Privacy Policy
Effective May 8, 2026. Last updated May 8, 2026.
Derivatives Insights ("we", "our", "the platform") respects your privacy. This page explains what personal data we collect, why we collect it, where it is stored, who else has access to it, and what rights you have over it under the EU General Data Protection Regulation (GDPR).
Data controller
The data controller for personal data collected through derivativesinsights.com is Derivatives Insights, contactable at [email protected].
Data we collect
When you create an account, we collect and store:
- Email address — used as your unique identifier to log in and to send transactional emails (signup confirmation, password reset).
- Password — never stored in plaintext. We hash it with bcrypt (rounds = 12) before writing to the database. Only the hash is stored.
- Plan and timestamps — your current plan (free / pro / enterprise / admin), the timestamp of account creation, and the timestamp of last update.
We do not collect:
- Your real name (unless you choose to use it as your email username).
- Your date of birth, address, phone number, or any other identifier.
- Tracking cookies or third-party analytics data (no Google Analytics, no Facebook Pixel).
- Payment card data — when Stripe checkout is added, card data is handled entirely by Stripe and never touches our servers.
Why we collect it
- Authentication — to recognise you when you sign back in.
- Service delivery — to grant you access to the features your plan covers (free / pro features).
- Transactional communication — to confirm signups, send password resets, and (in the future) billing receipts.
- Operations notification — when you sign up, we send a notification email to the founder so we can welcome new users manually during the beta period.
Where data is stored
- PostgreSQL database hosted on Railway (US-based PaaS). Backups are encrypted at rest.
- Authentication tokens are stored client-side in your browser's localStorage. They expire after 7 days.
Sub-processors
We share the minimum data necessary with the following sub-processors, under contractual GDPR safeguards:
- Railway (US) — application hosting and database.
- Resend (US) — transactional email delivery (signup notifications, future password resets). Receives only your email address and the email body.
- Cloudflare (US) — DNS, CDN, basic DDoS protection. May process your IP address as part of network-layer routing.
Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify any inaccurate data.
- Delete your account and all associated data ("right to be forgotten").
- Export your data in a machine-readable format (data portability).
- Object to specific processing activities.
- Lodge a complaint with your national data protection authority (CNIL in France).
To exercise any of these rights, email [email protected]. We respond within 30 days.
Retention
We keep your account data for as long as your account is active. If you delete your account, we permanently delete all associated personal data within 30 days, except where retention is legally required (e.g. invoices for paid subscriptions kept 10 years for tax purposes).
Cookies
We do not use any tracking, advertising or analytics cookies. The only client-side state we set is the authentication token in localStorage, which is functionally necessary for the service.
Children
The platform is not directed at children under 16. We do not knowingly collect data from anyone under 16.
Changes to this policy
Material changes will be communicated by email at least 30 days before they take effect. The effective date at the top of this page reflects the most recent revision.