Privacy Policy
Oxford Ledge LLC, a New York limited liability company ("Oxford Ledge", "we", "us", "the Service"), is committed to protecting your privacy. This policy explains what data we collect, how we use it, and your rights.
Changes in the April 16, 2026 update: (a) age-verification logs no longer store your raw date of birth — only the derived age integer is retained for audit; (b) error-monitoring events sent to our observability provider are automatically scrubbed of personally identifiable fields before transmission; (c) real-time quote access is gated to paid subscribers only (free-trial users see the same 15-minute-delayed data as the free tier).
1. What We Collect
| Data Type | Details | Purpose |
|---|---|---|
| Account info | Email address, display name, hashed password | Authentication, account management |
| Usage data | API endpoints accessed, timestamps, response times | Usage metering, billing, service improvement |
| Session data | Session token, IP address (application-level session records are anonymized or purged within 90 days; hosting-provider platform logs follow the provider's default retention, typically 7–30 days) | Authentication, abuse prevention |
| User preferences | Watchlists, ticker selections, UI settings | Personalization |
We do not collect: financial account credentials, brokerage logins, Social Security numbers, payment card numbers (handled entirely by Stripe), or any sensitive financial identifiers.
2. How We Use Your Data
- Account management — creating and maintaining your account.
- Usage metering & billing — tracking API calls for metered pricing.
- Service improvement — understanding which features are used to prioritize development.
- Abuse prevention — detecting scraping, bot activity, and unauthorized access.
- Communication — service announcements, billing notifications, and security alerts.
3. What We Don't Do
- We do not sell your data to third parties. Ever.
- We do not serve advertising or share data with ad networks.
- We do not track you across other websites.
- We do not use your data to build marketing profiles.
- We do not share your watchlists, portfolio data, or research activity with anyone.
3a. One opt-in exception: reader-submitted reading-list notes
If you choose to publish a note on a reading-list entry via the
Make this public toggle at
/reading-list/<slug>/, the note body + your
username become readable at
/reading-list/<slug>/notes/<your-username> to
anyone with the link, including search engines and AI crawlers. This
is the one place on the platform where reader content is publicly
attributed under a chosen handle.
Specifically, when the toggle is on:
- The note body + your username are returned by any
GETrequest to that URL; no auth required. - Standard search-engine indexing applies — we set
<meta name="robots" content="index, follow">on the public note page, and AI crawlers (e.g., GPTBot, ClaudeBot, PerplexityBot) are permitted via the same permissive-crawl policy that covers the rest of the public site. - You can flip the toggle back to Private at any time; the public URL begins returning 404 immediately.
- If you delete your account, all of your reading-list notes — public and private — are purged synchronously as part of the deletion request, not deferred to the standard 30-day purge window. This is the COUNSEL-ratified faster SLA on publicly-indexable surfaces (see Section 8 on data retention).
- Oxford Ledge does not endorse or verify reader notes. Every public note carries a non-dismissable "reader-submitted note; not editorial" banner.
By default, every note is Private — you have to affirmatively flip the toggle and confirm an 18+ attestation before the URL becomes public. There is no silent or background path that publishes notes without your consent.
Our role as a host of reader-submitted content, and the process for reporting it, is described in our Terms of Service §10a.
4. Cookies
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
| ol_session | Essential | Authentication session | Session / 30 days |
We use one cookie for authentication only. We do not use third-party tracking cookies or advertising cookies. Our server-side usage analytics are first-party aggregates from your API-call logs. We also load Cloudflare Web Analytics for privacy-first page-view measurement (see Web Analytics below) — it does not set cookies and does not identify you.
5. Third-Party Services
- Stripe — payment processing. Stripe handles all payment card data directly. We never see or store your card number. See Stripe's Privacy Policy.
- Render — infrastructure hosting. See Render's Privacy Policy.
- Resend — transactional email delivery (signup confirmations, trial reminders, dunning notices). Email address only. See Resend Privacy.
- Cloudflare Web Analytics — privacy-first page-view measurement. See "Web Analytics" subsection below for the full disclosure. Cloudflare Privacy Policy.
- AI inference providers — Anthropic, OpenAI, Google Gemini. When you use Ask AI features, your question text and the ticker context are transmitted to one of these providers (selected by you for BYOK, or by us for platform-credit calls) for completion. The provider's own retention and training-use policy applies to that transmission. See Anthropic Privacy, OpenAI Privacy, Google Privacy.
