This Privacy Policy explains what personal data Tracefour ("we", "us") collects about visitors and signed-in users of tracefour.com (the "Service"), how we use it, who we share it with, and what rights you have. We aim for the minimum necessary data to run the Service. No profiling, no ad targeting, no sale of personal data.
1. Data controller
Tracefour is the data controller for personal data processed via the Service. Contact: [email protected]. Tracefour does not currently have an EU representative or a designated Data Protection Officer; the operator handles privacy enquiries directly via the contact email.
1a. Public regulatory filings: third-party personal data
Tracefour publishes information about company insiders (directors, executives, persons in leading positions) that they themselves were legally required to disclose to a public regulator. Source feeds:
- U.S. Securities and Exchange Commission (SEC) EDGAR: Form 4 / 13F / 13D / 13G filings. Public records under U.S. federal law.
- Finansinspektionen (FI) Insynsregistret: PDMR transactions ("Personer i ledande ställning") published under MAR Article 19 and the Swedish Act on Reporting of Insiders' Transactions (lag 2016:1306). For each filing we display the same fields FI publishes: issuer name, notifier (employer), PDMR name, position, transaction date and type (acquisition or disposal), volume, price, currency, venue, and whether the transaction is a closely-associated-person filing or a correction. We do not collect addresses, national identity numbers, or any data beyond what FI itself makes public.
- Financial Conduct Authority (FCA) National Storage Mechanism (NSM): UK PDMR transactions published under UK MAR Article 19 (Statutory Instrument 2019/310) and AIM Rule 17. Public records under UK law; the schema and submission rules are governed by FCA Policy Statement PS24/19 (effective 3 November 2025).
- Bundesanstalt für Finanzdienstleistungsaufsicht (BaFin) Directors' Dealings: PDMR transactions ("Eigengeschäfte von Führungskräften") published under MAR Article 19. Public records under EU / German law.
- Autoriteit Financiële Markten (AFM) Meldingenregister: PDMR transactions ("transacties van leidinggevenden") published under MAR Article 19 by the Dutch financial-markets authority. Public records under EU / Dutch law. Each filing displays the same fields AFM publishes: issuer name (uitgevende instelling), notifier (PDMR) name, issuer LEI, position (functie), instrument type, ISIN, transaction category (verwerving / vervreemding), transaction type, stock-option programme flag, trading place, quantity, price, and currency. Reuse posture follows the EU Open Data Directive (2019/1024). National Competent Authority disclosures carry a strong reuse presumption with the sui generis Database Directive rights disapplied.
- Financial Modeling Prep (FMP): proxy for Senate and House Periodic Transaction Reports (PTRs) under the U.S. STOCK Act of 2012. Public records.
For data subjects who appear in these filings (insiders, PDMRs, members of Congress), our legal basis for processing is GDPR Article 6(1)(f): legitimate interests (and the equivalent UK GDPR Article 6(1)(f) + Data Protection Act 2018 §15 / §45 for UK data subjects): transparent functioning of financial markets (MAR Recital 23), investor protection, journalistic and statistical research (Article 89). The data has been made public by the regulator themselves, and these individuals have reduced privacy expectations on transactions they voluntarily disclosed as a condition of their senior role.
Erasure requests (GDPR Article 17): if you appear in our published filings data and would like us to consider de-listing or de-indexing your historical entries, write to [email protected]. We assess each request within the Article 12(3) 30-day window and balance the legitimate-interest factors against your specific circumstances. The right to erasure does not apply where processing is necessary for the public interest (Art 17(3)(b)) or for archiving / journalistic purposes (Art 17(3)(d)), but we will document the assessment and respond.
2. What we collect
From Google when you sign in. Your Google account ID (the stable sub identifier), your email address, your display name, and your profile-picture URL. We request only the minimum OpenID Connect scopes (openid email profile) and we do not call any other Google API after sign-in.
From you while using the Service. Your tracked tickers, your tracked insiders, and any preferences you set on the Settings page.
Diagnostic, while you have an active session. A salted SHA-256 hash of your IP address (we never store the raw IP), a truncated user-agent string, and the session creation, last-used, and expiry timestamps. These are used to invalidate stolen sessions and to rate-limit abuse; they are deleted when the session expires.
Anonymous traffic metrics. Cloudflare delivers the Service via its CDN and produces aggregate, IP-based traffic stats (no Cloudflare cookies are set by us). We also use Google Analytics 4 for aggregate page-view and feature-usage analytics; GA4 sets first-party cookies (_ga, _ga_*) in your browser. See §6.
3. How we use your data · Legal basis
For users in the European Economic Area and the United Kingdom, the GDPR / UK GDPR legal bases for processing are:
- Performance of a contract (Art. 6(1)(b)): authenticating you via Google, maintaining your session, storing your tracked items, and rendering the Service. Without these we cannot deliver the service you signed up for.
