Privacy Policy
Effective: May 2026 · Version 1.0
The US Aktien Screener is provided solely for informational and analytical purposes. No license under the Austrian WAG 2018.
1. Controller (Art. 4 No. 7 GDPR)
Robert Thalhammer · Sole proprietor
Grabengasse 13/3/2 · 2630 Ternitz · Lower Austria, Austria
Email: info@us-aktien-screener.com
Website: https://us-aktien-screener.com
No legal obligation to appoint a Data Protection Officer.
2. What data is processed?
2.1 Login data (6-digit code)
- Email address (required)
- Internal user ID (UUID)
- Login code / OTP token (max. 60 minutes lifetime)
- Access/refresh JWT tokens (in Streamlit session)
2.2 Usage data (table screening_usage)
user_id, used_at, tier_at_use, stocks_scanned, hits_count. Purpose: free-tier limit check, abuse prevention.
2.3 Subscription & payment data (table user_profiles)
tier, payment_subscription_id, payment_transaction_id, timestamps. Credit card data is never stored – all payment via Lemon Squeezy or Paddle.
2.4 Server log files
IP address, timestamp, page, referrer, browser. Auto-deleted after max. 7 days.
3. Legal bases
| Purpose | Legal basis |
|---|---|
| 6-digit code login | Art. 6 (1) (b) GDPR (contract performance) |
| Subscription + tier | Art. 6 (1) (b) GDPR |
| Payment processing | Art. 6 (1) (b) GDPR |
| Free-tier limit check | Art. 6 (1) (b) GDPR |
| Server log files | Art. 6 (1) (f) GDPR (legitimate interest, IT security) |
| Invoice retention | Art. 6 (1) (c) GDPR (BAO § 132) |
4. Recipients and processors
Supabase – database + auth, server region Frankfurt (eu-central-1), DPA in place. supabase.com/privacy
Lemon Squeezy / Paddle – payment Merchant of Record. lemonsqueezy.com/privacy · paddle.com/legal/privacy
Streamlit Community Cloud (Snowflake Inc. / Streamlit) – web-app hosting, servers in the USA. Only technical connection data (e.g. IP address on page load) is processed in the USA; personal usage data (email, watchlist) stays with Supabase in Frankfurt, EU. US transfer based on the EU-US Data Privacy Framework (DPF) / Standard Contractual Clauses (SCCs), Art. 46 GDPR. streamlit.io/privacy-policy
IONOS – landing page + email, Germany. ionos.de/terms-privacy
Alpha Vantage, Wikipedia – external stock-data sources. The stock metrics (price, P/E, EPS, analyst ratings, price targets) come from Alpha Vantage Inc. (USA), the S&P 500 company list from Wikipedia. These sources are queried exclusively by an automated background process of the provider, not when the user loads the page. Only stock ticker symbols (e.g. "AAPL", "MSFT") are transmitted – no personal user data. Since no personal data is transmitted to these providers, no transfer of personal data to a third country takes place in this respect. When the app itself is used, the stock data is only read from the database (Supabase, Frankfurt).
GitHub Actions (GitHub Inc. / Microsoft Corporation, USA) – the automated background process described above runs on GitHub Actions. It fetches the stock data from Alpha Vantage several times a day and stores it in the database (Supabase, Frankfurt). Only stock tickers and public market data are processed – no personal user data. github.com/privacy
5. Retention periods
| Category | Retention |
|---|---|
| Email, user ID | as long as account exists |
| Active subscription | as long as active |
| Closed subscriptions / invoices | 7 years (BAO § 132) |
| Usage logs | 12 months rolling |
| Login code (OTP) | max. 60 minutes |
| Server logs | max. 7 days |
6. Third-country transfer
Personal usage data (Supabase) and IONOS are processed in the EU (Frankfurt). App hosting via Streamlit Community Cloud (technical connection data, e.g. IP address) and, where applicable, Lemon Squeezy (payment) process data in the USA – based on the EU-US Data Privacy Framework (DPF) / Standard Contractual Clauses (SCCs), Art. 46 GDPR. Streamlit (Snowflake) and Lemon Squeezy are DPF-certified.
7. Your rights as a data subject
- Access (Art. 15), rectification (Art. 16), erasure (Art. 17)
- Restriction (Art. 18), portability (Art. 20), objection (Art. 21)
- Withdraw consent at any time
To exercise: simple email to info@us-aktien-screener.com. Response within 30 days.
8. Right to lodge a complaint
Austrian Data Protection Authority
Barichgasse 40–42, 1030 Vienna, Austria · www.dsb.gv.at
9. No automated decision-making (Art. 22 GDPR)
No automated decision-making or profiling within the meaning of Art. 22 GDPR. The filters are pure data displays based on user-chosen metrics.
10. Cookies and tracking
No tracking or advertising cookies. Only technically necessary Streamlit session cookies (no consent required under § 165 (3) TKG 2021). No Google Analytics, Meta Pixel etc.
11. Data security
- HTTPS / TLS for all connections
- Row Level Security in Supabase – users only see their own data
- Passwordless authentication (6-digit login code)
- EU data storage (Frankfurt) for email + watchlist; app hosting in the USA via DPF/SCC
12. Changes to this Privacy Policy
Material changes are communicated by email. Current version always available via the "Privacy" footer link.