Privacy Policy

Last updated: April 13, 2026

Introduction and Scope

Valuein LLC ("Valuein," "we," "us," or "our") is a Wyoming limited liability company that operates as a Financial Data Infrastructure and Technology (FDIT) provider. This Privacy Policy applies to information collected through the Valuein website at valuein.biz and all subdomains, the Valuein Bulk Data API at data.valuein.biz, the Valuein MCP Server at mcp.valuein.biz, the Valuein Python SDK (valuein-sdk), and all related services, tools, and documentation (collectively, the "Service").

This Privacy Policy explains what personal information we collect, how we use and share it, what rights you have over your information, and how to contact us with questions. By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with this Privacy Policy, do not use the Service.

This policy applies to all individuals who interact with the Service, regardless of jurisdiction. Jurisdiction-specific rights and disclosures are provided in dedicated sections below.

Information We Collect

We collect the following categories of personal information:

Account and Identity Information: When you create an account, we collect your name, email address, and a profile photo if provided by your OAuth provider. We do not store passwords — authentication is delegated to Google, GitHub, or LinkedIn via OAuth 2.0. We also collect your account creation date, subscription tier, and account preferences.

Payment and Billing Information: Payment processing is handled entirely by Stripe, Inc. We receive and store your Stripe customer ID, subscription plan, subscription status, billing cycle start and end dates, and invoice history. We do not receive, process, or store your full credit card number, CVV, bank account number, or any other payment instrument details.

API Usage Data: We automatically collect API request logs including the endpoint path, HTTP method, request timestamp, HTTP response status code, response latency in milliseconds, API key identifier (hashed), data table requested, and approximate geographic region derived from your IP address. We do not log request payloads or query parameters beyond what is necessary for rate limit enforcement and security monitoring.

Device and Network Data: When you visit our website, we collect your IP address (truncated to the /24 subnet for analytics purposes), browser type and version, operating system, screen resolution, preferred language, referring URL, and page view sequence. This data is collected passively through standard HTTP headers and Cloudflare Analytics.

Communication Data: When you contact us for support, we collect the content of your messages, your email address, and the date and time of the communication.

Security and Fraud Prevention Data: We collect data related to login attempts, API key usage patterns, anomalous request patterns, and other signals used to detect unauthorized access or abuse of the Service. This data may include full IP addresses, user-agent strings, and request timing metadata.

How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery and Account Management: To authenticate your identity, provision and maintain your account, generate and manage API keys, enforce rate limits based on your subscription tier, deliver financial data through our API, SDK, and MCP Server, and process Parquet file downloads.

Billing and Payment Processing: To initiate and manage subscription charges through Stripe, handle plan upgrades and downgrades, generate invoices and receipts, manage subscription renewals and cancellations, detect and prevent payment fraud, and comply with tax and financial reporting obligations.

Transactional Communications: To send emails necessary for the operation of your account, including welcome emails, API key generation confirmations, subscription confirmation and renewal receipts, billing failure notifications, password reset and account security alerts, and responses to your support requests. Transactional communications cannot be opted out of while your account is active.

Product Communications: With your consent, to send product updates, new feature announcements, dataset expansion notices, and changelog digests. You may opt out of product communications at any time by clicking the unsubscribe link in any such email or by updating your communication preferences in your account settings.

Security and Fraud Detection: To monitor for unauthorized access to your account or API key, detect and respond to API abuse and excessive scraping, enforce our Acceptable Use Policy, investigate and prevent fraudulent activity, and protect the integrity and availability of the Service for all users.

Service Analytics and Improvement: To analyze aggregate, anonymized usage patterns to identify high-demand API endpoints, improve API performance and reliability, monitor error rates and latency, prioritize product development, and understand how users interact with the Service. We do not build individual user profiles for behavioral advertising.

