Draft — review before launch. This page is a good-faith, plain-English description of what the running code actually does. It is not legal advice and has not been reviewed by a lawyer. Do not treat it as final or binding until that review happens.
Legal & trust

Privacy policy.

Profin is a data API, not a data broker on you. This page describes the small amount of account data we collect to run the service, and is explicit about what we do not collect.

01

What we collect

When you sign up for an API key (POST /v1/signup), we store:

FieldWhat it isWhy we keep it
Email addressExactly what you submit at signup -- one email per key.Account identity (one key per email), and the only way we have to reach you about your account or a service issue.
API keyWe store a one-way hash of the key, never the plaintext. The plaintext key is shown to you exactly once, in the signup response.Authenticating your requests. We cannot recover a lost key from the hash -- see Retention.
Tier & limitsYour rate limit and daily quota (free/basic/pro).Enforcing the published tier limits (Terms of Service).
Daily request countsA per-day count of requests made with your key, tied to the key's internal ID.Quota enforcement and GET /v1/usage (so you can see your own trailing usage). We do not log the content of individual requests or responses against your identity.
Account created/active statusSignup timestamp and whether the key is active or disabled.Operating and, if needed, disabling abusive accounts.

The two public, keyless endpoints (/companies/{symbol}/statements/{statement} and /companies/{symbol}/periods) are rate-limited per IP address so they can't be used to scrape without a key. That check happens against an in-memory counter for the life of the request and is not written to a database or log file we retain. Standard web-server-level connection logs (the kind any host produces) may exist transiently at the infrastructure layer; we don't currently build any product feature or profile from them.

The marketing site and docs you're reading right now (/, /guide, /coverage, this page, etc.) run no third-party analytics, trackers, or advertising cookies as of this writing. If that changes before launch, this section will be updated first, not last.

02

What we don't collect

03

Why we collect it

Every field above exists to operate the service: identify your account, enforce the rate limit/quota that keeps the free tier sustainable for everyone, and let us contact you if something is wrong with your key or the service. None of it is used for advertising, and none of it is sold.

The financial data served by the API (SEC filings, statements, insider trades, 13F holdings) is a completely separate thing from this policy -- it's public-domain SEC data about public companies, not personal data about you. See the data source & methodology page for that.

04

Retention & security

Retention: account data is kept for as long as your key is active. There is no automatic data-deletion job today, and key revocation/self-service account deletion is not yet built (tracked as a launch-readiness item) -- if you want your account data removed before that ships, contact us (below) and we'll do it manually.

Security: API keys are stored as one-way hashes, never in plaintext, so a database compromise would not expose usable keys directly. That said, we make no uptime or security SLA at launch -- this is a small, early-stage service, not an enterprise vendor with a compliance program. Treat it accordingly for anything sensitive.

05

Your choices

You can stop using the service at any time by simply not calling it -- there's no subscription to cancel at launch (no self-serve billing exists yet). To have your email and key data removed, or to ask what we hold about your account, use the contact method below; this is a manual process today, not a self-serve button.

06

Changes to this policy & contact

We'll update the date at the top of this page whenever this policy changes, and won't silently narrow your rights in a revision. This document should be reviewed by a qualified professional before it is treated as final, and should be re-read once self-serve payment or email verification ship, since both would add new data categories.

Questions about this policy or your data: [support contact -- placeholder, set a real address before launch], or open an issue on our GitHub repository [repo link -- placeholder].