LEGAL

Privacy Policy

Plain-English summary: we collect your email so you can sign in and receive alerts. We don't sell your data. We use a small set of named infrastructure providers who can technically see your data on our behalf.

Last updated: May 22, 2026

1. What we collect

  • Email address — required to sign in and to send you watchlist alerts.
  • Watchlist items — the tickers and CIKs you've chosen to follow.
  • Session data — a session token cookie and associated row in our database.
  • Request metadata — IP address, user agent, and timestamp for each request, retained briefly by our infrastructure providers for security and operations.
  • Optional waitlist email — if you signed up for launch updates before the product opened.

2. What we do not collect

  • Trading account numbers, brokerage credentials, or any financial account data.
  • Browsing behavior beyond DEHY's own pages (no third-party tracking pixels or social-network analytics).
  • Government identifiers (SSN, tax ID, etc.).

3. How we use your data

  • Authenticate your account.
  • Deliver watchlist alerts you've configured.
  • Operate, secure, and improve the Service.
  • Communicate product updates and security notices.

4. Infrastructure providers

DEHY runs on the following providers, each of which can technically access data we send them as part of operating the Service:

  • Neon — Postgres database hosting (filing data, accounts, sessions).
  • Upstash — Redis for the job queue.
  • Vercel — web hosting, request logs.
  • Fly.io — worker process hosting.
  • Resend — transactional email delivery (sign-in links and alerts).
  • Sentry — error tracking (request metadata when something fails).
  • Axiom — structured logging.

5. Cookies

DEHY sets a single session cookie (authjs.session-token) when you sign in. It is HttpOnly and SameSite=Lax. We do not use advertising cookies or third-party analytics cookies.

6. Your rights

Depending on where you live, you may have rights under the GDPR, CCPA, or similar laws, including the right to:

  • Access the data we hold about you.
  • Correct inaccurate data.
  • Delete your account and associated data.
  • Export your data in a portable format.

To exercise any of these rights, email privacy@dehy.io. We respond within thirty days.

7. Retention

Account data is retained while your account is active. Session data is retained for thirty days after each sign-in. Public filing data (issuers, reporters, transactions) is retained indefinitely as part of the public record we surface.

8. International transfers

Our infrastructure providers operate in the United States and the European Union. Where we transfer personal data across borders, we rely on the relevant providers' standard contractual clauses.

9. Children

DEHY is not directed at children under thirteen and we do not knowingly collect data from them.

10. Changes

Material changes to this policy will be announced via email to active accounts.

11. Contact

Privacy questions or requests: privacy@dehy.io.

This policy is a starting template. We recommend reviewing it with counsel before relying on it for compliance.