In plain English: We collect your name and email to run your account and send our newsletter. We use your usage data to improve the platform. We never sell your data. You can delete your account and data at any time by emailing us. Payments are handled entirely by our payment provider — we never see your card details.
This Privacy Policy ("Notice") sets out the basis on which FinWealthytech ("we", "us", or "our") may collect, use, disclose or otherwise process personal data of our customers in accordance with applicable data protection laws, including the Singapore Personal Data Protection Act 2012 (as amended, "PDPA"), the EU General Data Protection Regulation ("GDPR"), and other applicable privacy legislation.
1. PERSONAL DATA WE COLLECT
Identity and Contact Data
- Name, email address, and contact details
- Username or login credentials (hashed passwords; we do not store plaintext passwords)
Billing and Financial Data
- Billing address (including residential address where required for payment verification)
- Payment card type and last four digits (we do not store full card numbers; all card data is processed directly by our payment provider under PCI DSS compliance standards)
- Transaction history and subscription tier
Usage and Technical Data
- IP address, browser type, device identifiers, and operating system
- Pages visited, features used, time spent, and clickstream data
- Screener preferences, watchlist items, and filter settings
Communications Data
- Email open rates and click-through data from newsletters sent via Brevo
- Support or feedback messages you send us
2. LEGAL BASES FOR PROCESSING (GDPR)
Where the GDPR applies (e.g. for users in the EEA, UK, or Switzerland), we process your personal data on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing necessary to provide our screener services and manage your subscription.
- Legitimate interests (Art. 6(1)(f)): improving our platform, preventing fraud, and sending service-related communications.
- Consent (Art. 6(1)(a)): where we ask for your consent, for example for marketing emails. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): where processing is required to comply with applicable law.
For Singapore users, processing is conducted in accordance with the purposes notified under the PDPA and applicable exceptions, including business improvement and legitimate interests under the 2021 PDPA amendments.
3. COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA
We collect personal data only when you provide it voluntarily, or where we are permitted or required to do so by law. We use your personal data for the following purposes:
- Providing, maintaining, and improving our stock screening services
- Processing payments and managing your subscription through our payment provider
- Responding to queries, requests, applications, complaints, and feedback
- Sending service notifications, account alerts, verdict change alerts, and trial expiry reminders
- Sending our weekly newsletter and market briefs (with your consent; you may unsubscribe at any time)
- Conducting analytics to improve screener algorithms, UI, and content relevance
- Detecting and preventing fraudulent transactions and unauthorised access
- Complying with legal, regulatory, or governmental obligations
4. THIRD-PARTY SERVICE PROVIDERS AND DATA SHARING
We may share your personal data with the following categories of third parties, solely to the extent necessary for the purposes described in this Notice:
- Payment processors: our third-party payment provider — for secure payment card processing under PCI DSS compliance standards.
- Email and marketing platforms: Brevo (formerly Sendinblue) — for transactional emails and newsletter delivery, under a Data Processing Agreement with us.
- Cloud hosting and database providers: Supabase, Inc. and Render, Inc. — for database hosting, authentication, and application hosting.
- Analytics providers: anonymised or aggregated usage data may be shared with analytics tools.
- Regulatory authorities: where required by law, court order, or governmental direction.
We require all third-party service providers to maintain appropriate technical and organisational security measures and to process personal data only on our documented instructions.
5. COOKIES AND TRACKING TECHNOLOGIES
Our website uses session cookies and similar technologies to maintain your login state and preferences. We do not currently use third-party advertising cookies. You may control cookie settings through your browser; however, disabling certain cookies may affect the functionality of our services.
Where applicable laws require consent for non-essential cookies, we will seek your consent before placing such cookies.
6. WITHDRAWING YOUR CONSENT
The consent you provide for collection, use and disclosure of your personal data remains valid until withdrawn in writing. To withdraw consent, contact our Data Protection Officer at the details below. We will process your request within seven (7) business days.
Please note that withdrawing consent may affect our ability to continue providing services to you. Withdrawal of consent does not affect processing that was lawful prior to withdrawal, or processing conducted under other legal bases.