Legal Compliance and Enforcement: To comply with applicable laws and regulations including U.S. tax law, to respond to lawful requests from courts, law enforcement, and regulatory authorities, and to enforce our Terms of Service and Data License Agreement.

Legal Basis for Processing (GDPR)

For users in the European Economic Area, the United Kingdom, and Switzerland, our legal basis for each processing activity is as follows:

Performance of a Contract (Article 6(1)(b) GDPR): Processing your account information, API usage data, and billing information is necessary to perform the subscription contract with you and to deliver the Service you requested.

Legal Obligation (Article 6(1)(c) GDPR): Retaining billing records and transaction history for seven years is required by U.S. tax and financial reporting law. Retaining security logs for incident investigation is required by applicable information security obligations.

Legitimate Interests (Article 6(1)(f) GDPR): We rely on our legitimate interests to collect API usage logs for security monitoring and abuse detection, to analyze anonymized aggregate usage patterns for service improvement, and to send existing customers product update communications. We have assessed that our legitimate interests are not overridden by your privacy interests given the nature and limited scope of the processing.

Consent (Article 6(1)(a) GDPR): Where we rely on consent — specifically for optional marketing communications — you may withdraw your consent at any time by unsubscribing. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

Automated Decision-Making (Article 22 GDPR): Valuein does not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you. Our rate limit enforcement and fraud detection systems are automated but do not make decisions with legal or similarly significant effect; any account suspension resulting from automated signals is reviewed by a human before becoming permanent.

If you wish to obtain a copy of the Data Processing Agreement (DPA) for enterprise or B2B arrangements, please contact [email protected]. We maintain a current list of sub-processors and their processing purposes, which is available upon request.

Data Sharing and Third-Party Processors

We do not sell your personal information to third parties. We do not share your personal information for cross-context behavioral advertising or for any third-party marketing purpose. We share your information only with the following categories of service providers who process data on our behalf under written data processing agreements consistent with this Privacy Policy:

Stripe, Inc. (San Francisco, CA, USA): Payment processing and subscription management. Stripe receives your payment method details, billing address, and email address to process charges. Stripe is a PCI DSS Level 1 certified service provider. Stripe's privacy policy: stripe.com/privacy.

Cloudflare, Inc. (San Francisco, CA, USA): Infrastructure and delivery. Cloudflare provides our content delivery network, DDoS protection, Web Application Firewall, DNS, edge computing (Workers), key-value storage (KV), object storage (R2), Durable Objects, and static hosting (Pages). Cloudflare processes your IP address, request headers, and request content as part of delivering the Service. Cloudflare's privacy policy: cloudflare.com/privacypolicy.

Resend, Inc. (San Francisco, CA, USA): Transactional and product email delivery. Resend receives your email address and email content for the purposes of delivering emails you requested or that are required by your account. Resend's privacy policy: resend.com/legal/privacy-policy.

Inngest, Inc. (San Francisco, CA, USA): Background job orchestration for asynchronous data processing workflows. Inngest may process metadata associated with your account and API key to trigger and manage server-side background tasks. Inngest's privacy policy: inngest.com/privacy.

OAuth Providers (Google LLC, GitHub Inc., LinkedIn Corporation): When you authenticate via a third-party OAuth provider, that provider shares your name, email address, and profile photo with us as permitted by your OAuth consent. We do not share your Valuein usage data back to these providers.

Disclosure Required by Law: We may disclose your information if required by a valid court order, subpoena, search warrant, governmental investigation, or applicable law, or if we believe in good faith that disclosure is necessary to prevent fraud, protect our rights or property, protect public safety, or respond to a national security request. Where permitted by law, we will make reasonable efforts to notify you before complying with such requests.

Business Transfers: In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy involving Valuein, your personal information may be transferred to the successor entity. We will notify you of any such transfer and any choices you may have regarding your information.

Data Retention

We retain personal information for the following periods, after which it is permanently deleted or irreversibly anonymized:

Account and Identity Data: Retained for the duration of your active account plus 30 days following account deletion, except where longer retention is required by law. Deletion requests are processed within 30 days of receipt.

