EDGR
— Legal — Last updated: May 9, 2026

Privacy Policy.

How EDGR collects, uses, shares, and protects your information.

Introduction

№ 01

This Privacy Policy explains how EDGR ("we," "us," or "our"), a sole-proprietor financial news aggregation service, collects, uses, shares, and protects information about you when you use our web application at https://edgr.news and related services (collectively, the "Service"). Please read this Policy carefully. By creating an Account or continuing to use the Service, you agree to the practices described here.

If you have questions or concerns, contact us at info@edgr.news.

Information We Collect

№ 02

We collect only the information necessary to operate the Service securely and effectively. Specifically, we collect:

  • Email address — provided at signup and verified before Account activation.
  • Password — stored exclusively as an Argon2id cryptographic hash. We never store or transmit your plaintext password.
  • TOTP secret — if you enroll a TOTP authenticator app, the secret is stored encrypted at rest using Fernet symmetric encryption.
  • Recovery codes — stored as Argon2id hashes. Plaintext codes are shown only once at enrollment and never retained.
  • Watchlist names and ticker symbols — the lists of securities you create and manage within the Service.
  • Schedule preferences — your chosen IANA timezone and preferred email delivery times.
  • IP addresses and user agents — logged for security monitoring, fraud prevention, and audit purposes.
  • Login attempts, timestamps, and lockout state — recorded to detect and prevent unauthorized access.
  • Audit log of state-changing actions — including logins, password changes, email changes, 2FA changes, and account deletions.
  • Email open and click metadata — delivery confirmation data provided by our email delivery provider (Resend). This is used only to verify successful delivery and diagnose delivery failures; it is not used for marketing analytics.

We do not collect payment card information, Social Security numbers, government-issued identification, biometric data, or precise geolocation.

How We Use Your Information

№ 03

We use the information we collect for the following purposes:

  • Service operation — to authenticate your identity, maintain your Account, generate personalized newsletter digests based on your watchlist, and deliver those digests on your preferred schedule.
  • Security and fraud prevention — to detect unauthorized login attempts, enforce rate limits and lockouts, verify your password has not appeared in known data breaches (via the HaveIBeenPwned k-anonymity API), and protect the integrity of the Service.
  • Transactional communications — to send you newsletter digests, security alerts (e.g., new login from an unrecognized device), and service-related announcements. We do not send promotional or marketing email unless you explicitly opt in.
  • Legal compliance — to meet any legal obligations, respond to lawful requests from government authorities, and enforce our Terms of Service.

We do not use your data for behavioral advertising, interest-based targeting, or the sale of personal information to third parties.

How We Share Your Information

№ 04

We do not sell, rent, or trade your personal information. We share data only with the third-party service providers listed below, each of whom processes data strictly as necessary to perform their service on our behalf:

Provider | Purpose
Supabase | Hosts our PostgreSQL database; stores all Account and watchlist data.
Google Cloud Platform | Provides compute infrastructure on which the application runs.
Cloudflare | Provides Turnstile CAPTCHA on authentication pages, DNS resolution, and TLS termination.
Resend | Handles transactional email delivery, including newsletter digests and security alerts sent from news@mail.edgr.news.
Anthropic | Powers the Claude AI model used to summarize news articles. Only article text is sent; no user personal data is transmitted.
HaveIBeenPwned | Checks whether a new password appears in known breach datasets using a k-anonymity API (only the first 5 characters of the SHA-1 hash of the password are transmitted; your full password never leaves our systems).
Finnhub, Finviz, NewsAPI, Yahoo Finance, Google News, X (via Grok) | Public news and financial data sources used to retrieve articles for aggregation. We do not transmit any user data to these providers.
Stripe | Payment processing infrastructure, currently inactive. Will be enabled if a premium subscription tier is launched. No payment data is collected today.
Plausible Analytics | Aggregate, cookieless page-view analytics. Collects only the URL path visited, referring site, country (derived from IP and then discarded), screen size category, and browser type. No cookies are set, no IP addresses are stored, and no personal data is collected or retained. Compliant with GDPR, CCPA, and PECR without requiring a cookie banner.
Discord | Optional community platform accessible at https://discord.gg/bYbQ4CM2w. Discord is a separate service governed by Discord's own Terms of Service and Privacy Policy. We do not share your EDGR Account data with Discord.

We may also disclose information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of EDGR, our users, or the public.

Cookies and Tracking

№ 05

We use a minimal number of cookies necessary for the Service to function:

  • edgr_session — a signed session cookie used exclusively for authentication. Set with HttpOnly, Secure, and SameSite=Lax flags. Expires after 30 days of inactivity. This cookie is strictly necessary and cannot be disabled without breaking the Service.
  • Cloudflare Turnstile challenge cookies — short-lived cookies set by Cloudflare's CAPTCHA service on authentication pages to verify that login and registration requests originate from a human. These expire shortly after the challenge is completed.

We do not use advertising cookies, third-party tracking pixels, or any cookies for analytics purposes. We use Plausible Analytics (see Section 4) to measure aggregate page-view traffic without setting any cookies and without collecting or storing any personal data or IP addresses; this is what allows us to operate without a cookie consent banner. We may add affiliate link tracking in the future, and if we do, we will update this Policy and provide notice before activating such tracking.

