Privacy Policy
Last updated: February 8, 2026 • Poro-IT OÜ • Registry code: 16795817
🇪🇺 GDPR Compliance
Poro-IT OÜ is an Estonian company subject to the EU General Data Protection Regulation (GDPR). We are committed to protecting your personal data and your rights as a data subject. This policy explains what data we collect, why, how we process it, and how we handle international data transfers.
1. Data Controller
The data controller for BullishBeat.ai is:
Poro-IT OÜ
Registry code: 16795817
Country: Estonia, European Union
Email: privacy@bullishbeat.ai
Data Protection contact: privacy@bullishbeat.ai
2. What Data We Collect
2.1 Account Data
- Email address — for authentication and communication
- Name — for display in leagues and leaderboards
- Password hash — stored as an Argon2 hash, never in plain text
- Account preferences — notification settings, watchlist, display options
2.2 Trading Activity Data
- Paper trades — buy/sell/short orders, portfolio positions, P&L
- Watchlist — stocks you follow
- League participation — rankings, scores, trade history within leagues
- AI query history — which stocks you asked AI advisors about
2.3 Technical Data
- IP address — for security and rate limiting
- Browser/device info — user agent, screen size (via PostHog analytics)
- Usage patterns — pages visited, features used, session duration
2.4 IBKR Integration Data (Paid users only)
- IBKR API credentials — stored encrypted (AES-256), used only to execute trades
- Trade execution logs — records of trades sent to IBKR
- We never store your IBKR password — only API tokens
2.5 What We Do NOT Collect
- Payment card details (handled by payment processor)
- Government ID or social security numbers
- Bank account details
- Biometric data
3. Legal Basis for Processing (GDPR Article 6)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b)) — to provide the services you signed up for (account, trading, leagues)
- Legitimate interest (Art. 6(1)(f)) — analytics to improve the platform, security, fraud prevention
- Consent (Art. 6(1)(a)) — marketing emails, optional analytics cookies (you can withdraw consent anytime)
- Legal obligation (Art. 6(1)(c)) — tax records, regulatory requirements
4. International Data Transfers
⚠️ Important: Some of your data is processed outside the EU
While Poro-IT OÜ is an EU company, several of our infrastructure providers are based in the United States. We use appropriate safeguards for all international transfers as required by GDPR Chapter V.
Below is a complete list of third-party services that process your data:
| Service | Purpose | Data Location | Transfer Safeguard |
|---|---|---|---|
| Railway | Backend hosting, database (PostgreSQL) | US | EU-US Data Privacy Framework (DPF) |
| Google Cloud (Vertex AI) | ML model training, GCS model storage | US (us-central1) | EU-US DPF + Standard Contractual Clauses (SCCs) |
| Vercel | Frontend hosting (Next.js) | Global CDN (EU edge) | EU-US DPF + SCCs |
| PostHog | Product analytics | EU (PostHog Cloud EU) | EU hosted — no transfer |
| Polygon.io | Market data (stock prices) | US | No personal data transferred — only market data received |
| Finnhub | Financial data (insider trades, news) | US | No personal data transferred — only market data received |
| Anthropic (Claude API) | AI stock analysis | US | SCCs — stock symbols sent, no personal data |
| Google (Gemini API) | AI stock analysis | US | EU-US DPF — stock symbols sent, no personal data |
| Groq (Llama API) | AI stock analysis | US | SCCs — stock symbols sent, no personal data |
| Interactive Brokers | Trade execution (paid users only) | US | User's own IBKR contract — we only send trade instructions |
| Redis (Railway) | Caching, job scheduler | US (same as backend) | EU-US DPF — will migrate to EU with backend |
ℹ️ How we minimize EU → US data exposure
- AI queries contain no personal data — we only send stock symbols, prices, and indicators to AI providers. Your name, email, and account data are never sent.
- PostHog analytics runs on EU servers (PostHog Cloud EU) — your usage data stays in the EU.
- Market data providers (Polygon, Finnhub) send data TO us — we don't send personal data to them.
