Privacy Policy

    (Datenschutzerklärung)

    Last updated: 24 February 2026

    1. Data Controller

    The data controller responsible for the processing of your personal data on this platform is:

    Arsalan Amiri
    Burgstraße 67
    60389 Frankfurt am Main
    Germany

    Email: info@krentium.com
    Phone: +49 176 85971034

    (“Krentium”, “we”, “our”, or “us”)

    Krentium does not currently employ a Data Protection Officer (DPO), as the conditions under Article 37 GDPR requiring the appointment of a DPO are not met. For all data protection inquiries, please contact us at the email address above.

    2. Introduction

    Krentium respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform at krentium.com (the “Platform”), in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation / GDPR), the German Federal Data Protection Act (BDSG), and the Telecommunications Digital Services Data Protection Act (TDDDG).

    3. Personal Data We Collect

    We collect and process the following categories of personal data:

    Account Information:

    • Email address (required for registration)
    • Password (stored in hashed/encrypted form only — we cannot read your password)
    • Authentication tokens and session identifiers

    Usage Data:

    • Watchlist selections, portfolio holdings, alert preferences, and application settings
    • Signal interaction history (which stocks you view)

    Technical Data:

    • IP address (collected in server logs, automatically deleted after 30 days)
    • Browser type and version, device type, operating system
    • Access timestamps

    Payment Data (when subscribing):

    • Payment processing is handled entirely by Stripe, Inc. We do not store credit card numbers, bank account details, or other payment instrument data on our servers. Stripe provides us with a subscription status, customer ID, and billing email only.

    4. Legal Basis for Processing (Article 6 GDPR)

    We process your personal data on the following legal bases:

    Contract Performance (Article 6(1)(b) GDPR):

    Processing your account data, watchlists, portfolios, and alerts is necessary to provide the services you have requested by creating an account.

    Legitimate Interests (Article 6(1)(f) GDPR):

    We process technical data (IP addresses, browser information, access logs) for the purposes of ensuring platform security, preventing abuse, and improving our services. Our legitimate interest is the secure operation and improvement of the Platform. We have assessed that this processing does not override your fundamental rights and freedoms.

    Consent (Article 6(1)(a) GDPR):

    For optional features such as email notifications, marketing communications, and non-essential cookies, we rely on your explicit consent. You may withdraw consent at any time with future effect by adjusting your account settings or contacting us.

    5. How We Use Your Data

    We use your personal data for the following purposes:

    • To provide, operate, and maintain the Platform and its features
    • To manage your account and authenticate your identity
    • To process and manage your subscription through Stripe
    • To send you service-related notifications (e.g., alert triggers, account changes)
    • To detect, prevent, and address security threats, fraud, and technical issues
    • To comply with legal obligations

    We do not use your personal data for profiling, automated individual decision-making, or targeted advertising. The Platform uses automated algorithms to generate market analysis signals, but these are general outputs displayed to all users viewing the same stock — they are not personalized recommendations based on your individual data.

    6. Cookies and Tracking Technologies (§ 25 TDDDG)

    The Platform uses the following categories of cookies:

    Strictly Necessary Cookies:

    These cookies are essential for the Platform to function. They include authentication session cookies set by Supabase Auth to keep you logged in. These do not require your consent under § 25(2) TDDDG as they are technically necessary.

    Optional/Analytics Cookies:

    The Platform does not currently use third-party analytics, advertising, or tracking cookies. If this changes in the future, we will update this policy and obtain your consent before setting any non-essential cookies.

    7. Data Processors and Third-Party Services

    We use the following third-party service providers who process personal data on our behalf. We have entered into or are in the process of entering into Data Processing Agreements (DPAs) with these processors in accordance with Article 28 GDPR:

    Supabase, Inc. (San Francisco, USA)

    • Purpose: Database hosting, user authentication, backend functions
    • Data processed: Email address, hashed password, authentication tokens, watchlists, portfolios, signals data, application settings
    • Server location: EU (Frankfurt, Germany) — your data is stored in the EU region
    • Safeguard: Standard Contractual Clauses (SCCs); Supabase offers a DPA with EU SCCs

    Vercel, Inc. (San Francisco, USA)

    • Purpose: Frontend hosting and content delivery
    • Data processed: IP addresses, browser data (in transit/CDN logs only)
    • Safeguard: Standard Contractual Clauses (SCCs); EU-U.S. Data Privacy Framework

    Stripe, Inc. (San Francisco, USA)

    • Purpose: Payment processing and subscription management
    • Data processed: Email address, payment information (handled entirely by Stripe), subscription status
    • Safeguard: EU-U.S. Data Privacy Framework; Standard Contractual Clauses (SCCs)
    • Note: Stripe is an independent data controller for payment data it processes. See Stripe’s privacy policy at stripe.com/privacy

    Resend, Inc. (San Francisco, USA)

    • Purpose: Transactional email delivery (account notifications, alert emails, contact form responses, cancellation confirmations)
    • Data processed: Email address, email content
    • Safeguard: Standard Contractual Clauses (SCCs)
    • Note: See Resend’s privacy policy at resend.com/legal/privacy-policy

    Twelve Data, Inc.

