Privacy policy.
What data Intrinsic collects, how it is used, who it is shared with, and what you can ask us to do with it.
Data controller.
Intrinsic is operated by its founders as a pre-incorporation project based in the United Kingdom. For the purposes of UK GDPR and the Data Protection Act 2018, the founders act jointly as the data controller. We can be reached at getintrinsic@gmail.com. Once a UK company is incorporated, this section will be updated to name the entity.
Data collected.
We collect only what is needed to operate the service:
- Account information. Your email address and an authentication credential, handled by Firebase Authentication. We do not see or store your password.
- Usage records. Tickers you have generated reports for, the timestamps of those generations, and the assumption inputs you supplied. This powers your report history and daily rate limit.
- Generated outputs. Excel workbooks you have produced, stored so you can download them again from your account.
- Technical logs. IP address, browser type, and timestamps captured by our infrastructure providers (Google Cloud Run, Firebase Hosting) for security, debugging, and abuse prevention.
- Anonymous analytics. Page views, referrers, and broad geographic region (country level) via a privacy-respecting analytics provider. Not linked to your account.
We do not collect payment information during beta. We do not collect financial account data, brokerage details, or holdings.
Purpose of processing.
- Authentication and account management — to let you sign in and access your reports.
- Service delivery — to generate, store, and make available the valuation reports you request.
- Rate limiting and abuse prevention — to enforce the daily report cap and protect the service from misuse.
- Product improvement — to understand which features are used and where users encounter friction.
- Communication — to respond when you email us and, if you opt in, to send product updates.
We do not sell your data. We do not share it with advertisers. We do not use it to train external machine learning models.
UK GDPR Article 6 bases.
- Contract — for processing necessary to provide you with the service you have signed up to use.
- Legitimate interest — for security logging, abuse prevention, and product analytics, balanced against your reasonable expectations.
- Consent — for any optional communications or analytics beyond what is essential to operate the service. Consent can be withdrawn at any time.
Sub-processors.
We rely on a small number of processors to operate the service. Each is bound by data processing terms that meet UK GDPR requirements:
- Google Firebase (Authentication, Firestore, Storage, Hosting) — for authentication, user data storage, generated file storage, and frontend delivery.
- Google Cloud Run — for backend compute and report generation.
- Anthropic — only when you opt to use the AI-assisted assumption suggestion or narrative feature. Anthropic processes the request and does not retain content for training under their commercial terms.
- Yahoo Finance and SEC EDGAR — public financial data sources called by the backend. These do not receive personal data; they receive only ticker queries from our infrastructure.
Where data is stored.
Some of our processors — Firebase Authentication in particular — store data on servers located in the United States. Where personal data is transferred outside the United Kingdom, we rely on the UK extension to the EU-US Data Privacy Framework, Standard Contractual Clauses, or equivalent safeguards as approved by the UK Information Commissioner's Office.
Retention periods.
- Account data — kept while your account is active and for up to 30 days after you delete it, after which it is permanently removed.
- Generated reports — retained for the lifetime of your account so you can re-download them. You can delete individual reports from your dashboard.
- Technical logs — typically retained for 30 to 90 days for debugging and abuse prevention, then purged.
- Anonymous analytics — aggregated and retained indefinitely; cannot be traced back to an individual.
Rights under UK GDPR.
- Access the personal data we hold about you.
- Rectify data that is incorrect or incomplete.
- Erase your account and associated data.
- Restrict processing in certain circumstances.
- Port your data to another service in a machine-readable format.
- Object to processing based on legitimate interest.
- Withdraw consent for any processing we do on the basis of consent.
- Complainto the UK Information Commissioner's Office at ico.org.uk if you believe we have mishandled your data.
To exercise any of these rights, email getintrinsic@gmail.com. We respond within 30 days.
Security measures.
All data is transmitted over HTTPS. Firebase services we rely on hold ISO 27001, SOC 1, SOC 2, and SOC 3 certifications. Access to user data is restricted to the founders and is protected by multi-factor authentication. We do not store passwords directly — authentication is delegated to Firebase.
No system is invulnerable. If we detect a personal data breach affecting you, we will notify you and, where required, the ICO within 72 hours.
Updates to this policy.
If we make material changes — anything that meaningfully alters how we collect or use your data — we will update the date at the top of this page and notify active users by email before the change takes effect. Minor edits for clarity are made in place without notification.
Questions and requests.
For anything related to your data — access, deletion, a complaint, or a question — email getintrinsic@gmail.com. We read everything and respond within a few days.