Scope and Data Controller

This General Data Protection Regulation (GDPR) notice describes how IndexSpan (indspn.org) processes personal data in connection with its services related to cryptocurrencies, blockchain developments, and global equities, including real-time prices, index trackers, analytics, research, education, alerts, and curated news. This notice applies to individuals in the European Union (EU), the European Economic Area (EEA), the United Kingdom (UK), and, as applicable, to users in the United States of America (USA) under relevant federal and state privacy laws.

The Data Controller for personal data described in this notice is: IndexSpan, owned by Ffion Evans, 1375 E South Boulder Rd, Louisville, CO 80027, United States of America. Contact: [email protected].

Lawful Bases for Processing

We process personal data under the lawful bases set out in Articles 6 and 9 GDPR (as applicable):

  • Consent: where you provide consent, for example to non-essential cookies, marketing communications, or optional analytics.
  • Contract: to provide, maintain, and support features you request, including account creation, alerts, watchlists, and portfolio-related tools.
  • Legitimate Interests: to secure our services, prevent fraud and abuse, improve site functionality and user experience, and perform aggregated analytics. We conduct balancing tests when relying on this basis.
  • Legal Obligation: to comply with accounting, tax, regulatory, and law enforcement requirements.
  • Vital Interests or Public Interest: only where strictly necessary and permitted by law.

Categories of Personal Data Processed

  • Identification and Contact Data: name, email address, username, password, settings, and user preferences.
  • Account and Service Data: alert configurations, watchlists, saved instruments, comparative analytics settings, and communication choices.
  • Device and Technical Data: IP address, device identifiers, operating system, browser type, language, time zone, approximate location derived from IP, and server logs.
  • Usage and Interaction Data: page views, feature usage (e.g., charts, index trackers), clickstream, session timing, and referring/exit pages.
  • Cookie, Pixel, and Similar IDs: identifiers associated with cookies or SDKs for functional, analytics, and (if enabled) advertising purposes.
  • Inquiry and Support Data: messages, support requests, and related metadata.
  • Marketing Preferences: subscription status, opt-in/opt-out choices, and engagement metrics.

We do not intentionally collect sensitive categories of data under Article 9 GDPR. We do not collect payment card details on our own systems unless explicitly stated at the time of collection; if payments are enabled, they are processed by vetted third-party processors.

Sources of Personal Data

  • Directly from you: when you create an account, subscribe to alerts, contact support, or configure portfolio analytics.
  • Automatically: through cookies, SDKs, logs, and similar technologies when you use our site.
  • From service providers: analytics providers, cloud hosting, security, and anti-fraud services that generate or host technical data on our behalf.

Purposes of Processing

  • Service Delivery: operate the website and core features (e.g., real-time prices, charts, alerts, watchlists, comparative analytics).
  • Account Management: authenticate users, maintain preferences, and provide support.
  • Improvement and Analytics: measure performance, fix issues, and optimize functionality and content relevance.
  • Security and Fraud Prevention: monitor, detect, and prevent suspicious or harmful activities.
  • Communications: send administrative notices, service updates, and, with consent where required, marketing communications.
  • Legal and Compliance: meet regulatory, tax, accounting, and law enforcement obligations.

Cookies, Tracking Technologies, and Analytics

We use cookies and similar technologies to provide essential functionality, remember preferences, analyze traffic, and improve our services. Where required, we obtain your consent for non-essential cookies. You can manage cookie preferences via your browser settings and any consent tools we provide. Disabling certain cookies may impact functionality.

Data Minimization, Storage, and Retention

We collect only data necessary for the stated purposes and retain it no longer than needed. We apply these general retention criteria:

  • Account and Service Data: retained for the life of your account and then securely deleted or anonymized within a reasonable period, unless we must retain it for legal obligations or dispute resolution.
  • Logs and Technical Data: retained for security and performance purposes for a limited period, typically up to 12 months unless an incident or legal need requires longer retention.
  • Marketing Data: retained until you opt out or your consent is withdrawn, then limited to a suppression record to honor your choice.