API Usage Logs: Detailed logs including IP addresses, request metadata, and API key identifiers are retained for 90 days for security incident response and rate limit enforcement. Aggregate, anonymized usage statistics (without individual identifiers) may be retained indefinitely for service analytics.

Payment and Billing Records: Retained for seven (7) years from the transaction date to comply with U.S. federal and state tax, anti-money-laundering, and financial recordkeeping obligations under the Internal Revenue Code. This data cannot be deleted upon request during the retention period due to legal requirements.

Support Communications: Retained for two (2) years from the date of the most recent interaction in the thread.

Security Event Logs: IP addresses and access records collected for security and fraud detection purposes are retained for 12 months.

Marketing Opt-Out Records: If you opt out of marketing communications, we retain a record of your opt-out preference indefinitely to ensure future compliance with your preference.

Your Privacy Rights — All Users

Regardless of your location, you have the following rights with respect to your personal information:

Access: You may request confirmation of whether we process personal information about you and, if so, receive a copy of that information in a portable format.

Correction: You may request that we correct inaccurate or incomplete personal information we hold about you. You may update most account information directly through your account settings page.

Deletion: You may request deletion of your account and associated personal information. We will delete your data within 30 days except where retention is required by law (e.g., billing records) or legitimate interests (e.g., security event logs).

Data Portability: You may request a machine-readable copy of the personal data you have provided to us, in a commonly used format such as JSON or CSV.

Opt-Out of Marketing: You may unsubscribe from non-transactional communications at any time using the unsubscribe link in any marketing email or by updating your account preferences.

Appeal: If we deny a privacy rights request, you may appeal our decision by contacting [email protected] with the subject line "Privacy Rights Appeal." We will respond to appeals within 30 days.

To exercise any of these rights, contact [email protected] with the subject line "Privacy Rights Request" from the email address associated with your account. We will respond to verified requests within 30 days. We may require identity verification before processing requests. We will not charge a fee for reasonable requests.

California Residents — CCPA and CPRA Rights

This section applies to California residents and supplements the rights described above. The California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA) grants California residents additional rights.

Right to Know: You have the right to request the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You have the right to request deletion of personal information we have collected about you, subject to certain exceptions permitted by law (including legal retention obligations for billing records).

Right to Correct: You have the right to request that we correct inaccurate personal information we maintain about you.

Right to Opt Out of Sale or Sharing: We do not sell personal information as defined by the CCPA. We do not share personal information for cross-context behavioral advertising as defined by the CPRA. You have the right to opt out of any such activity if we ever change this practice.

Right to Limit Use of Sensitive Personal Information: We do not collect or use sensitive personal information (as defined by the CPRA) for purposes other than those necessary to perform the Service.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

Categories of Personal Information Collected in the Last 12 Months: (A) Identifiers — name, email address, IP address, unique API key identifier; (B) Commercial information — subscription tier, transaction history, invoice records; (C) Internet or electronic network activity — API request logs, page views, referring URLs, browser type; (D) Geolocation data — approximate geographic region derived from IP address. We do not collect biometric information, genetic information, or information regarding race, religion, sexual orientation, or other protected characteristics.

Categories of Third Parties: Service providers (Stripe, Cloudflare, Resend, Inngest) as described in the Data Sharing section above. We do not disclose personal information to third parties for their own business purposes.

Retention: See the Data Retention section above for specific retention periods by category.

To submit a CCPA/CPRA request: Contact [email protected] or submit a request through your account settings. We will verify your identity and respond within 45 calendar days, with a possible 45-day extension if reasonably necessary. You may designate an authorized agent to make a request on your behalf; we may require the agent to provide proof of authorization.

EEA, UK, and Switzerland — GDPR Rights

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or the UK GDPR and Swiss Federal Act on Data Protection (FADP):

Right of Access (Article 15): To obtain confirmation of whether we process your personal data and receive a copy of it.

