Legal

Privacy Policy

Oscar Rojas et al ("we", "us", or "our") are committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use the Yieldbard platform. It applies to all users, including those on the waitlist and registered members.

Controller

Oscar Rojas et al

Quartiersweg 7, 10829 Berlin, Germany

contact@insightfol.io

If you have questions about this policy or wish to exercise your rights, please contact us at the email above.

Data we collect

Waitlist registrations: full name, email address, language preference, and technical submission metadata (page path, query string, referring URL, browser user agent, submission timestamp).

Account registrations: email address, hashed password, and the timestamp at which you accepted our Terms of Service and Privacy Policy.

IBKR account data (member area only): when you connect your Interactive Brokers account via SnapTrade, we access and display your account identifiers, balances, and position data in read-only mode. We do not copy or persistently store raw position data beyond what is needed to render your dashboard.

Usage data: server logs may capture IP address, browser type, pages visited, and timestamps for security and diagnostics purposes.

Legal basis (GDPR Art. 6)

Art. 6(1)(a) — Consent: waitlist sign-up and cookie consent banner.

Art. 6(1)(b) — Contract performance: account registration, IBKR connectivity, and delivery of the calculator service.

Art. 6(1)(f) — Legitimate interests: security logging, fraud prevention, and service improvement, where these interests are not overridden by your rights.

Where we rely on consent as the legal basis, you have the right to withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.

Third-party processors

Amazon Web Services (AWS) — Hosting, static asset delivery (S3 + CloudFront), and transactional email (SES). All our AWS resources are provisioned in the eu-central-1 (Frankfurt) region; your data does not leave the European Economic Area for these services. AWS acts as a data processor under a Data Processing Addendum.

SnapTrade Inc. — Read-only connectivity to your IBKR account (member area only). SnapTrade acts as a data processor on our behalf. SnapTrade is a Canadian company with infrastructure in North America; data may be processed outside the EEA. We rely on Standard Contractual Clauses (SCCs) and SnapTrade's security certifications as the appropriate safeguard.

Stripe Payments Europe Ltd. — Subscription billing and one-off charges. Stripe processes card data on its own servers; we never see your card number. Stripe is the controller for the payment data it collects; for the customer record we share with Stripe (email, plan, billing country) we act as joint controller. Stripe transfers data outside the EEA under SCCs.

Plausible Analytics (Plausible Insights OÜ) — Privacy-by-design web analytics. Plausible is hosted in the European Union, sets no cookies, stores no personal data, and does not track visitors across sites or sessions. No IP address, fingerprint, or persistent identifier is retained.

Databento Inc. — Market data feed for the box-spread quote engine. Databento receives no personal data — only anonymous server-to-server requests for option chains and snapshots.

Google LLC (Google Identity Services) — Optional 'Continue with Google' sign-in. The Google Sign-In script is loaded only on the login/signup pages, and only after you click the Google button do any tokens reach Google. Data transfers to the United States are covered by Google's SCCs and the EU-US Data Privacy Framework.

We do not sell your personal data to third parties. We do not use your data for targeted advertising. We do not load Google Fonts, Google Analytics, or any third-party CDN that would expose your IP address to an external provider during normal browsing.

International data transfers

As noted above, data processed via the SnapTrade API may be transferred to servers outside the EEA, primarily in Canada and the United States.

Canada has been granted an adequacy decision by the European Commission for certain data transfers. For US-bound transfers, we rely on Standard Contractual Clauses (SCCs) as the appropriate safeguard.

You may request details about the specific safeguards in place by contacting contact@insightfol.io.

Data retention

Waitlist entries: retained until the early-access programme is concluded or until you request deletion, with a maximum retention period of 3 years from the date of submission.

Account data: retained for the duration of your account and for up to 12 months after account closure for legal and compliance purposes.

Server logs: retained for a maximum of 90 days for security and diagnostic purposes.

SnapTrade connection tokens: revoked immediately upon disconnection and no longer processed by us.

Your rights under GDPR

Right of access (Art. 15): you may request a copy of the personal data we hold about you.

Right to rectification (Art. 16): you may request correction of inaccurate data.

Right to erasure (Art. 17): you may request deletion of your personal data, subject to legal retention obligations.

Right to restriction (Art. 18): you may request that we restrict processing in certain circumstances.

Right to data portability (Art. 20): where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, machine-readable format.

Right to object (Art. 21): you may object to processing based on legitimate interests.

To exercise any of these rights, contact us at contact@insightfol.io. We will respond within 30 days.

Supervisory authority

You have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for Yieldbard is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (BlnBDI), Alt-Moabit 59–61, 10555 Berlin.

You may also contact the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI) or the supervisory authority in your country of residence.

Cookies

We use a small number of strictly necessary cookies: a session cookie set on login, a CSRF cookie required for any form submission, and small functional cookies that remember your language and currency choice. None of these cookies track you across other sites, and none are set for advertising or analytics purposes — our analytics provider, Plausible, is cookieless by design.

Because we set no non-essential cookies, no cookie consent banner is required under ePrivacy.

Changes to this policy

We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by posting a notice on the platform or by email.

Last updated: May 2026