Disclosures, Service Providers, and International Transfers

We share personal data only as necessary and with appropriate safeguards:

  • Service Providers (Processors): cloud hosting, analytics, security, email communications, and customer support tools acting under written agreements and data protection terms.
  • Business Operations and Legal: to comply with law, enforce terms, protect rights, respond to lawful requests, or in connection with corporate events (e.g., reorganization) subject to continued protections.

International Transfers: As a US-based organization, we may transfer personal data to the United States and other countries. Where GDPR applies, we implement appropriate safeguards for such transfers, including Standard Contractual Clauses and supplementary technical and organizational measures, as needed. You may request a copy of relevant transfer safeguards by contacting us.

Security Measures

We implement technical and organizational measures appropriate to risk, including access controls, encryption in transit, hardened infrastructure, monitoring, least-privilege access, employee confidentiality obligations, and regular review of our security posture. No system can be completely secure; we continuously work to protect your data.

Data Subject Rights under GDPR

Where GDPR applies, you have the following rights, subject to legal limits and verification:

  • Access: obtain confirmation and a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion where processing is no longer necessary or lawful.
  • Restriction: request limited processing under certain conditions.
  • Portability: receive certain data in a structured, commonly used, machine-readable format and transmit it to another controller.
  • Objection: object to processing based on legitimate interests, including profiling; we will honor it unless we demonstrate compelling legitimate grounds.
  • Withdraw Consent: where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
  • Automated Decisions: the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects, and to request human review.
  • Complaint: lodge a complaint with a competent supervisory authority.

How to Exercise Your Rights

To exercise your rights or request information about our processing, contact us at [email protected]. Please specify the right you wish to exercise and provide sufficient details for verification. We may request additional information solely to verify your identity. We respond without undue delay and within one month of receipt, extendable by two months where necessary due to complexity or volume. We do not discriminate against you for exercising your rights.

Automated Decision-Making and Profiling

We do not engage in solely automated decision-making that produces legal or similarly significant effects. We may use limited profiling to personalize content, alerts, and analytics. You may object to such processing where GDPR provides that right.

Children’s Data

Our services are not directed to children. We do not knowingly collect personal data from children under the age thresholds defined by applicable law. If you believe a child has provided personal data, contact us to request deletion.

United States Compliance Disclosures

As a controller established in the United States, we align this GDPR notice with applicable U.S. federal and state privacy laws (including, where applicable, the California Consumer Privacy Act as amended by the CPRA, the Colorado Privacy Act, and similar state laws). To the extent these laws apply:

  • Notice: The categories of data, purposes, disclosures, and retention described above also serve as our U.S. state privacy notice.
  • Sale/Sharing: We do not sell personal data as “sale” is defined by applicable U.S. state laws. We do not “share” personal data for cross-context behavioral advertising. If this changes, we will provide a clear right to opt out and honor authorized opt-out signals such as Global Privacy Control where required.
  • U.S. Rights: Depending on your state, you may have rights to access, delete, correct, and opt out of targeted advertising, sale, or profiling. You can exercise these by contacting [email protected]. Where required, we provide an appeals process if we deny a request.
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights under U.S. law.

Records of Processing and Accountability

We maintain appropriate records of our processing activities and periodically review our data protection practices, training, contractual controls with processors, and risk assessments, including Data Protection Impact Assessments where processing is likely to result in high risk to individuals.

Changes to This Notice

We may update this notice to reflect changes in our practices, technologies, or legal requirements. Material changes will be indicated by updating the “Effective Date” and, where required by law, by providing additional notice or obtaining consent.

Effective Date

This notice is effective as of the date it is published or last updated on our website.

Contact Information

Data Controller: IndexSpan (indspn.org), owned by Ffion Evans

Postal Address: 1375 E South Boulder Rd, Louisville, CO 80027, United States of America

Email: [email protected]
