What we collect, why, and your rights.
Effective May 31, 2026. Version 1.0. This policy describes how Aurum handles your personal data. The short version: we collect only what we need to deliver the service, we do not sell or rent data, we do not run advertising trackers, and you can delete your account at any time.
1. Who is the controller
The data controller is [TODO: registered entity name], a company registered in [TODO: jurisdiction], registered address [TODO: address]. References in this policy to "Aurum," "we," "us," and "our" mean that company.
Privacy contact: privacy@aurum-markets.com.
EU representative. Where Aurum processes personal data of subjects in the European Union under Article 27 GDPR, our representative is [TODO: EU rep firm and address]. UK representative. Under Article 27 UK GDPR, our representative is [TODO: UK rep firm and address].
2. Scope
This policy covers the public marketing site, the subscriber dashboard, the API, and any direct communications with us (email, support). It does not cover third-party sites linked from Aurum; those have their own policies. It does not cover what your broker or trading platform does with your trading activity.
3. Personal data we collect
We collect the following categories:
Account data
Email address, account ID, the tier you are subscribed to, the date you signed up, the API key we issued you (stored as a SHA-256 hash, not in plaintext). Legal basis: contract performance (Article 6(1)(b) GDPR).
Billing data
Handled by Stripe. We never see or store your card number, CVC, or expiry. We store the Stripe customer ID, subscription ID, invoice history, and current billing status. Legal basis: contract performance plus legal obligation to retain accounting records.
Usage data
Which signals you viewed, which API endpoints you called, when you signed in, and standard server access logs: IP address, user agent, request path, response status, timestamp. IP addresses are stored for 30 days for security and abuse-prevention purposes, then truncated to the /24 (IPv4) or /48 (IPv6) network prefix. Legal basis: legitimate interest (Article 6(1)(f) GDPR) in operating a secure service.
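The 30-day truncation rule above is easy to get subtly wrong in a dual-stack log pipeline, so here is an added illustration of it (example code written for this page, not Aurum's own log tooling). It assumes access-log records are already parsed into dicts with an ISO-8601 `ts` and a raw `ip` field; the sample records, the `/api/v1/signals` and `/login` paths, and the reference date are constructed for the example. It also handles one edge case the paragraph does not mention: IPv4-mapped IPv6 addresses (`::ffff:203.0.113.7`), which a naive "/48 for anything with a colon" rule would mis-truncate.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Policy parameters (section 3, "Usage data").
IPV4_PREFIX = 24
IPV6_PREFIX = 48
RAW_IP_RETENTION = timedelta(days=30)


def truncate_ip(addr: str) -> str:
    """Reduce a client address to the network prefix retained after 30 days."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack servers often log IPv4 clients as ::ffff:a.b.c.d. Unwrap so the
    # address gets the IPv4 /24 rule instead of the IPv6 /48 rule (which would
    # collapse every mapped address to ::/48 and destroy the abuse signal).
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    prefix = IPV4_PREFIX if ip.version == 4 else IPV6_PREFIX
    # strict=False zeroes the host bits instead of raising on them.
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))


def age_log_record(record: dict, now: datetime) -> dict:
    """Return a copy of one log record with the IP truncated if it is >= 30 days old."""
    aged = dict(record)  # never mutate the input; the caller may still be writing it
    ts = datetime.fromisoformat(record["ts"])
    if now - ts >= RAW_IP_RETENTION:
        aged["ip"] = truncate_ip(record["ip"])
    return aged


# Constructed sample records (not real traffic); documentation-range addresses.
SAMPLE_LOG = [
    {"ts": "2026-06-01T12:00:00+00:00", "ip": "203.0.113.7",           "path": "/api/v1/signals"},
    {"ts": "2026-07-14T08:30:00+00:00", "ip": "2001:db8:abcd:1234::1", "path": "/login"},
    {"ts": "2026-06-10T09:00:00+00:00", "ip": "::ffff:203.0.113.7",    "path": "/"},
]
NOW = datetime(2026, 7, 20, tzinfo=timezone.utc)  # assumed "current" time for the run


def age_log(records: list, now: datetime = NOW) -> list:
    """Apply the retention rule to a batch of records."""
    return [age_log_record(r, now) for r in records]


if __name__ == "__main__":
    for r in age_log(SAMPLE_LOG):
        print(r["ts"], r["ip"], r["path"])
```

Run against the sample, the June records come back as `203.0.113.0/24` (both the plain and the mapped IPv4 address), while the six-day-old IPv6 record keeps its full address. The same function can run as the nightly job that rewrites the raw log store, or as a filter in front of whatever long-term analytics sink receives the aggregated logs.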
Communications
Email correspondence you send us and our replies, retained for the duration of the support or dispute matter plus 2 years. Legal basis: legitimate interest in responding to inquiries and resolving disputes.
Cookies and local storage
See the full inventory at the cookie policy. We only set strictly necessary cookies by default. Analytics and marketing cookies require your explicit consent and are off by default. Legal basis: consent (Article 6(1)(a) GDPR; ePrivacy Directive Article 5(3)) for non-essential cookies.
What we do not collect
We do not collect your real name unless you voluntarily provide it (e.g. for a tax invoice). We do not collect government IDs, biometrics, brokerage credentials, or trading account balances. We do not collect data about you from advertising networks, data brokers, or social media.
4. Why we process it
For each purpose, the relevant legal basis under GDPR is shown.
- Provide the service. Account creation, sign-in, signal delivery, dashboard display. Basis: contract (Article 6(1)(b)).
- Process payments. Charge subscriptions, issue invoices, handle refunds. Basis: contract, plus legal obligation (Article 6(1)(c)) for invoice retention.
- Operate securely. Detect abuse, prevent fraud, debug outages, comply with security standards. Basis: legitimate interest (Article 6(1)(f)).
- Communicate with you. Send service emails (signal delivery, billing notices), respond to support. Basis: contract for service emails; legitimate interest for support.
- Improve the product (analytics). Aggregate page-view counts, feature usage. Basis: consent.
- Comply with law. Respond to lawful requests from regulators, courts, and tax authorities. Basis: legal obligation.
We do not engage in automated decision-making that produces legal or similarly significant effects on you (Article 22 GDPR). Signal generation is the same for every subscriber on a given tier; it is not a profile of you.
5. Sub-processors and recipients
We share personal data with a small number of third-party processors to deliver the service. Each is bound by a written data-processing agreement that restricts use to our instructions.
- Stripe Payments Europe Ltd (Ireland) / Stripe Inc (USA). Payment processing. Receives card and billing data directly from you. We never see card details.
- Anthropic, PBC (USA). LLM inference for the daily brief and Pro-tier research Q&A. Receives the prompt content we send (market data, your question on Pro tier). Does not receive your billing data, signal history, or other accounts. Anthropic does not use API customer data to train models by default.
- Databento Inc (USA). Market data feed. Data flows from Databento to us; we send no personal data to them.
- Email delivery: [TODO: e.g. Postmark, AWS SES, Resend]. Transactional emails (sign-up confirmation, signal delivery, billing receipts). Receives your email address and the message contents.
- Hosting: [TODO: e.g. Fly.io, Vercel, Hetzner]. Runs our servers and stores account data at rest. Region: [TODO: e.g. eu-west-2].
We publish material changes to this list (additions, replacements) at least 30 days before they take effect. The current list is the one maintained in this section.
We do not sell or rent personal data, share data with advertising networks, or participate in cross-context behavioral advertising (the "sale" or "sharing" definitions under CCPA/CPRA).
6. International transfers
Aurum is operated from Qatar. Some sub-processors store data in the United States or the European Union. Where personal data of EU, UK, or Swiss data subjects is transferred outside the European Economic Area, the United Kingdom, or Switzerland respectively, we rely on:
- The European Commission's Standard Contractual Clauses (2021/914) for transfers to third countries without an adequacy decision.
- The UK International Data Transfer Addendum where UK data is in scope.
- The EU-US Data Privacy Framework where the recipient is self-certified (currently Stripe; Anthropic to be confirmed).
For Qatar Personal Data Privacy Protection Law (PDPPL) purposes, transfers of Qatar resident data outside Qatar are made on the basis of explicit consent during sign-up or on a documented legal basis. You may request a copy of the relevant transfer mechanism at any time.
7. How long we keep it
- Account data: for as long as your account is active, plus 90 days after deletion (to handle billing disputes and accidental-deletion rollback).
- Billing records: retained for the period required by the applicable accounting and tax law, typically 7 years.
- Server logs: 30 days for raw logs, after which IP addresses are truncated. Aggregated logs may be kept for analytics in anonymized form.
- Email correspondence: for the duration of the matter plus 2 years.
- Signal ledger: permanent. The hash-chained ledger is an integrity record; it stores per-signal metadata but is keyed by a pseudonymous user ID and does not include personal data beyond that identifier.
- Backups: retained for 35 days then overwritten. Deletion requests propagate to backups within this window.
8. Your rights
Depending on your residence, you may exercise some or all of the following rights:
GDPR (EU) and UK GDPR
- Access (Article 15) - get a copy of the personal data we hold.
- Rectification (Article 16) - correct inaccurate data.
- Erasure (Article 17) - request deletion, subject to legal-retention obligations.
- Restriction (Article 18) - limit processing during a dispute.
- Portability (Article 20) - receive data in a structured machine-readable format.
- Object (Article 21) - object to processing based on legitimate interest.
- Withdraw consent at any time, without affecting prior lawful processing.
- Lodge a complaint with your local supervisory authority. Where Aurum has an EU representative, you may also contact them.
CCPA / CPRA (California)
- Right to know what personal information is collected, used, shared, or sold.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing of personal information. Aurum does not sell or share personal information as defined under CCPA/CPRA.
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of these rights.
Qatar PDPPL
- Right to access and obtain a copy of personal data.
- Right to correction.
- Right to delete or stop processing when the lawful basis no longer applies.
- Right to be notified of breaches affecting your data.
To exercise any right, email privacy@aurum-markets.com. We respond within 30 calendar days (extendable by 60 days for complex requests, with notice). We may ask you to verify your identity before fulfilling sensitive requests; the verification step does not generate additional retained data.
9. Security
All traffic to and from the site and API is encrypted with TLS 1.2+. API keys are stored as SHA-256 hashes at rest; the plaintext key is shown only once, at issuance. Account access events are logged for audit. Stripe handles cardholder data inside their PCI-DSS Level 1 environment; our own systems never receive, process, or store cardholder data, which limits our PCI-DSS obligations to the reduced set that applies to merchants who fully outsource card handling.
Breach notification. If we become aware of a personal-data breach affecting your data, we will notify the relevant supervisory authority within 72 hours of becoming aware of it (Article 33 GDPR; equivalent under Qatar PDPPL), unless the breach is unlikely to result in a risk to your rights and freedoms, and we will notify you without undue delay where the breach is likely to result in a high risk to you (Article 34 GDPR). Notifications go to the email address on your account, from privacy@aurum-markets.com.
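Sections 3 and 9 both describe the API-key handling (plaintext shown once at issuance, only a SHA-256 hash kept at rest). The following added example shows what that pattern looks like end to end; it is illustrative code written for this page, not Aurum's implementation. It assumes the key is a 256-bit random token (so a plain, unsalted SHA-256 is an adequate one-way store: there is nothing to rainbow-table), an `aur_` prefix that is an assumed convention for recognising keys in logs and secret scanners, and a dict standing in for the key table.

```python
import hashlib
import secrets

KEY_PREFIX = "aur_"  # assumed prefix; makes keys easy to recognise in leak scanning


def hash_key(plaintext_key: str) -> str:
    """One-way digest used as the storage key. The key is 256 bits of entropy,
    so no salt or slow KDF is needed; SHA-256 alone is not brute-forceable here."""
    return hashlib.sha256(plaintext_key.encode("ascii")).hexdigest()


def issue_key(store: dict, account_id: str) -> str:
    """Mint a key, persist only its hash, and return the plaintext exactly once."""
    plaintext = KEY_PREFIX + secrets.token_urlsafe(32)  # 32 random bytes
    store[hash_key(plaintext)] = {"account_id": account_id, "revoked": False}
    return plaintext  # caller shows this to the user; it is never stored


def authenticate(store: dict, presented: str):
    """Return the account ID for a valid, unrevoked key, else None.
    Lookup is by digest, so the comparison never touches a plaintext key."""
    record = store.get(hash_key(presented))
    if record is None or record["revoked"]:
        return None
    return record["account_id"]


def revoke_key(store: dict, digest: str) -> bool:
    """Revoke by digest (the dashboard only ever needs the hash, not the key)."""
    record = store.get(digest)
    if record is None:
        return False
    record["revoked"] = True
    return True


def store_holds_plaintext(store: dict, plaintext: str) -> bool:
    """Sanity check for the retention claim: the plaintext must appear nowhere at rest."""
    return plaintext in store or any(plaintext in str(v) for v in store.values())


if __name__ == "__main__":
    table = {}
    key = issue_key(table, "acct_demo")          # constructed account ID
    print("issued:", key)                        # shown once, then discarded
    print("auth ok:", authenticate(table, key))  # acct_demo
    revoke_key(table, hash_key(key))
    print("after revoke:", authenticate(table, key))  # None
```

The property worth checking in review is the last function: a dump of the key table must not contain the issued key, only its digest. Because the digest is preimage-resistant, a leak of the table lets an attacker identify which accounts have keys but not use them.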
10. Children
Aurum is not for anyone under 18. We do not knowingly collect data from people under 18. If you believe an under-18 has signed up, contact us and we will delete the account.
11. Do Not Track and Global Privacy Control
Our analytics tier (when enabled) respects the Global Privacy Control signal and the legacy Do Not Track header. If your browser sends either, we treat your visit as if you had opted out of analytics cookies. The cookie consent banner still appears so you can override for that session.
12. Changes to this policy
Material changes will be notified by email at least 30 days before they take effect. The effective date and version above will increment. Older versions are kept at /privacy/v{n} for reference. Continued use of Aurum after the effective date is acceptance.
13. Contact
Questions about this policy or your data: privacy@aurum-markets.com. For accessibility issues with this page, see the accessibility statement.