Secret Stocks Logo

Privacy Policy

Last updated: June 2026

This policy applies to secretstocks.com and is provided pursuant to Art. 13/14 GDPR (Datenschutz-Grundverordnung).

1. Data Controller (Verantwortlicher)

The data controller responsible for this website within the meaning of Art. 4(7) GDPR is:

Philipp Rall

⚠️ PLACEHOLDER — must be replaced before public launch

Privacy contact email — e.g. privacy@secretstocks.com

Full postal address is provided in the Imprint (Impressum) once finalized before public launch.

2. Data We Collect

Secret Stocks does not require user registration or account creation. We collect minimal data limited to what is technically necessary to serve the website:

  • Server logs (Vercel): IP address, browser user-agent, referring URL, timestamp, and HTTP status code — retained for up to 30 days for security and debugging purposes.
  • Anonymized analytics (Vercel Analytics): Aggregated page-view counts and Core Web Vitals without persistent identifiers. See §4 for cookie and consent details.
  • Screener inputs: Stock ticker queries entered into the search interface are processed server-side to fetch financial data. They are not stored or linked to any user identity.

Legal basis: Art. 6(1)(f) GDPR — legitimate interest in operating a secure and functional website.

3. Sub-Processors & Third-Party Services

We use the following sub-processors. Each receives only the data necessary for its specific function.

ProviderPurposeLocationLegal Basis
Vercel Inc.Website hosting, CDN, serverless functionsUSA (AWS)Art. 6(1)(f). DPA accepted on signup; SCC apply per Vercel Terms.
HostingerWordPress CMS hosting (content database)EU (LT)Art. 6(1)(f). Hostinger is an EU-based processor; no third-country transfer.
Financial Modeling PrepFinancial market data APIUSAArt. 6(1)(f). API requests contain no personal data — only stock ticker symbols and query parameters.
OpenAIAI content generation for stock analysesUSAArt. 6(1)(f). DPA via OpenAI's Data Processing Addendum. TODO(B10-LIVEGANG): verify DPA acceptance status before launch.
Google LLC (Gemini API)Gemini models (Flash + Pro) for AI text generation in newsroom pipelineUSAArt. 6(1)(f). DPA via Google's Cloud Data Processing Addendum. TODO(B10-LIVEGANG): verify DPA acceptance status before launch.
n8nWorkflow automation (content pipeline)EU (DE)Art. 6(1)(f). n8n Cloud is EU-hosted; DPA available in n8n Cloud Terms.
GitHub (Microsoft)Source code hosting (no user data processed)USAArt. 6(1)(f). DPA per GitHub Terms of Service.

For USA-based processors: data transfers rely on Standard Contractual Clauses (SCC) adopted by the European Commission (Art. 46(2)(c) GDPR) or the EU–U.S. Data Privacy Framework (Art. 45 GDPR) where applicable. Supplementary measures per Art. 49 GDPR apply where SCC confirmation is pending.

4. Cookies & Tracking

  • Strictly necessary cookies: This website does not set first-party cookies for authentication or session state, as no user accounts exist.
  • Vercel Analytics: We use Vercel Analytics for aggregated, anonymized traffic measurement (page views, Core Web Vitals). Vercel Analytics uses a hashed, rotating identifier derived from the IP address and user-agent — no persistent cookie is set. However, this still constitutes processing of personal data under GDPR and requires either a legitimate-interest assessment or explicit consent under Art. 6(1)(a).

✓ Consent Implemented

A cookie consent banner is implemented. Vercel Analytics is loaded only after explicit user consent (Art. 6(1)(a) GDPR). No analytics script is requested until you choose “Accept”; choosing “Reject” keeps it disabled.

5. Data Retention

  • Server logs (Vercel): Retained for up to 30 days, then automatically deleted by Vercel.
  • Anonymized analytics: Aggregated, non-identifiable data may be retained for up to 12 months for trend analysis.
  • Ticker queries: Not stored. Processed in memory per request only.

6. Your Rights (Art. 15–22 GDPR)

As a data subject under GDPR, you have the following rights. To exercise them, contact us at the email address listed in §1 above.

  • Art. 15 — Right of access
  • Art. 16 — Right to rectification
  • Art. 17— Right to erasure (“right to be forgotten”)
  • Art. 18 — Right to restriction of processing
  • Art. 20 — Right to data portability
  • Art. 21 — Right to object (applies to Art. 6(1)(f) processing)
  • Art. 77 — Right to lodge a complaint with a supervisory authority. In Germany: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI).

7. Changes to This Policy

We may update this policy as the platform evolves — for example, when new sub-processors are added or when the cookie consent banner is implemented. The “Last updated” date at the top of this page reflects the most recent revision. Continued use of the platform after a material update constitutes acknowledgment of the revised policy.