- Federated authentication providers — Google, GitHub. If you choose to sign in via Google or GitHub, you authenticate directly with that provider; we receive an opaque OAuth subject ID, your email address, and your display name. These fields are stored in our user record so you can sign back in. We do not receive your password and never store one for federated accounts. Email/password sign-in remains available as an alternative if you prefer not to use a federated provider. See Google Privacy, GitHub Privacy.
We do not use Google Analytics, Facebook Pixel, or any cross-site tracking, advertising, or remarketing services.
Web Analytics
We use Cloudflare Web Analytics to understand how visitors find and use Oxford Ledge. Cloudflare Web Analytics is cookie-less and does not track individual visitors across sites. The aggregated data we see includes page views, referring sites, country (not city), and device class (desktop / mobile / tablet). No personally-identifiable information is collected, no cookies are set, no fingerprinting is performed, and no session recordings are made. Because nothing about you is identified or stored — only anonymous aggregated counts — there is no individual opt-out (there is nothing about you to opt out of). See Cloudflare's Privacy Policy for the underlying technical commitments.
6. Data Source Attribution
Oxford Ledge aggregates financial data from the following third-party providers. Each provider has its own privacy policy governing how they collect and process data:
| Provider | Data Types | Privacy Policy |
|---|---|---|
| Financial Modeling Prep (FMP) | Company profiles, earnings transcripts, analyst estimates, ETF data | FMP Privacy |
| Finnhub | Stock quotes, news, insider transactions, sentiment, recommendations | Finnhub Terms |
| SEC EDGAR | Public company filings (10-K, 10-Q, 8-K, 13F, DEF 14A, etc.) | SEC Privacy |
| Federal Reserve (FRED) | Treasury yields, CPI, Fed Funds Rate, unemployment, GDP | FRED Legal |
| FINRA | Corporate bond TRACE data, short interest | FINRA Privacy |
Oxford Ledge does not share your personal data (email, watchlists, portfolios) with any of these data providers. Data flows are one-directional: we fetch public market data from providers; we never transmit user information to them.
7. Data Storage & Security
- Data is stored in PostgreSQL on Render (US-based servers).
- All data is encrypted in transit via HTTPS/TLS.
- Passwords are hashed using industry-standard algorithms (bcrypt/scrypt). We never store plaintext passwords.
- API keys and session tokens are generated using cryptographically secure random generators.
8. Data Retention
| Data Type | Retention Period |
|---|---|
| API usage logs | 90 days, then automatically deleted |
| Session data | 30 days from last activity |
| Account data | Until you request deletion |
| Billing records | As required by law (typically 7 years) |
| Browser-side AI conversation history (BYOK in browser) | Stored locally in browser only (IndexedDB); never on our servers |
| Server-side AI questions (Ask AI server path) | Question text + ticker forwarded to the selected AI provider for completion. We log refusal events (anonymized) for safety review for 90 days. When a multi-turn conversation is in progress (the request includes a conversation_id), the question text + assistant response are persisted in our database on a 180-day rolling retention — a daily cron deletes messages older than 180 days so you can resume recent threads while the historical surface stays bounded. Messages within the 180-day window are included in your DSAR data export. Account deletion (GDPR Art. 17) wipes the entire history immediately via ON DELETE CASCADE. Updated 2026-05-12: tightened from "until account deletion forever" to "180-day rolling" per OWNER Q7 ratification. |
9. Your Rights
You have the right to:
- Access — request a copy of all data we hold about you.
- Delete — request complete deletion of your account and associated data.
- Export — download your watchlists, portfolios, and account data.
- Opt out — disable usage analytics from your account settings.
- Correct — update your account information at any time.
To exercise any of these rights, email oxfordledge@gmail.com or use the account settings on Oxford Ledge.
10. Minimum Age & Children's Privacy
You must be at least 18 years old to use Oxford Ledge. Users between 13 and 18 may only use the Service with verifiable parental or legal guardian consent. We do not knowingly collect personal data from individuals under 13. If you believe a minor under 13 has created an account, please contact us immediately at oxfordledge@gmail.com for account removal and data deletion within 48 hours.
In compliance with the Children's Online Privacy Protection Act (COPPA) and equivalent international regulations, Oxford Ledge does not target, market to, or design features for children under 13.
11. International Users
The Service is operated from the United States. If you access the Service from outside the US, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated with at least 30 days notice via email or a prominent notice on the Service.