    • Purpose: Market data provider (stock prices, OHLCV data)
    • Data processed: No personal data is shared with Twelve Data. API requests contain only stock ticker symbols.

    8. International Data Transfers

    Your personal data is primarily stored in the European Union (Supabase EU region, Frankfurt). However, some of our processors are based in the United States. Where personal data is transferred outside the EU/EEA, we ensure an adequate level of protection through:

    • The EU-U.S. Data Privacy Framework (where the processor is certified)
    • Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2)(c) GDPR
    • Technical measures such as encryption in transit and at rest

    You may request a copy of the relevant safeguards by contacting us.

    9. Data Retention

    We retain your personal data only for as long as necessary to fulfill the purposes described in this policy:

    • Account data: Retained for the duration of your account. Upon account deletion, we will erase or anonymize your personal data within 30 days.
    • Server logs (IP addresses): Automatically deleted after 30 days.
    • Payment records: Retained as required by German tax law (§ 147 AO, § 257 HGB) for up to 10 years after the end of the calendar year in which the transaction occurred.
    • Communication records: Retained for up to 3 years for the purposes of responding to inquiries and establishing, exercising, or defending legal claims.

    After the applicable retention period expires, data is securely deleted or irreversibly anonymized.

    10. Your Rights Under GDPR

    Under the GDPR and the BDSG, you have the following rights regarding your personal data:

    • Right of Access (Article 15 GDPR): You may request confirmation of whether we process your personal data and, if so, request a copy of that data.
    • Right to Rectification (Article 16 GDPR): You may request correction of inaccurate or incomplete personal data.
    • Right to Erasure (Article 17 GDPR): You may request deletion of your personal data where there is no compelling reason for its continued processing.
    • Right to Restriction of Processing (Article 18 GDPR): You may request that we restrict processing of your data in certain circumstances, such as while we verify the accuracy of your data.
    • Right to Data Portability (Article 20 GDPR): You may request to receive your personal data in a structured, commonly used, machine-readable format.
    • Right to Object (Article 21 GDPR): You may object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
    • Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent, you may withdraw that consent at any time with future effect. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

    To exercise any of these rights, please contact us at info@krentium.com. We will respond to your request within one month, as required by Article 12(3) GDPR. This period may be extended by two further months where necessary, taking into account the complexity and number of requests.

    11. Right to Lodge a Complaint with a Supervisory Authority

    You have the right to lodge a complaint with a data protection supervisory authority if you believe that the processing of your personal data infringes the GDPR (Article 77 GDPR).

    The competent supervisory authority for Krentium is:

    Der Hessische Beauftragte für Datenschutz und Informationsfreiheit (HBDI)

    Gustav-Stresemann-Ring 1
    65189 Wiesbaden, Germany
    Phone: +49 611 1408-0
    Email: Poststelle@datenschutz.hessen.de
    Website: datenschutz.hessen.de

    You may also contact the supervisory authority in the EU Member State of your habitual residence or place of work.

    12. Data Security

    We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, in accordance with Article 32 GDPR. These measures include:

    • Encryption in transit (TLS/HTTPS for all connections)
    • Encryption at rest (database-level encryption)
    • Secure authentication with hashed passwords (bcrypt)
    • Row-Level Security (RLS) policies on all database tables ensuring users can only access their own data
    • Rate limiting and abuse detection on API endpoints
    • CORS restrictions limiting API access to authorized origins
    • JWT-based authentication with secure token handling
    • Regular security reviews of our infrastructure

    We do not sell, rent, or trade your personal data to third parties.

    13. Automated Processing

    The Platform uses automated algorithms to analyze publicly available market data and generate signals, scores, and narratives. This automated processing operates on market data only — it does not process your personal data to produce outputs, and it does not produce decisions with legal or similarly significant effects on you within the meaning of Article 22 GDPR.

    The signals and scores displayed are identical for all users viewing the same stock. No individual profiling or personalized investment recommendations are generated based on your personal data.

    14. Children’s Privacy

    The Platform is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18 without appropriate parental consent, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately.

    15. Changes to This Privacy Policy

    We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on the Platform and updating the “Last updated” date. For significant changes, we may also notify you by email.

    We recommend reviewing this page periodically. Continued use of the Platform after changes are posted constitutes your acceptance of the revised policy.

    16. Contact

    If you have questions about this Privacy Policy, wish to exercise your data protection rights, or have concerns about how your data is processed, please contact us:

    Email: info@krentium.com

    Arsalan Amiri
    Burgstraße 67
    60389 Frankfurt am Main
    Germany
