Privacy Policy

Last updated: June 1, 2026

This policy may evolve as the Service develops.

1. Overview

This Privacy Policy describes how SecSonar ("we", "us") collects, uses, and shares information when you use our website and related services.

2. Information we collect

Account information

When you register, we process email and authentication data through Supabase (our auth provider). Passwords are handled by the auth provider, not stored in plain text by us.

Usage and preferences

We may store saved companies, search history, encrypted API keys you provide (bring-your-own-key), and in-browser preferences (e.g., theme, app preferences in local storage).

Technical data

We collect standard server and application logs to operate and secure the Service. These include request paths, status codes, timing, the browser user-agent string, the referring page, error details, and a truncated (anonymized) IP address — we zero the final part of the address so it does not identify an individual. We process this under our legitimate interest in security, abuse prevention, and reliability, and retain it only for a limited period. We also process your full IP address transiently to apply rate limits and prevent abuse — it is held only briefly for that purpose (in memory or a short-lived cache) and is not written to our logs.

We also use Vercel Web Analytics, which is anonymous and cookieless: it does not use cookies, local storage, or fingerprinting, does not store raw IP addresses, and does not identify individual visitors. It also records aggregate, anonymous counts of in-app actions (e.g., which features are used). It runs for all visitors.

AI interactions

AI-powered analysis features and Deep Dive analysis may send prompts and context to AI providers (e.g., OpenAI) to generate responses. Do not submit sensitive personal information you do not want processed by those providers.

3. How we use information

  • Provide and secure the Service
  • Authenticate users and enforce access controls
  • Improve reliability and fix errors
  • Understand aggregate usage (anonymous, cookieless analytics)
  • Comply with legal obligations

4. Legal bases (EEA/UK users)

Where GDPR applies, we rely on: contract (providing the Service), legitimate interests (security, improvement), and consent (non-essential cookies/analytics where required).

5. Sharing and subprocessors

We use service providers that process data on our behalf, including:

  • Supabase — authentication
  • Vercel — frontend hosting; anonymous, cookieless analytics
  • Railway (or equivalent) — API hosting
  • OpenAI — AI features
  • Financial data vendors (e.g., FMP, Polygon) — market and fundamental data

We do not sell your personal information for money.

6. Retention

We retain account-related data while your account is active and for a reasonable period afterward unless deletion is requested. Logs and backups may persist for limited periods for security and operations.

7. Security

We use industry-standard measures including HTTPS, JWT authentication, and encryption for stored API keys. No method of transmission or storage is 100% secure.

8. Your rights

Depending on your location, you may have rights to access, correct, delete, or export personal data, and to object to or restrict certain processing. Contact us to exercise these rights.

California residents may have additional rights under the CPRA/CCPA.

9. Children

The Service is not directed to children under 16. We do not knowingly collect their data.

10. International transfers

Data may be processed in the United States and other countries where our providers operate. Appropriate safeguards may apply where required by law.

11. Changes

We will update this policy by revising the "Last updated" date.

12. Contact

Contact details may be updated in future revisions.