Right to Rectification (Article 16): To request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17): To request deletion of your personal data where it is no longer necessary, where you withdraw consent, or where processing is unlawful, subject to exceptions for legal obligations and the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing (Article 18): To request that we restrict processing of your personal data in certain circumstances, such as while you contest its accuracy or while we assess a legitimate interest objection.

Right to Data Portability (Article 20): To receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller without hindrance.

Right to Object (Article 21): To object to processing based on legitimate interests. Where you object to processing for direct marketing purposes, we will cease such processing immediately and without exception.

Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. We do not currently make such decisions.

Right to Withdraw Consent: Where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at edpb.europa.eu. UK residents may contact the Information Commissioner's Office at ico.org.uk. Swiss residents may contact the Federal Data Protection and Information Commissioner (FDPIC).

To exercise any GDPR right, contact [email protected]. We will respond within 30 days. We will not charge a fee for requests unless they are manifestly unfounded or excessive.

Data Controller: Valuein LLC is the data controller for personal data collected through the Service. As we do not have an establishment in the EEA or UK, we are not currently required to appoint a representative under Article 27 GDPR based on the scale of our processing. Should this change, we will update this section accordingly. [email protected] is the point of contact for all data protection matters.

Additional U.S. State Privacy Rights

Residents of the following states have privacy rights under applicable state privacy law. We honor these rights for all residents of these states under a single, unified request process at [email protected]:

Virginia (VCDPA, effective Jan 2023): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of the sale of personal data, targeted advertising, and profiling (we do not engage in any of these); right to appeal our decision on your privacy request within 60 days.

Colorado (CPA, effective July 2023): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of the sale of personal data, targeted advertising, and profiling in furtherance of decisions that produce legal or similarly significant effects; universal opt-out signal recognition.

Connecticut (CTDPA, effective July 2023): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of sale, targeted advertising, and profiling.

Texas (TDPSA, effective July 2024): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of sale and targeted advertising.

Oregon (OCPA, effective July 2024): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of profiling, targeted advertising, and sale; right to obtain a list of specific third parties to whom we have disclosed personal data.

Montana (MCDPA, effective October 2024): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of sale, targeted advertising, and profiling.

Delaware (DPDPA, effective January 2025): Rights to access, correct, delete, and obtain a portable copy of your personal data.

Iowa (ICDPA, effective January 2025): Rights to access, delete, and obtain a portable copy of your personal data; right to opt out of sale, targeted advertising, and profiling.

Nebraska (NDPA, effective January 2025): Rights to access, correct, delete, and obtain a portable copy of your personal data; right to opt out of sale and targeted advertising.

New Hampshire (effective January 2025), New Jersey (effective January 2025), Maryland (MODPA, effective October 2025), Minnesota (MCDPA, effective July 2025): These states grant substantially similar rights to access, correct, delete, and port personal data, and rights to opt out of sale, targeted advertising, and profiling. We honor all such rights.

Universal Opt-Out Signals: We recognize and honor Global Privacy Control (GPC) and similar universal opt-out preference signals as valid requests to opt out of the sale or sharing of personal information, as required by applicable state law.

As additional U.S. state privacy laws take effect, we will extend the same rights to residents of those states. We apply a single, consistent standard: all rights listed in the "Your Privacy Rights — All Users" section are available to every user regardless of jurisdiction.

Cookies, Tracking Technologies, and Do Not Track

We use a minimal and privacy-respecting set of technologies on our website:

Essential Session Cookies: First-party cookies required to maintain your authenticated session. These are strictly necessary for the Service to function and are set only when you log in. They cannot be disabled without preventing access to authenticated features.

Cloudflare Analytics: We use Cloudflare Web Analytics, which is a cookieless, privacy-preserving analytics service. It does not use cookies, does not track individual users across sites, does not fingerprint devices, and does not share data with advertising networks. It provides aggregate page view and traffic data only.