- Legitimate interests (Art. 6(1)(f)): hashing session IPs to detect abuse and rate-limit traffic, and aggregate-traffic analytics to understand how the Service is used and improve it. Our balancing test concluded these uses do not override your rights and freedoms; you can object at any time (see §7).
- Consent (Art. 6(1)(a)): where required, for non-essential analytics cookies (see §6). You can withdraw consent at any time by clearing your browser cookies or using the consent controls when we ship them.
- Legal obligation (Art. 6(1)(c)): responding to valid legal requests and complying with mandatory retention.
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.
4. Third parties · International transfers
We share your personal data only with the service providers we need to operate the Service, and only to the extent strictly required:
- Google LLC (Sign-In / OAuth, GA4): authentication and analytics. Google is based in the United States. Transfers to the US rely on Google's Standard Contractual Clauses and on the EU-US Data Privacy Framework.
- Cloudflare, Inc. (CDN, edge caching, DDoS mitigation, analytics): IP address and request metadata are processed transiently to deliver pages. Cloudflare is based in the United States; transfers rely on Cloudflare's Standard Contractual Clauses.
- Resend, Inc. (email delivery, for the optional weekly digest): if you subscribe, your email address is shared with Resend solely to deliver the emails you asked for. Subscription is double opt-in: nothing is sent until you click the confirmation link, and every email carries a one-click unsubscribe. We store your address, its confirmation status, the page you subscribed from, and send timestamps; unsubscribing stops all sending immediately, and you can request full deletion of the record by contacting us. Resend is based in the United States; transfers rely on its Standard Contractual Clauses.
We do not sell or share your personal information with advertisers, data brokers, or any party for behavioural advertising. We do not serve targeted ads.
5. Retention
- Account data (profile, tracked items) is retained until you delete the account. Deletion is hard, immediate, and cascades to sessions and tracked items.
- Sessions expire 90 days after creation. Expired sessions and their hashed IPs are purged hourly by an automatic job.
- OAuth state rows (used to complete the Google sign-in handshake) are consumed in the same request and otherwise expire after 10 minutes.
- Server logs (operational, not personally identifiable) are retained for up to 30 days for security and debugging purposes.
- Public regulatory filings (§1a) are retained on a rolling window: SEC EDGAR filings for 365 days, FI Insynsregistret PDMR transactions for 180 days. Identity rows (issuer name, ticker, PDMR slug) survive that window so existing URLs continue to resolve, but the underlying transactions are pruned automatically. Erasure requests under Article 17 are handled per §1a.
7. Your rights
Subject to applicable law (GDPR, UK GDPR, CCPA / CPRA, and others), you have the right to:
- Access and portability: get a copy of the personal data we hold about you in a structured, machine-readable format. Signed-in users can self-serve via the Settings page ("Export everything") or
GET /api/me/export; or write to [email protected]. - Rectification: have inaccurate data corrected. Your name, email, and avatar are refreshed from Google on each sign-in. To change them, update your Google account and sign in again.
- Erasure ("right to be forgotten"): ask us to delete your data. The "Delete my account" button on the Settings page hard-deletes your row and cascades to all your tracked items.
- Restriction and objection: ask us to stop or limit processing where we rely on legitimate interests (§3). For analytics and rate-limit hashing, blocking cookies / clearing the session achieves the same outcome.
- Right to withdraw consent where processing is based on your consent (§3), without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a data-protection supervisory authority. EEA residents may contact the authority in their country of habitual residence, place of work, or place of the alleged infringement. A list of EEA authorities is maintained at edpb.europa.eu. UK residents may contact the Information Commissioner's Office (ICO).
- California (CCPA / CPRA) rights include the right to know, the right to delete, the right to correct, and the right to opt out of "sale" or "sharing" of personal information. We do not sell or share personal information. Categories collected map to the disclosures in §2.
We will respond to verifiable requests within the timeframes required by applicable law (one month under GDPR / UK GDPR, 45 days under CCPA / CPRA, both subject to extension where the request is complex).
8. Security
We follow industry-standard practices to protect personal data: TLS on every request, server-side sessions with HMAC-signed opaque cookie IDs, parameterised SQL, scoped database access, secret values stored outside source control, and prompt patching of dependencies. No system is perfectly secure; if you suspect a vulnerability, please report it to [email protected] rather than probe live endpoints.
9. Children
The Service is intended for users aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page will reflect the most recent version. Material changes will be announced via the Service and, for signed-up users, by email at least 14 days before they take effect.
11. Contact
Privacy enquiries, data-subject requests, and complaints: [email protected].