Privacy policy
Last updated 8 July 2026
Draft — pending qualified legal review
This document is a working draft prepared ahead of launch. It has not yet been reviewed or approved by qualified UK legal or compliance counsel, and must not be relied on as final, in-force terms. It will be replaced once that review is complete.
This Privacy Policy explains how Subnalysis ("we", "us", "our") collects, uses, and protects personal data when you use the Subnalysis service (the "Service"). We are the data controller for the personal data described here.
1. Data we collect
We collect the following personal data as part of operating the Service:
Account data: your email address, and an account role/tier, created when you sign up or are invited to the prototype.
Watchlist data: the assets you choose to track ("portfolio picks"), so the Service can personalise the content shown to you.
Feedback data: your responses to the "agree/disagree with the desk" prompt on individual analyses, tied to your account.
Content contributions: if you hold an administrator role, any glossary term definitions you add.
Technical data: standard web server logs (such as IP address and request timestamps) generated as part of normal Service operation, including for security purposes such as detecting repeated failed sign-in attempts.
We do not collect payment card data directly — during the prototype phase no payment is processed at all; when paid billing is introduced, card data will be handled by a third-party payment processor and will not be stored on our own systems.
2. How we use your data
We use the data described above to:
Provide, maintain, and personalise the Service, including showing you analysis for the assets you track.
Authenticate you and secure your account.
Operate feedback and product-improvement features.
Monitor and improve the security, reliability, and performance of the Service.
Communicate with you about your account or material changes to the Service.
Comply with our legal obligations.
We do not sell your personal data, and we do not use your data to serve third-party advertising.
3. Legal basis for processing
Where UK/EU data protection law applies, we rely on the following legal bases:
Performance of a contract — to provide the Service you have signed up for (account data, watchlist data).
Legitimate interests — to secure the Service, prevent abuse, and improve our product (technical data, feedback data), balanced against your rights and interests.
Consent — where we ask for it separately, such as for optional communications.
4. Who we share data with
We share personal data only with service providers who process it on our behalf, under contractual terms that require them to protect it and use it only for the purposes we specify. These currently include:
Our authentication and database provider, which stores account and watchlist data.
Our cloud hosting provider, which runs the Service infrastructure.
We do not share your personal data with other third parties for their own marketing purposes. We may disclose data where required by law, to protect our legal rights, or to protect the safety of our users or the public.
5. International data transfers
Some of our service providers may process data outside the UK or European Economic Area. Where this occurs, we take steps to ensure an adequate level of protection is in place, such as relying on providers certified under an adequacy framework or standard contractual clauses.
6. Data retention
We retain personal data for as long as your account is active and the Service needs it to function. If you delete your account, your account, watchlist, and feedback data are deleted; see "Your rights" below for how to do this. We may retain minimal records where required to comply with a legal obligation or to resolve disputes.
7. Your rights
Subject to applicable law, you have the right to:
Access the personal data we hold about you.
Correct inaccurate data (most account data can be edited directly in Account settings).
Erase your data — you can request permanent deletion of your account and associated personal data at any time from Account settings → Danger zone. Your account is scheduled for permanent erasure after a short grace period (currently 14 days), during which you can cancel; after that your account, profile, and watchlist are permanently deleted. A small number of technical logs may persist briefly for security purposes before routine deletion.
Object to or restrict certain processing.
Request a portable copy of your data.
A self-service data export tool is planned but not yet built; until then, you can request a copy of your data using the contact details below. To exercise any of these rights, contact us at the email address at the bottom of this page. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ico.org.uk) or your local data protection authority.
8. Cookies and similar technologies
We use strictly necessary cookies to keep you signed in and to remember your session — the Service cannot function without these. We do not currently use analytics or advertising cookies. If this changes, this policy will be updated and, where required, we will ask for your consent first.
9. Children's privacy
The Service is not directed at, and must not be used by, anyone under 18. We do not knowingly collect personal data from children.
10. Security
We apply technical and organisational measures to protect personal data, including encrypted connections, access controls scoped to each user's own data, and rate-limiting on authentication endpoints. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will update the "Last updated" date above and, for material changes, provide reasonable notice.
Questions about this document? Contact legal@subnalysis.com.