Privacy Policy

Effective date: 2026-05-25. This policy describes how oernings collects, uses, and shares personal data, in compliance with the EU General Data Protection Regulation (GDPR) and the German Bundesdatenschutzgesetz (BDSG).

1. Controller

The data controller within the meaning of Art. 4 (7) GDPR is:
Ömer Kaya
Frankfurter Str. 41
63150 Heusenstamm, Germany
E-Mail: support@oernings.com

2. What we collect and why

Account creation

When you register we store your e-mail address and a hashed password. Legal basis: Art. 6 (1) (b) GDPR (performance of a contract).

Watchlist + usage

Which companies you add to your watchlist, which earnings reports you read, your notification preferences. Stored to provide the service you signed up for. Legal basis: Art. 6 (1) (b) GDPR.

Payment data (for paying users)

When you subscribe to a paid tier, your payment is processed by Stripe (see Section 4). We store only the Stripe customer identifier + the subscription state (tier, period end). We do not store credit card numbers. Legal basis: Art. 6 (1) (b) GDPR.

Server logs

Our infrastructure (Google Cloud Run, Supabase) records request metadata (IP address, timestamp, user-agent, request path) for up to 30 days to ensure stability and detect abuse. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in service stability).

Pre-launch waitlist

When you submit your email to the pre-launch waitlist, we store the email address plus a salted SHA-256 hash of your IP address. The hash is used purely to enforce a per-IP rate limit (max 3 sign-ups per hour) and is not reversible from the database alone. Raw IP addresses are never persisted by the waitlist endpoint. Legal basis: Art. 6 (1) (f) GDPR (legitimate interest in preventing abuse of the sign-up form).

3. Cookies and similar technologies

We use functional cookies strictly required to keep you signed in (authentication session). These are first-party cookies set by Supabase Auth and do not require consent under § 25 (2) TTDSG. We do not use advertising or tracking cookies.

4. Third-party processors

We share data with the following processors strictly to deliver the service. Data Processing Agreements (DPA) per Art. 28 GDPR are in place with each.

Supabase (Supabase Inc., USA / EU regions) — authentication, database, file storage.
Google Cloud (Google LLC, USA / EU regions) — application hosting (Cloud Run, Cloud Scheduler).
Stripe (Stripe Payments Europe, Ltd., Ireland) — subscription payment processing for paid tiers.
Resend (Resend.com, USA / EU regions) — transactional e-mail delivery (registration confirmations, notifications, trial reminders).
Finnhub (Finnhub.io) — earnings-calendar and stock-price data feed. Finnhub receives no personal data; we send only ticker symbols.
Anthropic (Anthropic, PBC, USA) — Claude AI is used to interpret public SEC filings. Filing text is sent for analysis; no personal user data is included in those requests.

5. International transfers

Some processors are located in the USA. Transfers are based on the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and, where applicable, the EU-U.S. Data Privacy Framework.

6. Retention

Account data is kept as long as you have an active account. Server logs are retained for up to 30 days. Billing data is retained for 10 years to comply with German tax law (§ 147 AO). On account deletion, personal data is deleted within 30 days, except where statutory retention obligations apply.

7. Your rights

Under the GDPR you have the right to:

Access your data (Art. 15)
Correct inaccurate data (Art. 16)
Have your data deleted (Art. 17)
Restrict processing (Art. 18)
Data portability (Art. 20)
Object to processing (Art. 21)
Lodge a complaint with the competent supervisory authority — in Germany, the data-protection authority of your federal state

To exercise any of these rights, contact support@oernings.com.

8. Changes

We may update this policy when our processing activities change. Material changes will be communicated to active users by e-mail.

Last updated: 2026-05-25.