Privacy notice

GDPR Articles 13 & 14 · last updated 10 June 2026 · draft pending legal review

Who we are (controller)

InsiderLens, established in Malta. Contact: privacy@insiderlens.app. Supervisory authority: the Maltese Information and Data Protection Commissioner (IDPC), with whom you also have the right to lodge a complaint.

What we process and where it comes from

We aggregate insider-trading disclosures that company executives are legally required to publish: names of reporting insiders, their roles, and their transactions (instrument, volume, price, dates). Sources: SEC EDGAR (US), Finansinspektionen (SE), BaFin (DE), AFM — Autoriteit Financiële Markten (NL), AMF (FR). We do not collect data from the persons themselves (Art 14 applies).

Why we may process this data (lawful basis)

Legitimate interest (Art 6(1)(f)): contributing to market transparency by making legally public regulatory disclosures accessible and analysable. A documented balancing test supports this basis. Statistical signals (e.g. cluster detection, track records) are derived solely from those public filings. No solely automated decision producing legal or similarly significant effects is made about anyone (Art 22).

How long we keep it (retention)

Who receives it (recipients / sub-processors)

Hosting and processing stay in the EEA: Neon (PostgreSQL, EU region), Railway (compute, EU region), Inngest (job orchestration). Our AI search operates on schema metadata only — personal data is never sent to AI model providers. For registered accounts (below): Stripe (payments, EU entity) and Resend (transactional email; EU sending region, account metadata stored in the United States under a data processing agreement with Standard Contractual Clauses).

Your account & billing (registered users)

If you create an account, we process — on the basis of our contract with you (Art 6(1)(b)): your name, email address, password hash, email-verification status, session tokens, your subscription state (plan, status, billing interval — synced from Stripe), and monthly usage counters for metered features (AI searches, track-record views). Sessions do not store your IP address or browser fingerprint. Payment card data never reaches our servers — it is handled entirely by Stripe.

Retention: usage counters are erased 12 months after their month; expired sessions and verification tokens are purged daily; account data lives until you delete your account. Deleting your account (from your account page, confirmed by email — Art 17) immediately cancels any subscription and erases your account, sessions and usage history. Invoices are retained by Stripe for the legally required accounting period (Art 17(3)(b)).

A subject access request (Art 15) returns your account data, your subscription state, your usage counters and the audit log of your AI search queries.

Your rights

Access (Art 15), rectification (16), erasure (17), restriction (18) and, central here, the right to object (Art 21) to the processing of your data. Use the objection form or write to privacy@insiderlens.app. We answer within one month (Art 12(3)). If an objection is upheld, your profile is removed, the page returns HTTP 410 and search engines are asked to de-index it.