Privacy notice
Last updated: 2026-05-24. The operator (data controller) is Read the Markets, United Kingdom. Registered with the UK Information Commissioner’s Office under reference ZC098928. Questions: hello@read.markets.
This page describes exactly what we collect, what we don’t, where it lives, and how long we keep it. It is written from the code, not from a template — every claim corresponds to an explicit code path we’re happy to point a reviewer at.
What we collect
- Your email address, when you sign in. We use it only to send one-time login codes.
- An argon2 hash of each login code, plus expiry and attempt counts. The plaintext code is sent to your inbox and never written to disk on our side.
- A signed session cookie after you verify a code. It contains your user id only and is signed so we can detect tampering. The cookie is marked Secure and HttpOnly.
- Anonymised cost ledger of AI calls (model, tokens, cost). No portfolio or personal data is attached to ledger rows.
- Referral linkage: if you signed up via an invite link, we record which existing user’s code you used so we can apply the agreed referral credit later.
- Job-run telemetry: success/failure timestamps for the scheduled jobs that fetch market data and generate AI reads. No user identifiers are attached.
What we don’t collect
- Your portfolio holdings, in any form, on the server. The portfolio feature is a browser-only composition viewer: uploaded CSVs are parsed and returned to your browser, kept in localStorage, and never sent back to or stored on the server. The server records no per-ticker aggregate of what anyone holds.
- Third-party analytics or ad cookies. No Google Analytics, no Hotjar, no Segment, no Facebook pixel, no LinkedIn tag. (You can verify by viewing-source on any page.)
- Browser fingerprints.
- IP-address joins to your user identity. IP addresses are processed transiently by the reverse proxy for security and access logging, retained for up to 30 days, and not linked to your account record.
Lawful basis (UK-GDPR Art. 6)
We rely on the following lawful bases:
- Performance of a contract (Art. 6(1)(b)) — for operating your account, the sign-in flow, and any paid features.
- Legitimate interests (Art. 6(1)(f)) — for the anonymised cost ledger, job-run telemetry, and reverse-proxy access logs. Our interest is the secure, abuse-resistant, cost-controlled operation of a free public service, balanced against the minimal and de-identified nature of the data.
Automated decisions and profiling
The Service does not make decisions about you that produce legal or similarly significant effects in an automated way (UK-GDPR Art. 22). The strategic log and indicator summaries are general editorial commentary on public market data, not personalised assessments of you, and you remain the sole decision-maker about anything in your account.
Cookies and local storage
- Session cookie — strictly necessary for keeping you signed in (PECR reg. 6(4)). No prior consent required.
- Local preferences — your chosen theme (light / dark) and reading level (Novice / Intermediate) are stored in localStorage on your device. They never leave the browser.
- Local portfolio — parsed pies live in localStorage on your device. They are not sent to or stored on the server.
Where the data lives, and international transfers
The server runs in the United Kingdom. Data is stored in a MariaDB database on the same host, backed up locally.
Two flows can take personal data outside the UK:
- SMTP for sending one-time login codes. Operator-hosted, currently inside the UK; if that changes we will update this notice.
- AI provider calls for the strategic log and indicator summaries. Where the provider sits outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) / the UK Addendum to the EU Standard Contractual Clauses where no adequacy decision applies. Each outbound request carries an explicit no-training opt-out header (X-OR-Allow-Training: false on OpenRouter); see the Third parties section below for the caveats. None of these outbound requests contain user holdings or other portfolio data.
Retention
- Login codes: expire after a few minutes; row remains briefly to enforce single-use, then is purged.
- Session cookies: expire automatically; you can sign out at any time to revoke.
- Account: held until you ask us to delete it. Email hello@read.markets.
- Cost ledger and job telemetry: retained for operational accounting; no personal data attached.
Third parties
- SMTP provider: an operator-hosted Mailu server sends the one-time login codes. The provider sees your email address and the code body (the code itself).
- AI provider(s): DeepSeek (primary) with OpenRouter as a fallback. They see the prompt for the strategic log and the indicator summaries. These prompts contain public market data and headlines — never any user holdings or portfolio data. No-training opt-out. Every OpenRouter request carries the X-OR-Allow-Training: false header, which signals to OpenRouter and any compatible upstream that the prompt must not be used to train or improve models. DeepSeek does not currently expose a per-request opt-out. We do not control retention or training policies on the provider side beyond the headers we set — the provider’s own published data policy is the binding statement on that point.
- Market-data sources: Yahoo Finance and a small set of public RSS feeds. We request prices and headlines; we don’t send them any user identifier.
Your rights (UK-GDPR)
You have the right to:
- Ask what personal data we hold about you (Art. 15, right of access).
- Have inaccurate data corrected (Art. 16, rectification).
- Have your account and associated data deleted (Art. 17, erasure).
- Export the data you can recognise (Art. 20, portability): your email and your referral linkage.
- Restrict processing (Art. 18).
- Object specifically to processing carried out on the basis of legitimate interests (Art. 21), including any direct marketing.
- Withdraw consent at any time where processing is based on consent (Art. 7(3)), e.g. by disabling cloud sync.
- Lodge a complaint with the Information Commissioner’s Office if you think we’re mishandling your data.
Email hello@read.markets to exercise any of these.
Children
The Service is not directed at, and is not intended for use by, anyone under 18. Do not create an account if you are under 18. If you believe a child has provided personal data to us, contact hello@read.markets and we will delete it.
Security incidents
If we discover a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it, as required by UK-GDPR Art. 33, and notify affected users without undue delay where Art. 34 requires.
Changes to this notice
Material changes will be flagged in-app and dated above. Trivial edits (grammar, restructuring) won’t.