1. Overview
This privacy policy explains what happens to your personal data when you use Schwerelos (www.schwerelos.io). We take protecting your data seriously and process it only in accordance with applicable data protection law (GDPR) and this privacy policy.
2. Data Controller
The data controller responsible for data processing on this website is:
3. What Data We Collect
Directly from you
- Account data: email address, display name, authentication credentials — collected during sign-up via Clerk.
- Billing data: if you subscribe to a paid plan, name, billing address, VAT ID (optional), and payment card details — collected and stored by Stripe. We never see or store full card numbers.
- Watchlist & preferences: the analysts and assets you choose to track, your alert rules, your digest frequency, and your notification email address.
- Contact form submissions: name, email, subject, message.
Automatically
- Technical data: IP address, browser, operating system, timestamps — logged briefly by our hosting provider (Vercel) for security and reliability.
- Session cookies: set by Clerk to keep you signed in.
- Usage events: page views and user actions (e.g. which analyst you added) — stored in our database to power your personal dashboard. Not sold, not shared with advertisers.
Public data we process on your behalf
Schwerelos monitors public posts from a curated set of finance analysts on X (formerly Twitter). We fetch their public posts via X's official API and score them against market data. These posts are public — we do not process personal data of third parties beyond what is publicly available.
4. Service Providers (Data Processors)
We use the following service providers to operate Schwerelos. Each processes data on our behalf under a Data Processing Agreement (DPA), as required by Art. 28 GDPR.
| Provider | Purpose | Region |
|---|---|---|
| Vercel Inc. 440 N Barranca Ave #4133, Covina, CA 91723, USA | Web hosting, edge functions, CDN | USA (SCCs) |
| Supabase Inc. 970 Toa Payoh North #07-04, Singapore 318992 | Primary database (PostgreSQL) — user accounts, watchlists, alerts | EU (Frankfurt) |
| Clerk, Inc. 660 King St, San Francisco, CA 94107, USA | Authentication, session management, user identity | USA (SCCs) |
| Stripe Payments Europe Ltd. 1 Grand Canal Street Lower, Dublin 2, Ireland | Subscription billing, payment processing, invoicing, VAT | EU/USA (SCCs) |
| Resend Inc. 2261 Market St #4897, San Francisco, CA 94114, USA | Transactional email delivery (alerts, billing, account) | USA (SCCs) |
| Anthropic PBC 548 Market St PMB 90375, San Francisco, CA 94104, USA | AI classification of public X posts (does not process personal user data — only public analyst posts) | USA (SCCs) |
| X Corp. 1355 Market St, San Francisco, CA 94103, USA | Source of public posts via X API — we read, we don't send you there | USA |
| CoinGecko Gecko Labs Pte Ltd, 138 Robinson Rd #25-02, Singapore 068906 | Public crypto market price data | Singapore (public-data-only use) |
Transfers to US providers rely on EU Standard Contractual Clauses (SCCs) plus additional technical measures. We've minimised the personal data sent to each processor to exactly what they need to perform their function.
5. Legal Basis for Processing
- Art. 6(1)(b) GDPR (contract): providing you with the Schwerelos service you signed up for — authentication, data storage, alerts, billing.
- Art. 6(1)(f) GDPR (legitimate interest): secure hosting, fraud prevention, abuse rate-limiting, basic product analytics on aggregated data.
- Art. 6(1)(a) GDPR (consent): any optional analytics or marketing cookies — we only set these after you opt in.
- Art. 6(1)(c) GDPR (legal obligation): invoices and tax records kept for the legally mandated retention period (10 years in DE).
6. How Long We Keep Your Data
- Account data: as long as your account exists. Deleted within 30 days of account deletion.
- Watchlist + alerts: deleted immediately when you delete your account — cascading DB delete.
- Billing records (Stripe): retained for 10 years as required by German tax law (§ 147 AO).
- Contact form messages: retained for up to 12 months after the inquiry is resolved.
- Server logs: 30 days max, then purged by Vercel.
7. Your Rights
Under GDPR you have the right to:
- Access your data (Art. 15)
- Correct inaccurate data (Art. 16)
- Have your data deleted (Art. 17) — available instantly in Settings -> Danger Zone
- Restrict processing (Art. 18)
- Receive your data in portable form (Art. 20) — email us for an export
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, without affecting prior processing
- Lodge a complaint with your data protection authority. For Germany, this is the state DPA of your residence; for North Rhine-Westphalia (where we are based) this is LDI NRW.
8. Cookies
We use the minimum cookies needed to run the service.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| __session, __client | Clerk auth session | Session / 7 days | Strictly necessary |
| theme | Remembers dark / light mode | 1 year | Preference |
| cookie_consent | Stores your cookie consent choice | 1 year | Strictly necessary |
| __stripe_mid, __stripe_sid | Fraud prevention on Stripe checkout | 1 year / 30 min | Strictly necessary (on billing only) |
We do not use any third-party advertising cookies, tracking pixels, or cross-site trackers.
9. Emails We Send You
We only send transactional emails that relate to the service — not marketing. These are:
- Welcome email on sign-up
- Alert digests (if you enable them) — frequency is your choice (daily / weekly / off)
- Trial-ending notice 3 days before your card is charged
- Payment-failed notice if a charge is declined
- Plan-change notifications (upgrade / downgrade / cancel)
- Replies to contact-form submissions
Every digest email contains a one-click unsubscribe link. You can also set digest frequency to 'off' in Settings at any time. Critical account emails (billing, security) cannot be unsubscribed from — they're necessary for the contract.
10. Contact & Data Requests
For any privacy question — including access, correction, deletion, or portability requests — email lucka@ux-beratung.de. We respond within 30 days (most inside 48 hours).