7. YOUR DATA PROTECTION RIGHTS
Depending on your jurisdiction, you may have the following rights in relation to your personal data:
- Right of access: request a copy of personal data we hold about you.
- Right to correction: request correction of inaccurate or incomplete personal data.
- Right to erasure (GDPR Art. 17): request deletion of your personal data, subject to our legal retention obligations.
- Right to restrict processing (GDPR Art. 18): request that we limit how we use your data in certain circumstances.
- Right to data portability (GDPR Art. 20): receive your personal data in a structured, machine-readable format.
- Right to object (GDPR Art. 21): object to processing based on legitimate interests, including for direct marketing.
- Right to withdraw consent: withdraw it at any time without affecting the lawfulness of prior processing.
- Right not to be subject to automated decision-making (GDPR Art. 22): we do not make solely automated decisions with significant legal effects on individuals.
To exercise any of these rights, submit your request in writing to our Data Protection Officer. We will respond within thirty (30) days. You also have the right to lodge a complaint with your local supervisory authority (e.g. the PDPC in Singapore, or the relevant EU supervisory authority).
8. DATA BREACH NOTIFICATION
In the event of a data breach that is likely to result in significant harm to affected individuals, we will:
- Notify the Personal Data Protection Commission (PDPC) within three (3) calendar days of becoming aware of a notifiable breach (PDPA 2021).
- Notify affected individuals as soon as reasonably practicable where the breach is likely to result in significant harm.
- Where GDPR applies, notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach.
9. PROTECTION OF PERSONAL DATA
We have implemented appropriate security measures including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Hashed password storage with salting; we never store plaintext passwords
- Role-based access controls and the principle of least privilege
- Payment card data handled exclusively by our payment provider under PCI DSS compliance — we do not store full card numbers
- Regular review of information security measures
10. ACCURACY OF PERSONAL DATA
We rely on personal data provided by you. To ensure your data is current and accurate, please notify our Data Protection Officer of any changes. You may also update your account details via your account settings.
11. RETENTION OF PERSONAL DATA
We retain personal data for as long as necessary to fulfil the purposes for which it was collected, or as required by law:
- Account and subscription data: retained for the duration of your subscription and for seven (7) years thereafter for tax and accounting compliance.
- Payment transaction records: retained for seven (7) years as required under applicable financial regulations.
- Usage and analytics data: retained in anonymised or aggregated form after account closure.
- Marketing consent records: retained until you withdraw consent, plus a reasonable period thereafter.
12. TRANSFERS OF PERSONAL DATA OUTSIDE SINGAPORE
Our service providers (including Brevo, Supabase, and Render) may process personal data outside Singapore, including in the United States and the European Union. Where we transfer personal data outside Singapore, we ensure:
- The recipient country provides a comparable standard of data protection; or
- Appropriate safeguards are in place, such as contractual clauses approved by the PDPC or equivalent; or
- Your consent has been obtained for the transfer.
Your personal data is stored on database servers located in Tokyo, Japan (Supabase) and on application servers located in the United States (Render). Where GDPR applies, international transfers are conducted under Standard Contractual Clauses (SCCs) approved by the European Commission.
13. CHILDREN'S DATA
Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a minor without appropriate parental consent, we will take steps to delete it promptly. If you believe we may have collected data from a minor, please contact our Data Protection Officer.
14. MARKETING COMMUNICATIONS
We may send you our weekly newsletter and market briefs where you have opted in or where we have a legitimate interest to do so under applicable law. You may unsubscribe from marketing emails at any time by clicking the unsubscribe link in any email, or by contacting us directly. Unsubscribing from marketing does not affect service or transactional communications.
15. DATA PROTECTION OFFICER
For enquiries, requests, or feedback regarding this Notice or our data protection practices, please contact:
16. CHANGES TO THIS NOTICE
We may revise this Notice from time to time. Changes will be published on our website with an updated effective date. Material changes will be communicated to registered users by email at least fourteen (14) days before taking effect. Your continued use of our services after such notice constitutes acceptance of the revised Notice.