13. Data Processing Basis
We process your data under the following legal bases as defined by the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis | Reference |
|---|---|---|
| Authentication & account management | Contract performance | GDPR Art. 6(1)(b) |
| Usage metering & billing | Contract performance | GDPR Art. 6(1)(b) |
| Anonymous analytics (first-party server aggregates only — no third-party analytics processors) | Legitimate interest | GDPR Art. 6(1)(f) |
| Essential cookies (session) | Legitimate interest | GDPR Art. 6(1)(f) |
| Abuse prevention & security | Legitimate interest | GDPR Art. 6(1)(f) |
| Non-essential cookies | Consent | GDPR Art. 6(1)(a) |
| Legal compliance (billing records) | Legal obligation | GDPR Art. 6(1)(c) |
14. Data Retention Periods
| Data Category | Retention Period | After Expiry |
|---|---|---|
| Analytics data | 30 days | Automatically purged |
| API usage logs | 90 days | Automatically deleted |
| Session data | 30 days from last activity | Automatically expired |
| News archive | 1 year | Archived or deleted |
| Price history cache | 2 years | Automatically purged |
| Account data | Until deletion requested | Deleted within 30 days of request |
| Billing records | 7 years (legal requirement) | Deleted after legal hold expires |
| Browser-side AI conversation history (BYOK in browser) | Stored locally in browser (IndexedDB) | Never transmitted to or stored on our servers; deleted when you clear browser data |
| Server-side AI questions (Ask AI server path, /api/ai/ask) | Question text is forwarded to the selected AI provider (Anthropic / OpenAI / Google) for completion. When a multi-turn conversation is in progress (request includes a conversation_id), the question text + assistant response are persisted in our database on a 180-day rolling retention so you can resume recent threads. A daily cron deletes messages older than 180 days. Messages within the window are included in your DSAR data export and purged immediately when you delete your account via ON DELETE CASCADE. Anonymized refusal-event metadata (matched safety patterns + question length, no question text) is logged for 90 days for safety review. Updated 2026-05-12: tightened from "until account deletion forever" to "180-day rolling delete" per OWNER Q7 ratification (caps incident-impact surface). | Daily cron at start of each day; deleted messages are unrecoverable. Subject to selected AI provider's retention for forwarded prompts (typically 0–30 days for API calls per provider DPAs). Refusal logs deleted after 90 days. |
15. Your Rights Under GDPR
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation:
Right to Access (Art. 15) — You have the right to request a copy of all personal data we hold about you. We will provide this in a structured, commonly used, machine-readable format within 30 days of your verified request.
Right to Rectification (Art. 16) — You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
Right to Erasure (Art. 17) — You have the right to request deletion of your personal data. Upon receiving a verified request, we will delete all personal data within 30 days, except where retention is required by law (e.g., billing records). This includes your account data, usage logs, watchlists, portfolio data, and any other personally identifiable information.
Right to Restrict Processing (Art. 18) — You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest its accuracy.
Right to Data Portability (Art. 20) — You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV). This includes your watchlists, portfolio configurations, account preferences, and usage history. You may also request that we transmit this data directly to another controller where technically feasible.
Right to Object (Art. 21) — You have the right to object to processing based on legitimate interest, including anonymous analytics. If you object, we will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3)) — Where processing is based on consent (e.g., non-essential cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing performed before withdrawal.
Data Retention for GDPR Purposes. Account data is retained for the duration of your account plus 30 days after account deletion or closure. Application-level API usage logs are retained for up to 90 days, then automatically purged. Request URLs in our route handlers do not encode email, password, or other identifying query parameters, so access logs retained by our hosting provider (Render, typically 7–30 days depending on plan) do not contain direct PII beyond IP addresses. Billing records are retained for 7 years to comply with tax obligations. Browser-side AI conversation history (when using BYOK in your browser) is stored locally in IndexedDB and is never transmitted to or stored on our servers. Server-side Ask AI queries (POST /api/ai/ask) are forwarded to the selected AI provider (Anthropic, OpenAI, or Google) for completion under that provider's retention terms; we do not persist question text in our database, but we log anonymized refusal-event metadata (matched safety patterns and question length, never the question text itself) for 90 days for advisory-refusal safety review.
To exercise any GDPR right, email oxfordledge@gmail.com with the subject line "GDPR Request". We will verify your identity and respond within 30 days. If we need additional time (up to 60 additional days for complex requests), we will notify you within the initial 30-day period.
Privacy Contact. For data protection inquiries, contact us at oxfordledge@gmail.com. (Oxford Ledge LLC is a small operator and is not currently required to designate a formal Article 37 Data Protection Officer; this contact serves as our privacy point of contact.)