- Database + Redis + Backend are currently US-hosted on Railway. Railway supports EU regions (eu-west) on Pro plan. We plan to migrate all Railway services to EU.
4.1 Transfer Safeguards
For services that process personal data in the US, we rely on:
- EU-US Data Privacy Framework (DPF) — for providers certified under the framework (Google, Vercel, Railway)
- Standard Contractual Clauses (SCCs) — EU-approved contractual safeguards for providers not yet DPF-certified
- Data minimization — we send the minimum data necessary to each provider
4.2 EU Migration Plan
Our backend, PostgreSQL database, and Redis are currently hosted on Railway (US region). We plan to migrate all Railway services to the EU:
- Railway supports eu-west region on Pro plan
- Migration covers: backend API, PostgreSQL database, Redis cache
- Timeline: Migration planned for Q2 2026
- After migration, all personal data storage and processing will be within the EU
- In the interim, Railway operates under EU-US Data Privacy Framework certification
5. Data Retention
- Account data — retained while your account is active, deleted within 30 days of account deletion request
- Trading history — retained for 3 years for tax reporting purposes (legal obligation)
- AI query logs — retained for 90 days, then anonymized
- Analytics data — retained for 12 months in PostHog, then auto-deleted
- Server logs — retained for 30 days for security purposes
6. Your Rights (GDPR Articles 15-22)
🛡️ Your GDPR Rights
As an EU/EEA resident, you have the following rights:
- Right of access (Art. 15) — request a copy of all your personal data
- Right to rectification (Art. 16) — correct inaccurate data
- Right to erasure (Art. 17) — request deletion of your data (“right to be forgotten”)
- Right to restrict processing (Art. 18) — limit how we use your data
- Right to data portability (Art. 20) — receive your data in machine-readable format
- Right to object (Art. 21) — object to processing based on legitimate interest
- Right to withdraw consent — withdraw any consent you've given, at any time
To exercise any of these rights, email: privacy@bullishbeat.ai
We will respond within 30 days as required by GDPR.
7. Data Export
You can request a full export of your data at any time. We will provide:
- Account information (JSON)
- Complete trading history (CSV)
- Watchlist and preferences (JSON)
- AI query history (CSV)
- League participation and results (CSV)
Export requests are processed within 30 days. You can also delete all your data — this is irreversible and will remove your account, trading history, and league participation.
8. Cookies & Tracking
We use minimal cookies:
- Essential cookies — JWT session token, CSRF protection (no consent required)
- Analytics cookies — PostHog (EU-hosted), only with your consent
- No advertising cookies — we don't run ads and don't use ad trackers
- No third-party tracking — no Google Analytics, no Facebook Pixel, no social trackers
You can disable analytics cookies at any time in your account settings.
9. Security Measures
- Passwords hashed with Argon2 (memory-hard algorithm)
- IBKR API credentials encrypted with AES-256
- HTTPS everywhere — all data in transit is encrypted
- JWT tokens with expiration and refresh rotation
- Rate limiting on all API endpoints
- 2FA available for account protection
- Regular security audits
10. Data Breach Notification
In the event of a data breach that poses a risk to your rights:
- We will notify the Estonian Data Protection Inspectorate (AKI) within 72 hours as required by GDPR Article 33
- We will notify affected users without undue delay as required by GDPR Article 34
- Notification will include the nature of the breach, data affected, and measures taken
11. Children's Privacy
BullishBeat.ai is not intended for users under the age of 18. We do not knowingly collect personal data from minors. If we discover that a user is under 18, we will delete their account and data.
12. Third-Party Links
Our platform may contain links to third-party services (IBKR, news sources, etc.). We are not responsible for the privacy practices of these services. Please review their privacy policies independently.
13. Supervisory Authority
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with:
Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)
Website: www.aki.ee/en
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia
You may also lodge a complaint with the supervisory authority in your own EU/EEA member state.
14. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email and/or in-app notification at least 30 days before they take effect. The “last updated” date at the top reflects the latest version.
15. Contact
Poro-IT OÜ
Registry code: 16795817
Estonia, European Union
General: info@bullishbeat.ai
Privacy: privacy@bullishbeat.ai