Privacy & data protection
How Finance Monitor Lab handles personal data, the legal bases for it, and your rights under the GDPR.
Last updated 2026-06-20.
1. Who is responsible (data controller)
Finance Monitor Lab operates this instance and is the data controller for the personal data described here. For any privacy question or to exercise your rights, contact noreply@financemonitorlab.com (the operator should replace this placeholder with a monitored address; a no-reply mailbox is not normally read).
2. What data we collect and why
We collect only what the service needs. Concretely, this instance stores:
| Data | Why we hold it | Legal basis (GDPR Art. 6) |
|---|---|---|
| Account — email address, hashed password, role, account status, sign-up and last-login times, email-verification status | To create and secure your account and let you sign in | Contract — Art. 6(1)(b) |
| Your watchlist, portfolio (holdings, cost basis), per-stock notes and alert rules | The core features you signed up to use | Contract — Art. 6(1)(b) |
| Alert history (which signals fired and when) | To show your Signals feed and avoid repeat notifications | Contract / legitimate interests — Art. 6(1)(b)/(f) |
| Notification channels — Discord/webhook URL, Telegram chat id, digest frequency | To deliver alerts where you ask us to | Consent — Art. 6(1)(a) (you add these yourself) |
| Two-factor secret (if you enable 2FA) | To protect your account with a second factor | Consent / legitimate interests — Art. 6(1)(a)/(f) |
| Security logs — failed/successful login attempts with IP address and time; an admin audit log of configuration and account changes | To prevent abuse, rate-limit attacks and keep the service accountable | Legitimate interests — Art. 6(1)(f) |
We do not collect special-category data, we do not profile you for advertising, and we do not sell personal data. Market data (quotes, news, ratings) is general information about companies, not about you.
3. Cookies
This site sets a single, strictly necessary session cookie to keep you logged in and to carry an anti-forgery (CSRF) token. It is not used for tracking or advertising, and there are no third-party analytics cookies — so no cookie-consent banner is required for it. If you don't log in, no cookie is needed.
4. Who we share data with (processors)
We don't sell or rent your data. We share the minimum necessary with service providers that process data on our behalf:
- Email provider (e.g. Brevo, when email is enabled) — receives your email address and the alert/verification message content in order to deliver it.
- Market-data provider (e.g. Finnhub, in live mode) — receives the ticker symbols being looked up. These requests are not linked to your identity.
- Messaging platforms you opt into (Telegram, Discord, or your own webhook) — receive your alert content and the destination you configured.
- Our hosting provider — stores the database and serves the site.
Some providers may process data outside the EU/EEA. Where that happens, the transfer must be covered by an appropriate safeguard under Chapter V of the GDPR (for example Standard Contractual Clauses); the operator should confirm this with each provider.
5. How long we keep it (retention)
Under the storage-limitation principle (GDPR Art. 5(1)(e)) we keep personal data only for as long as there is a valid legal basis and a genuine purpose for it, and no longer. In practice that means each category is kept only as long as its purpose requires:
| Data | Kept for | Why this period is necessary |
|---|---|---|
| Account & service data (watchlist, portfolio, notes, alert rules, channels) | For the life of your account | Necessary to provide the service for as long as you have an account; deleted when you delete the account |
| Alert history | For the life of your account | Supports your Signals feed and de-duplication while you use the service |
| Security logs (login attempts, IP) | 90 days, then deleted | A bounded period proportionate to fraud/abuse prevention — keeping them longer would no longer be necessary |
| Admin audit log | A limited period for security and accountability | Retained only while needed to investigate issues and demonstrate compliance |
If a specific legal obligation ever requires us to keep certain records longer (for example a retention duty that applies to the operator), we will keep only what that obligation requires, for only as long as it requires, and then delete it. You can ask us to delete your data sooner (see your rights below), and we will do so unless we are legally required to retain it.
6. Your rights
If you are in the EU/EEA, the GDPR gives you the right to: access your data (Art. 15), correct it (Art. 16), erase it (Art. 17), restrict or object to processing (Arts. 18, 21), data portability (Art. 20), and to withdraw consent at any time for anything based on consent (Art. 7(3)). You can exercise the main rights yourself in the app:
- Access & portability — sign in and use “Download my data” on the Settings page.
- Erasure — sign in and use “Delete account” on the Settings page; this removes your account and associated personal data. Security-log entries that reference your sign-ins are not deleted immediately but expire on the schedule in section 5.
- Rectification & consent — edit your watchlist, portfolio, notes and notification channels at any time in the app, or remove a channel to withdraw that consent.
For anything you can't do in the app, contact noreply@financemonitorlab.com. You also have the right to lodge a complaint with your local data-protection authority.
7. Security
Passwords are stored only as salted hashes, never in plain text; forms are protected with anti-CSRF tokens; optional two-factor authentication is supported; and repeated failed logins are rate-limited. No system is perfectly secure, but we aim to apply reasonable, proportionate measures.
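The password-storage and login rate-limiting controls named above, sketched as an added example in Python. This is not Finance Monitor Lab's own code: the notice does not say which hash function or thresholds the software uses, so the choice of scrypt, its parameters, the limiter window (five failures in fifteen minutes) and every function name here are assumptions.

```python
"""Added example (not the project's code): per-user salted password hashing
with a memory-hard KDF and constant-time verification, plus a sliding-window
rate limiter for repeated failed logins. Names and parameters are assumptions."""
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# scrypt cost parameters: assumed for the example (16 MiB, ~50 ms per hash).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str) -> str:
    """Return a self-describing record: algo$N$r$p$salt$digest (hex fields).
    A fresh 16-byte random salt per user means equal passwords hash differently."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=32)
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:
        return False


class LoginRateLimiter:
    """Counts failures per key (e.g. (username, client IP)) in a sliding window.
    Successful logins clear the counter; an injectable clock makes it testable."""

    def __init__(self, max_failures=5, window_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)

    def _prune(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > self.window:
            q.popleft()          # drop failures that have aged out of the window
        return q

    def is_blocked(self, key) -> bool:
        return len(self._prune(key, self.clock())) >= self.max_failures

    def record_failure(self, key) -> None:
        now = self.clock()
        self._prune(key, now).append(now)

    def record_success(self, key) -> None:
        self._failures.pop(key, None)


# Hash of a random throwaway value, used so that login attempts for unknown
# users cost the same as attempts for known users (no timing-based user enumeration).
_DUMMY_HASH = hash_password(os.urandom(16).hex())


def attempt_login(users: dict, limiter: LoginRateLimiter,
                  username: str, password: str, client_ip: str) -> str:
    """Return 'ok', 'invalid' or 'rate_limited'. `users` maps username -> stored record."""
    key = (username, client_ip)
    if limiter.is_blocked(key):
        return "rate_limited"    # checked before any hashing work is done
    stored = users.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)   # burn the same time as a real check
        ok = False
    else:
        ok = verify_password(password, stored)
    if ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "invalid"


if __name__ == "__main__":
    # Constructed demo data: one user, one client address.
    users = {"alice": hash_password("correct horse battery staple")}
    limiter = LoginRateLimiter(max_failures=3, window_seconds=60)
    for pw in ["guess1", "guess2", "guess3", "correct horse battery staple"]:
        print(pw, "->", attempt_login(users, limiter, "alice", pw, "203.0.113.7"))
```

Storing the parameters alongside the salt and digest is what allows the cost to be raised later without invalidating existing accounts: records written with the old parameters still verify, and can be rehashed on the next successful login.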
8. Changes
We may update this notice as the service evolves; the “last updated” date above always reflects the current version.
This page is a configurable template provided with the software and is not legal advice. The operator is responsible for ensuring it is accurate and complete for their circumstances and jurisdiction, and should seek professional advice where needed.