EU/UK Representative. Oxford Ledge LLC is established in the United States. Where processing activities fall within the scope of GDPR Art. 3(2) and require an EU/UK representative under Art. 27, such representative will be designated and their contact information published here. EU/UK data subjects may in the meantime contact us directly at oxfordledge@gmail.com.
Right to Lodge a Complaint. You have the right to lodge a complaint with your local supervisory authority (e.g., your national Data Protection Authority in the EU, or the ICO in the United Kingdom) if you believe our processing of your personal data violates applicable data protection law. A list of EU supervisory authorities is available at edpb.europa.eu.
International Data Transfers. Personal data is processed and stored in the United States. Where personal data of EU/UK residents is transferred to the United States, we rely on Standard Contractual Clauses (SCCs) adopted by the European Commission as the transfer mechanism under GDPR Art. 46. A copy of applicable SCCs is available upon request.
16. Your Rights Under CCPA
If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with the following rights:
Right to Know — You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which the information was collected, the business purpose for collecting the information, and the categories of third parties with whom we share the information.
Right to Delete — You have the right to request deletion of your personal information. We will delete your data and direct any service providers to delete your data as well, subject to certain legal exceptions.
Right to Opt-Out of Sale — Oxford Ledge does not sell your personal information. We have never sold personal information and have no plans to do so. Therefore, no opt-out mechanism for data sales is necessary.
Right to Non-Discrimination — We will not discriminate against you for exercising any of your CCPA rights. You will not receive a different level of service or pricing for making a rights request.
Right to Correct — You have the right to request correction of inaccurate personal information.
Right to Limit Use of Sensitive Personal Information — We do not collect sensitive personal information as defined by the CCPA (Social Security numbers, financial account credentials, precise geolocation, etc.).
Categories of Personal Information Collected. Under the CCPA, we collect the following categories of personal information:
| CCPA Category | Examples | Collected |
|---|---|---|
| Identifiers | Email address, display name, IP address | Yes |
| Internet or network activity | API endpoints accessed, pages visited, timestamps | Yes |
| Commercial information | Subscription tier, billing history, credit pack purchases | Yes |
| Financial preferences | Watchlists, portfolio selections, screener configurations | Yes |
| Geolocation data | Approximate location (country/region from IP) | Yes (coarse only) |
| Sensitive personal information | SSN, financial account credentials, precise geolocation | No |
To exercise any CCPA right, email oxfordledge@gmail.com with the subject line "CCPA Request". We will verify your identity using the email address associated with your account and respond within 45 days. You may also designate an authorized agent to make requests on your behalf.
CCPA Metrics (Annual Disclosure): Oxford Ledge will publish annual metrics regarding the number of requests received, complied with, and denied, as required by the CCPA.
17. Your Rights Under Virginia (VCDPA) and Colorado (CPA) Law
If you are a resident of Virginia or Colorado, you have rights similar to the CCPA under the Virginia Consumer Data Protection Act (VCDPA, effective January 1, 2023) and the Colorado Privacy Act (CPA, effective July 1, 2023). These include:
- Right to Access — confirm whether we process your personal data and obtain a copy.
- Right to Correct — fix inaccuracies in personal data we hold.
- Right to Delete — request deletion of personal data we collected from you.
- Right to Portability — receive your data in a portable, machine-readable format.
- Right to Opt Out — opt out of (a) targeted advertising, (b) sale of personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects. Oxford Ledge does not engage in any of (a), (b), or (c) — our opt-out is therefore effectively a no-op, but the right is preserved.
- Right to Appeal (VCDPA + CPA) — if we deny a rights request, you may appeal our decision; we will respond to appeals within 60 days (VCDPA) or 45 days (CPA). If the appeal is denied, you may contact the Virginia AG or Colorado AG.
To exercise any VCDPA or CPA right, email oxfordledge@gmail.com with the subject line "VCDPA Request" or "CPA Request". We will verify your identity using the email associated with your account and respond within 45 days.
18. Contact
For privacy-related questions or data requests:
- Email: oxfordledge@gmail.com
- General support: oxfordledge@gmail.com
- GDPR requests: oxfordledge@gmail.com (subject: "GDPR Request")
- CCPA requests: oxfordledge@gmail.com (subject: "CCPA Request")
We aim to respond to all data rights requests within 30 days (GDPR) or 45 days (CCPA) of receiving a verified request.