (Article 15)
• Right to rectification (Article 16): You can update your profile information (email, company name) directly via the customer portal profile settings. (Article 16)
• Right to erasure (Article 17): You can delete your account and all associated data by calling DELETE /v1/customer/me. This permanently removes your account, API keys, and usage data. Billing records are retained for 7 years as required by Estonian tax law. EU Article 16(m) consent records (per-transaction audit trail for the 14-day withdrawal-right waiver) are retained 7 years under the legitimate-interest legal basis (Article 6(1)(f)) for the same Estonian Accounting Act + EU consumer-protection enforcement window. These records survive Article 17 erasure of the linked customer account: the customer link is set to NULL, the consent record itself remains so that, if a chargeback or consumer-protection claim is filed, the original consent can still be evidenced. (Article 17)
• Right to data portability (Article 20): You can export all your data in a structured, machine-readable JSON format by calling GET /v1/customer/export. The export includes your profile, subscription details, API key metadata, and usage history. (Article 20)
• Right to restriction (Article 18): You can request that we restrict processing of your data in certain circumstances. (Article 18)
• Right to object (Article 21): You can object to processing based on legitimate interest. We will cease processing unless we demonstrate compelling legitimate grounds. (Article 21)

How to exercise your rights: For rights not available via self-service, send a request to [email protected] with the subject line "GDPR Data Request". We will verify your identity and respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or your local supervisory authority. (GDPR Article 77)

We split cookies and comparable browser storage into three categories. The consent banner shown on your first visit lets you accept, reject, or customize them. Your choice is stored in the ds_consentcookie (and a localStorage mirror) for one year. You can revisit the banner any time via the Cookie Preferences link in the footer (ePrivacy Directive 2002/58/EC Article 5(3); GDPR Article 7(3)).

No third-party advertising networks, fingerprinting, or tracking pixels are used under any category.

With your consent we use PostHog (self-hosted by Ravenna OÜ on EU infrastructure) to understand how the product is used so we can improve it. PostHog is operated as a data processor on our own servers. No data leaves the EU and no third-party analytics vendor receives your events.

• Data collected: page views, clicks, session duration, IP address (anonymized after 90 days), user agent, screen size, and authenticated user ID for logged-in users.
• Legal basis: consent (GDPR Article 6(1)(a)). Analytics is off by default: nothing is recorded until you opt in.
• Retention: raw events are kept for up to 90 days, then anonymized or deleted by an automated nightly job.
• Third-party sharing: none. PostHog runs on our own EU servers (Hetzner, Germany/Finland).

Your rights: under GDPR you can access, rectify, erase, port, or object to this processing at any time. You can also exercise all of these from inside the app:

• Reject or customize cookies from the banner or Cookie Preferences link in the footer.
• Toggle analytics at any time from Account Settings → Privacy.
• Download your data via GET /v1/customer/export (also linked from Privacy settings).
• Delete your account (right to erasure). This also deletes your PostHog person profile.

We share personal data with the following third-party processors only, each bound by data processing agreements (GDPR Article 28):

We do not use third-party advertising networks, tracking pixels, or fingerprinting vendors. PostHog is listed above because it processes personal data on our behalf, even though the instance is self-hosted on our own EU infrastructure. Analytics is strictly opt-in. We do not share your personal data with any other third parties except where required by law.

Core DepthSignal infrastructure is hosted in the European Union. Most account and service operations run on EU-hosted systems.

Some processing involves US-based sub-processors for specialized services (for example, email delivery, AI processing, and issue tracking). Our payment processor is EU-based. Where personal data is transferred outside the EEA, we apply GDPR Chapter V safeguards, including Standard Contractual Clauses and additional contractual or technical protections where required.

For UK-restricted transfers, UK transfer addendum mechanisms are applied where legally required. For Switzerland-restricted transfers, Swiss transfer requirements are applied where legally required.

As a small company, we are not required to appoint a Data Protection Officer (DPO) under GDPR Article 37. However, for any data protection inquiries, you may contact us directly:

• Email: [email protected]
• Subject line: "Data Protection Inquiry"

You also have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) (GDPR Article 13(1)(a)-(b)):

• Website: www.aki.ee/en
• Email: [email protected]

When you use AI chat features, the following applies to your conversation data:

• Storage. Your messages and AI responses are stored in our database to provide chat history across sessions.
• Third-party processing. Conversations are sent to a third-party AI provider for processing. Current provider: OpenAI.
• No model training. AI providers process conversation data under contractual data processing commitments. Data Processing Agreements (DPAs) are in place with relevant sub-processors, including transfer safeguards where required.
• Your control. You can delete all conversation history at any time from Settings.
• Automatic deletion. Conversations are automatically deleted after 30 days (Trader plan), 90 days (Professional and Expert plans), or 1 year (Enterprise plan).

The legal basis for processing AI conversation data is contract performance (Art. 6(1)(b) GDPR): processing is necessary to deliver the AI feature you have requested as part of your subscription.

We may update this Privacy Policy to reflect changes in our practices or legal requirements. When we make material changes, we will notify you via the email address associated with your account at least 14 days before the changes take effect.

The current version of this Privacy Policy is always available at this page. Minor clarifications or formatting changes may be made without notice.