Risk Terminal is a geopolitical intelligence platform. This policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK GDPR.
1. WHO WE ARE
—Risk Terminal is operated by Risk Terminal Ltd, registered in England and Wales. We act as the data controller for personal data processed through this Service.
—Data controller contact: privacy@riskterminal.io
—We process personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. WHAT DATA WE COLLECT
—Account data: email address, bcrypt-hashed password (we never store plain-text passwords), name (optional), subscription tier, account preferences, and created_at timestamp.
—Usage data: pages visited, features interacted with, session duration, and click telemetry for feature analytics. We do not log keystrokes or track mouse movement beyond click events.
—Technical data: IP address, browser user agent, and referrer URL — retained for 90 days for security, rate limiting, and abuse prevention.
—Digest / newsletter: email address, region subscription preferences, and a UUID unsubscribe token. This data is used solely to send digests and is never shared with third parties.
—Tour and theme preferences: stored in your browser's localStorage only. These values are never transmitted to our servers.
—What we do NOT collect: payment card data (handled directly by Stripe and never seen by us); biometric data; precise geolocation data.
3. HOW WE USE YOUR DATA
—Lawful basis — contract performance: providing you access to the Service, maintaining your account, and delivering the functionality you have subscribed to.
—Lawful basis — legitimate interests: security monitoring, rate limiting, anti-abuse measures, and aggregate analytics to improve the product.
—Lawful basis — consent: sending the weekly digest email. You may withdraw consent at any time via the unsubscribe link in any digest email.
—We do not use your personal data for advertising, profiling for commercial targeting, or any automated decision-making with legal or significant effects on you.
—We do not sell, rent, or trade your personal data to any third party.
4. AI AND CLAUDE
—Event summaries, risk briefings, and scenario analyses are generated using Anthropic Claude (claude.ai).
—We pass only public event text and geopolitical data to Claude — we never include your account data, email address, name, or any personally identifying information in AI inference requests.
—Anthropic's Data Processing Agreement and privacy policy apply to inference processing. You can read Anthropic's privacy policy at anthropic.com/privacy.
—All AI-generated content on the platform is clearly labelled as AI-generated.
5. THIRD-PARTY PROCESSORS
—Render (render.com) — backend hosting. Server logs are processed within Render's infrastructure. Certified under the EU-US Data Privacy Framework; UK transfers rely on the safeguards described in section 8.
—Vercel (vercel.com) — frontend hosting and CDN. Edge request logs. Certified under the EU-US Data Privacy Framework; UK transfers rely on the safeguards described in section 8.
—Neon (neon.tech) — PostgreSQL database, hosted on AWS us-east-1. SOC 2 Type II certified. We have a Data Processing Agreement with Neon.
—Anthropic (anthropic.com) — AI inference. Public data only; no personal data transmitted. GDPR and CCPA compliant. DPA in place.
—Resend (resend.com) — transactional and digest email delivery. GDPR compliant. DPA in place.
—We have Data Processing Agreements in place with all processors that handle personal data.
6. DATA RETENTION
—Account data: retained for the life of your account plus a 30-day grace period after deletion, to allow account recovery and fulfil legal obligations.
—Usage and access logs: 90 days, then automatically deleted.
—Event and briefing archive: indefinite — this constitutes a historical public-data record and contains no personal data.
—Email digest preference records: retained until unsubscribe plus 30 days, as evidence of when consent was withdrawn.
—Database backups: 30-day rolling retention. Deleted backups are irrecoverable.
7. YOUR RIGHTS (UK GDPR)
—Right of access (SAR): request a copy of all personal data we hold about you. We will respond within 30 calendar days.
—Right to rectification: request correction of inaccurate or incomplete personal data.
—Right to erasure ("right to be forgotten"): request deletion of your personal data. We will comply unless retention is required for legal obligations.
—Right to restriction of processing: request that we limit how we process your data in certain circumstances.
—Right to data portability: receive your personal data in a structured, machine-readable JSON format.
—Right to object: object to processing based on legitimate interests.
—To exercise any of these rights, email privacy@riskterminal.io. You have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.
8. INTERNATIONAL TRANSFERS
—Your data is stored in AWS us-east-1 (United States) via Neon.
—Transfers from the UK to the US are covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as agreed with our processors.
—We do not transfer personal data to countries that lack UK adequacy regulations unless the safeguards described above are in place.
9. COOKIES
—Session cookie (HttpOnly, Secure, SameSite=Strict): keeps you authenticated. It expires when your browser session ends or after 8 hours of inactivity.
—Consent cookie: stores your GDPR cookie consent choice for 12 months.
—No analytics cookies. No advertising cookies. No third-party tracking cookies.
—A cookie consent banner is shown on first visit. You may withdraw consent at any time via the banner or by clearing your browser cookies.
—Theme and tour preferences are stored in localStorage only — not in cookies, and never sent to our servers.
10. CHANGES TO THIS POLICY
—We may update this Privacy Policy at any time. The current version is always available at riskterminal.io/privacy.
—For material changes, we will notify registered users by email at least 14 days before the change takes effect.
—Continued use of the Service after the notice period constitutes acceptance of the updated policy.
11. CONTACT & DPO
—For all privacy enquiries, data requests, or to report a concern: privacy@riskterminal.io
—We aim to acknowledge all requests within 5 business days and provide a full response within 30 calendar days.
—We do not currently have a formal Data Protection Officer (DPO) but are evaluating this requirement as the service scales.