Privacy Policy
Last updated: 7 July 2026.
1. Controller
The controller responsible for data processing on this website is:
CVI Technology, Germany Managing Director: Stefan Mauch Email: privacy@computationalvalueinvesting.com
2. Overview of what we process, and why
We only process personal data where there is a legal basis under Art. 6 GDPR.
| Data | Purpose | Legal basis (Art. 6 GDPR) |
|---|---|---|
| Account: email, name, password (stored only as a salted hash) | Provide the account and the gated terminal | (b) performance of the contract |
| Login sessions (signed cookie) | Keep you logged in, secure the paywall | (b) contract / (f) legitimate interest (security) |
| Subscription & billing data (via Stripe) | Process payments, manage the subscription | (b) contract; (c) legal (tax/accounting retention) |
| Google account ID + email (if you use “Continue with Google”) | Optional single sign-on | (b) contract; (a) consent to use the option |
| Newsletter email + opt-in log | Send the weekly newsletter | (a) consent (double opt-in) |
| Price-alert rules | Send the alerts you configured | (b) contract / (a) consent |
| “Ask CVI” chat messages | Answer your in-app questions | (b) contract / (f) legitimate interest |
| Server & access logs (incl. IP address, user agent, timestamps) | Operate, secure and debug the service | (f) legitimate interest (security & stability) |
| Analytics / marketing cookies | Understand usage, measure campaigns | (a) consent (via the cookie banner) |
We do not sell personal data, and we do not use it for automated decision-making with legal effect on you.
3. Cookies and similar technologies (§ 25 TDDDG)
- Strictly necessary cookies — the login session cookie and the cookies Stripe sets during checkout. These are required to operate the service (§ 25 (2) TDDDG) and are set without consent.
- Analytics / marketing cookies — set only after you consent via our cookie banner. You can withdraw consent at any time via “Cookie settings” in the footer.
4. Hosting and where data is stored
The website and database are hosted by Render (Render Services, Inc.) in the EU. Data may also be processed on servers operated by our processors listed below, some of which are in the USA.
5. Recipients / processors and third-country transfers
We use the following service providers. Where data is transferred outside the EU/EEA (e.g. to the USA), the transfer is safeguarded by the EU Standard Contractual Clauses and/or the provider’s certification under the EU–US Data Privacy Framework.
- Render — hosting, database, logs (EU / USA).
- Stripe (Stripe Payments Europe, Ltd. / Stripe, Inc.) — payment processing and subscription management (EU / USA). Stripe acts as an independent controller for payment data; see stripe.com/privacy.
- Google (Google Ireland Ltd.) — optional “Continue with Google” sign-in (EU / USA).
- Anthropic (Anthropic, PBC) — powers the “Ask CVI” chat; your chat messages are sent to Anthropic’s API to generate a reply (USA). Anthropic does not train its models on API data; see anthropic.com/legal/privacy.
- Our email service provider — sends account, newsletter and alert emails.
Where analytics cookies are enabled with your consent, the corresponding analytics provider processes usage data on our behalf.
6. Newsletter (double opt-in)
If you subscribe to the newsletter, we send a confirmation email; only after you confirm the link do you receive it (double opt-in). We log the opt-in as proof of consent. You can unsubscribe at any time via the link in every email, which withdraws your consent going forward.
7. Retention
We keep account and subscription data for the duration of the contract and then for the statutory retention periods (up to 10 years for invoicing/tax records under the HGB/AO). Server logs are kept for up to 30 days. Newsletter data is kept until you unsubscribe.
8. Your rights
Under the GDPR you have the right to: access (Art. 15), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20), and to object (Art. 21) to processing based on legitimate interest. Where processing is based on consent, you may withdraw it at any time with effect for the future (Art. 7 (3)). To exercise any right, contact us at the address in Section 1.
Right to lodge a complaint (Art. 77): you may complain to a supervisory authority, e.g. the competent authority for Bavaria — Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 18, 91522 Ansbach, Germany.
9. Security
We use TLS encryption, hashed passwords (scrypt), access controls and reputable processors. No online transmission is 100 % secure, but we take appropriate technical and organisational measures under Art. 32 GDPR.
10. Changes
We may update this policy to reflect changes in the service or the law. The current version is always available at /privacy. Material changes affecting you will be communicated appropriately.