Effective date: June 1, 2026 · Last updated: June 2026
Concentration of Risk ("we", "us", or the "Service") provides research tools built on concentration-of-risk disclosures extracted from public SEC EDGAR filings. This Privacy Policy explains what information we collect, how we use it, and the choices you have. By using the Service you agree to this policy.
Account information. When you sign in with Google, we receive and store your name, email address, and profile picture from the authentication provider. We never receive or store your Google password.
Session data. We set a session cookie (session_token) so you stay signed in. Sessions expire automatically after 7 days. This cookie is essential to the Service and is not used for advertising.
Messages you send us. If you join the waitlist or use the contact form, we store the name, email address, and message you provide so we can respond and notify you of updates you requested.
Usage logs. Like most web services, our servers record basic technical logs (IP address, request path, timestamp) for security and reliability. These logs are retained only as long as operationally necessary.
We do not collect payment card details, government identifiers, precise location, or any special-category personal data. We do not run third-party advertising trackers on the Service.
We use the information above solely to: (a) operate the Service and keep you signed in; (b) respond to messages you send us; (c) notify you about features you asked to hear about (e.g., the expanded-coverage waitlist); (d) secure the Service and prevent abuse; and (e) comply with legal obligations.
We do not sell, rent, or trade your personal information. We share it only with the service providers strictly required to run the Service — authentication, hosting, and database infrastructure — each bound to use it only on our behalf, or where required by law.
The company data displayed on the Service is derived from filings publicly available on SEC EDGAR. It concerns corporate issuers, not private individuals, and is not "personal information" under this policy.
Account data is retained while your account is active. Session tokens expire after 7 days. You may request deletion of your account and associated personal data at any time via the contact page; we will complete verified requests within 30 days unless we are legally required to retain specific records.
Depending on where you live (e.g., GDPR in the EEA/UK, CCPA/CPRA in California), you may have rights to access, correct, delete, or port your personal data, and to object to or restrict certain processing. To exercise any right, contact us via the contact page. We do not discriminate against you for exercising your rights, and we do not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA.
We use industry-standard safeguards: HTTPS everywhere, httpOnly secure session cookies, and access controls on our infrastructure. No method of transmission or storage is 100% secure, but we work to protect your information proportionate to its sensitivity.
The Service is not directed to children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us information, contact us and we will delete it.
We may update this policy from time to time. Material changes will be reflected by a new "last updated" date at the top of this page, and, where appropriate, additional notice on the Service. Continued use after changes take effect constitutes acceptance.
Questions about privacy? Reach us through the contact page.