Data Retention

№ 06

We retain your personal data for as long as your Account is active. If you delete your Account, your personal information (email, hashed password, watchlist data, schedule preferences, TOTP secret, and recovery codes) will be permanently deleted.

Audit logs — records of login events, password changes, and other state-changing actions are retained for 12 months following Account deletion for fraud prevention and security purposes. After 12 months, they are permanently purged.

Email delivery records — Resend may retain delivery metadata for a period consistent with their own data retention policies.

Security

№ 07

We take the security of your data seriously and implement the following technical measures:

  • Passwords and recovery codes are hashed using Argon2id, a memory-hard hashing function designed to resist brute-force and GPU-accelerated attacks.
  • TOTP secrets are encrypted at rest using Fernet symmetric encryption.
  • Two-factor authentication is required for all Accounts; there is no option to disable it.
  • All data in transit is encrypted using HTTPS/TLS enforced by Cloudflare.
  • Rate limiting and account lockout are enforced on authentication endpoints to prevent credential stuffing and brute-force attacks.
  • Password breach checking is performed via the HaveIBeenPwned k-anonymity API at the time of password creation or change.

Despite these measures, no system is completely secure. We cannot guarantee absolute security of data transmitted over the internet or stored on our infrastructure. You use the Service at your own risk, and you are encouraged to use a strong, unique password and keep your 2FA device secure.

Your Rights and Choices

№ 08

8.1 Access

You can view your email address, watchlist data, and schedule preferences at any time by logging in to the Service dashboard.

8.2 Correction

You can update your email address, password, 2FA settings, watchlist content, and schedule preferences directly from the Account page.

8.3 Deletion

You can permanently delete your Account and associated personal data by navigating to Account → Delete Account. This action is irreversible. Audit logs will be retained for 12 months as described in Section 6.

8.4 Export

To request a copy of your personal data in a portable format, email us at info@edgr.news. We will respond within a reasonable time.

Children's Privacy

№ 09

The Service is intended for users who are 18 years of age or older. We do not knowingly collect or solicit personal information from anyone under 18. If we learn that we have inadvertently collected information from a minor, we will delete that information promptly. If you believe we may have collected information from a minor, please contact us at info@edgr.news.

California Privacy Rights (CCPA)

№ 10

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

  • Right to Know — You have the right to request information about the categories and specific pieces of personal data we have collected about you, the categories of sources from which it was collected, the business purposes for collecting it, and the categories of third parties with whom it has been shared.
  • Right to Delete — You have the right to request deletion of your personal data, subject to certain legal exceptions. Deletion can be completed directly via Account → Delete Account, or by contacting us at info@edgr.news.
  • Right to Opt Out of Sale — We do not sell your personal data to third parties. You do not need to take any action to opt out of a sale.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. We will not deny you service, charge different prices, or provide a different level of service quality based on your exercise of these rights.

To submit a verifiable consumer request, contact us at info@edgr.news. We may need to verify your identity before responding.

European Economic Area (GDPR) Notice

№ 11

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, the following additional provisions apply.

11.1 Data Controller

EDGR (sole proprietor) is the data controller for personal data processed through the Service. Contact: info@edgr.news.

11.2 Lawful Basis for Processing

We process your personal data under the following lawful bases:

  • Performance of a contract — processing necessary to provide the Service to you (authentication, newsletter delivery, watchlist management).
  • Legitimate interests — security monitoring, fraud prevention, and audit logging, where our interests do not override your fundamental rights.
  • Consent — you provide consent by creating an Account and accepting this Privacy Policy.

11.3 Your GDPR Rights

You have the right to:

  • Access — obtain a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete personal data.
  • Erasure — request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction of processing — request that we limit how we use your data in certain circumstances.
  • Data portability — receive your personal data in a structured, machine-readable format and transmit it to another controller.
  • Object — object to processing based on legitimate interests at any time.

To exercise any of these rights, contact us at info@edgr.news.

11.4 Complaints

If you believe we have not complied with applicable data protection law, you have the right to lodge a complaint with your local data protection authority (DPA).

Data Breach Notification

№ 12

In the event of a confirmed personal data breach that poses a risk to your rights and freedoms, we will notify affected users within 72 hours of becoming aware of the breach, to the extent reasonably practicable. Notification will be sent to the email address associated with your Account and will describe the nature of the breach, the categories of data affected, and the steps we are taking to address it. Where required by applicable law, we will also notify the relevant supervisory authority.

International Data Transfers

№ 13

Your personal data is stored and processed in the United States. Our primary infrastructure providers — Supabase and Google Cloud Platform — operate US-based data centers. If you are accessing the Service from outside the United States, including from the European Economic Area or United Kingdom, please be aware that your data will be transferred to and processed in the United States, which may not provide the same level of data protection as your home jurisdiction.

Where required by applicable law (such as GDPR), we rely on appropriate transfer mechanisms — including Standard Contractual Clauses, where applicable — to ensure that international transfers of your data are conducted in compliance with applicable data protection requirements.

Changes to This Policy

№ 14

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features. When we make material changes, we will notify you by email or by displaying a prominent notice within the Service. The updated Policy will indicate the revised "Last updated" date. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

Contact

№ 15

For any questions, requests, or concerns about this Privacy Policy or your personal data, please contact:

EDGR
Email: info@edgr.news
Website: https://edgr.news

Last reviewed: May 9, 2026