Skip to content

Privacy Policy

Last updated: 29 April 2026

The data controller for Sector Rotation Monitor is Neremar Advisory Ltd (company number 08828600, registered in England and Wales). For data-related enquiries, contact support@sectorrotationmonitor.com.

1. Data We Collect

  • Account data: email address (required for authentication)
  • Login metadata: timestamps, IP addresses, browser/device info
  • Usage data: pages visited, features used, session duration
  • Acquisition data (signup only): if you arrive via a marketing link, the UTM parameters in that link (source, medium, campaign), the referring site (e.g. twitter.com), the first page you landed on, and the optional free-text answer to “How did you hear about us?” are recorded against your account when you create it. We use this only to understand which channels bring us subscribers. UTM parameters are held in browser session storage between arrival and signup; nothing is stored if you do not create an account.
  • Signup-time technical signals: at the moment you submit the signup form we also record your device type (mobile/tablet/desktop), preferred browser language, an approximate country derived from your IP address, and how long you spent on the form. These help us understand who our audience is and improve onboarding. Your IP address is used only for the country lookup and is not stored.
  • Payment data: processed exclusively by Stripe — we store only your Stripe Customer ID, subscription ID, and payment status

2. How We Use Your Data

  • Authentication: to verify your identity and manage your session
  • Security: to detect and prevent unauthorised access, abuse, and fraud
  • Service improvement: to understand usage patterns and improve features
  • Communication: to send account-related emails (e.g., subscription status, security alerts)

Lawful basis (GDPR Article 6): We process your data on the basis of (a) contractual necessity (account creation, service delivery, payment processing), (b) legitimate interest (security, fraud prevention, service improvement), and (c) your consent where separately obtained (e.g., newsletter subscription).

3. Data Storage

Your data is stored on Google Cloud Platform (Firestore) in the europe-west1 region. Firebase Authentication manages login credentials. All data is encrypted at rest and in transit.

4. Data Retention

  • Account data: retained while your account is active, plus 30 days after deletion
  • Login logs: retained for 12 months
  • Aggregate analytics: retained indefinitely (non-personal)

5. Third-Party Services

We use the following third-party services that may process your data:

  • Firebase Authentication — login and session management
  • Google Cloud Run — application hosting
  • Google Firestore — data storage
  • Stripe — payment processing (PCI DSS Level 1 compliant)
  • Sentry — error monitoring and performance tracking
  • Ghost CMS — blog newsletter subscription management
  • OpenAI — generates blog post and market commentary content from anonymous quantitative market data. No personal user data is sent.
  • X (Twitter) and LinkedIn APIs — used to publish auto-generated market commentary to our own corporate accounts. No personal user data is shared.
  • Third-party market data providers — market data sources (no personal data shared)

Some of these services may process data outside the UK/EEA (e.g., in the United States). Where international transfers occur, they are protected by appropriate safeguards such as Standard Contractual Clauses or the service provider's participation in recognised data protection frameworks.

6. Payment Data

All card data is processed exclusively by Stripe, which is PCI DSS Level 1 compliant. We never see, store, or process your card number, CVV, or expiration date. We store only your Stripe Customer ID, Subscription ID, and payment status.

7. Your Rights (GDPR)

If you are in the UK or EU, you have the right to:

  • Access: request a copy of your personal data
  • Rectification: correct inaccurate personal data
  • Erasure: request deletion of your personal data
  • Portability: receive your data in a machine-readable format
  • Object: object to processing of your personal data

To exercise any of these rights, contact us at support@sectorrotationmonitor.com.

8. Cookies

We use only essential cookies for authentication session management. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that require consent.

9. Age Restriction

Sector Rotation Monitor is not intended for users under the age of 18. At signup we ask every user to tick a mandatory checkbox confirming they are 18 or over, and we record the confirmation (timestamp and policy version) against their account. We do not knowingly collect data from minors; if we become aware that an account belongs to a person under 18, we will close it and delete the associated data.

10. Data Breach Notification

If we become aware of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours where required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay (Article 34) at the email address held on your account. If you suspect that your account or data has been compromised, please contact us immediately at support@sectorrotationmonitor.com.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email. Continued use of the Service after changes constitutes acceptance.