Privacy Policy
Last updated: June 2026
This policy applies to secretstocks.com and is provided pursuant to Art. 13/14 GDPR (Datenschutz-Grundverordnung).
1. Data Controller (Verantwortlicher)
The data controller responsible for this website within the meaning of Art. 4(7) GDPR is:
Philipp Rall
⚠️ PLACEHOLDER — must be replaced before public launch
Privacy contact email — e.g. privacy@secretstocks.com
Full postal address is provided in the Imprint (Impressum) once finalized before public launch.
2. Data We Collect
Secret Stocks does not require user registration or account creation. We collect minimal data limited to what is technically necessary to serve the website:
- Server logs (Vercel): IP address, browser user-agent, referring URL, timestamp, and HTTP status code — retained for up to 30 days for security and debugging purposes.
- Anonymized analytics (Vercel Analytics): Aggregated page-view counts and Core Web Vitals without persistent identifiers. See §4 for cookie and consent details.
- Screener inputs: Stock ticker queries entered into the search interface are processed server-side to fetch financial data. They are not stored or linked to any user identity.
Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure and functional website.
3. Sub-Processors & Third-Party Services
We use the following sub-processors. Each receives only the data necessary for its specific function.
| Provider | Purpose | Location | Legal Basis |
|---|---|---|---|
| Vercel Inc. | Website hosting, CDN, serverless functions | USA (AWS) | Art. 6(1)(f). DPA accepted on signup; SCC apply per Vercel Terms. |
| Hostinger | WordPress CMS hosting (content database) | EU (LT) | Art. 6(1)(f). Hostinger is an EU-based processor; no third-country transfer. |
| Financial Modeling Prep | Financial market data API | USA | Art. 6(1)(f). API requests contain no personal data — only stock ticker symbols and query parameters. |
| OpenAI | AI content generation for stock analyses | USA | Art. 6(1)(f). DPA via OpenAI's Data Processing Addendum. TODO(B10-LIVEGANG): verify DPA acceptance status before launch. |
| Google LLC (Gemini API) | Gemini models (Flash + Pro) for AI text generation in newsroom pipeline | USA | Art. 6(1)(f). DPA via Google's Cloud Data Processing Addendum. TODO(B10-LIVEGANG): verify DPA acceptance status before launch. |
| n8n | Workflow automation (content pipeline) | EU (DE) | Art. 6(1)(f). n8n Cloud is EU-hosted; DPA available in n8n Cloud Terms. |
| GitHub (Microsoft) | Source code hosting (no user data processed) | USA | Art. 6(1)(f). DPA per GitHub Terms of Service. |
For USA-based processors: data transfers rely on Standard Contractual Clauses (SCC) adopted by the European Commission (Art. 46(2)(c) GDPR) or the EU–U.S. Data Privacy Framework (Art. 45 GDPR) where applicable. Supplementary measures per Art. 49 GDPR apply where SCC confirmation is pending.
4. Cookies & Tracking
- Strictly necessary cookies: This website does not set first-party cookies for authentication or session state, as no user accounts exist.
- Vercel Analytics: We use Vercel Analytics for aggregated, anonymized traffic measurement (page views, Core Web Vitals). Vercel Analytics uses a hashed, rotating identifier derived from the IP address and user-agent — no persistent cookie is set. However, this still constitutes processing of personal data under GDPR and requires either a legitimate-interest assessment or explicit consent under Art. 6(1)(a).
✓ Consent Implemented
A cookie consent banner is implemented. Vercel Analytics is loaded only after explicit user consent (Art. 6(1)(a) GDPR). No analytics script is requested until you choose “Accept”; choosing “Reject” keeps it disabled.
5. Data Retention
- Server logs (Vercel): Retained for up to 30 days, then automatically deleted by Vercel.
- Anonymized analytics: Aggregated, non-identifiable data may be retained for up to 12 months for trend analysis.
- Ticker queries: Not stored. Processed in memory per request only.
6. Your Rights (Art. 15–22 GDPR)
As a data subject under GDPR, you have the following rights. To exercise them, contact us at the email address listed in §1 above.
- Art. 15 — Right of access
- Art. 16 — Right to rectification
- Art. 17— Right to erasure (“right to be forgotten”)
- Art. 18 — Right to restriction of processing
- Art. 20 — Right to data portability
- Art. 21 — Right to object (applies to Art. 6(1)(f) processing)
- Art. 77 — Right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).
7. Changes to This Policy
We may update this policy as the platform evolves — for example, when new sub-processors are added or when the cookie consent banner is implemented. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after a material update constitutes acknowledgment of the revised policy.