Version 0.1 (draft pending counsel review) · Last updated June 12, 2026
This Privacy Policy describes how [OPERATOR LEGAL ENTITY NAME] (“we,” “us”) handles personal information in connection with the data platform at app.basisdata.dev, including its web application, API, and MCP endpoint (the “Service”). The Service is a business-to-business product; we process personal information of account holders and of individuals named in public records (see §3). Questions: [CONTACT EMAIL].
Account data. Name, email address, hashed password (we never store plaintext passwords), and, if enabled, two-factor authentication enrollment data. Billing data. Payments are processed by Stripe, Inc.; we receive subscription status, plan, and the billing identifiers Stripe assigns, but card numbers are collected by and stored with Stripe, not us (see Stripe’s privacy policy). Usage data. First-party product telemetry recorded server-side in our own database: event type (e.g. page view, search issued, API/MCP call), the page path or search query, a timestamp, and your account identifier. We do not record your IP address or browser fingerprint in telemetry, we use no third-party analytics service, and we set no cookies other than those strictly necessary for sign-in (see §5). Support and correspondence. Anything you send us.
The product itself contains information sourced from public regulatory filings (e.g. SEC filings), public-pension disclosures and records released under freedom-of-information laws, and other publicly available sources. This can include names and professional details of individuals acting in a professional capacity (for example, principals of investment managers named in a regulatory filing). We process this information on the basis of legitimate interest in organizing public records, we attribute it to its source, and we do not enrich it with private or consumer data. If you believe information about you in the dataset is inaccurate or should not be displayed, contact [CONTACT EMAIL] and we will review the source record.
We use account, billing, and usage data to provide and secure the Service (authentication, abuse and rate-limit enforcement, audit logging); to operate subscriptions and billing; to understand aggregate product usage and improve the Service; to communicate with you about the Service (transactional email such as verification, password reset, and billing notices); and to comply with law. We do not sell personal information, we do not share it for cross-context behavioral advertising, and we do not use it to train machine-learning models.
The Service sets only strictly necessary cookies: the session cookie that keeps you signed in (and, where applicable, short-lived security cookies that support the sign-in flow). There are no analytics, advertising, or third-party cookies. Because we use no non-essential cookies, the Service does not show a cookie-consent banner.
We share personal information only with service providers acting on our instructions: Stripe (payments), our transactional email provider ([EMAIL PROVIDER]), Cloudflare (network delivery and DDoS protection in front of our servers), and our hosting infrastructure. Application data, including telemetry, is stored on servers we operate. We may disclose information if required by law or to protect the rights, safety, or property of us, our users, or others, and in connection with a merger, acquisition, or sale of assets (with notice to you).
Account data is retained while your account is active. When you delete your account, authentication records are deleted, API keys are revoked, any subscription is cancelled, and telemetry events are disassociated from your identity (the account identifier on past events is removed; anonymous aggregate counts are retained). Billing records are retained as required by tax and accounting law. Backups roll off on a fixed schedule of [BACKUP RETENTION PERIOD].
Passwords are stored hashed; API keys are stored as one-way hashes and shown only once at creation; traffic is encrypted in transit (TLS); access to production systems is restricted. Authentication-sensitive endpoints are rate limited. No system is perfectly secure; we will notify affected users of a personal-data breach as required by applicable law.
Depending on where you live, you may have rights to access, correct, delete, or export your personal information, and to object to or restrict certain processing. You can exercise most of these directly (account settings, account deletion) or by contacting [CONTACT EMAIL]. We do not discriminate against you for exercising privacy rights. If you are in a jurisdiction with a supervisory authority, you may also lodge a complaint there. The Service is operated from the United States; if you access it from elsewhere, your information will be processed in the United States. [COUNSEL: confirm whether GDPR/UK-GDPR/CCPA apply at GA and add the corresponding sections — legal bases table, SCCs/DPF status, “shine the light,” etc.]
The Service is not directed to anyone under 18, and we do not knowingly collect personal information from children.
We may update this policy; material changes will be notified via the Service or email before they take effect. The “Last updated” date above reflects the current version. See also the Terms of Service.