Cloudflare Turnstile: We use Cloudflare Turnstile, a privacy-preserving CAPTCHA alternative, to protect certain forms and endpoints from bot abuse. Turnstile does not use cookies for tracking and does not profile users.

No Advertising Trackers: We do not use Google Analytics, Google Ads, Facebook Pixel, LinkedIn Insight Tag, or any other third-party advertising or behavioral tracking technology. We do not engage in cross-site tracking, behavioral profiling, retargeting, or interest-based advertising.

Do Not Track (DNT) Disclosure: Some web browsers transmit a "Do Not Track" (DNT) signal. As there is no industry-standard protocol for honoring DNT signals and we do not engage in any tracking that DNT is designed to prevent, our Service does not currently respond differently based on a DNT signal. However, because we do not use third-party advertising trackers, do not build behavioral profiles, and do not share information for cross-context behavioral advertising, the practical effect is the same as if we honored DNT.

Browser Controls: You may configure your browser to block or delete cookies. Blocking essential session cookies will prevent you from logging in to the Service. Blocking analytics via browser extensions does not affect your access to the Service.

Security

We implement layered, industry-standard security controls to protect your personal information:

Encryption in Transit: All data transmitted between your device and the Service is encrypted using TLS 1.2 or higher. HTTP connections are automatically redirected to HTTPS. API endpoints enforce HTTPS and reject unencrypted connections.

Encryption at Rest: Sensitive stored data including API tokens, authentication records, and subscription metadata is encrypted at rest using AES-256 encryption on Cloudflare's infrastructure.

API Key Hashing: API keys are hashed using a one-way cryptographic function before storage. We cannot retrieve your API key in plain text after it is generated; you are responsible for saving it securely at the time of generation.

Access Controls: Access to production systems and customer data is restricted on a need-to-know basis. Administrative access requires multi-factor authentication.

Infrastructure Security: The Service is delivered through Cloudflare's global edge network, which provides built-in DDoS mitigation, Web Application Firewall (WAF) protection, bot management, and network-level security controls.

Security Monitoring: We maintain automated monitoring for anomalous API access patterns, brute-force attempts, credential stuffing attacks, and unauthorized access attempts. Suspicious activity triggers alerts and may result in automatic temporary suspension of the relevant API key or account.

Breach Notification: In the event of a data breach affecting your personal information, we will notify you and applicable regulatory authorities as required by law. For GDPR-covered users, we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to your rights and freedoms, and we will notify affected individuals without undue delay where the breach is likely to result in a high risk. For California residents, we will comply with California Civil Code Section 1798.82. For other U.S. states with breach notification laws, we will comply with applicable notification timelines.

No method of electronic transmission or storage is 100% secure. While we strive to protect your personal information using commercially reasonable measures, we cannot guarantee absolute security.

International Data Transfers

Valuein is headquartered in the United States. Our Service is delivered through Cloudflare's global edge network, which may process your data at servers located in the United States and other countries. Our sub-processors (Stripe, Resend, Inngest) are also headquartered in the United States.

For users in the EEA, UK, and Switzerland, transfers of your personal data to the United States and other countries outside the EEA/UK with potentially different data protection standards are governed as follows: we rely on our sub-processors' Standard Contractual Clauses (SCCs) approved by the European Commission, supplementary transfer impact assessments, and other applicable transfer mechanisms to provide adequate protection for transferred data.

For UK transfers, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.

You may request information about the specific transfer mechanisms we rely on by contacting [email protected].

Children's Privacy

The Service is a professional financial data platform intended for users who are at least 18 years of age. The Service is not directed to children under 18.

Compliance with the Children's Online Privacy Protection Act (COPPA): We do not knowingly collect personal information from children under the age of 13 as defined by COPPA. If we discover that we have inadvertently collected personal information from a child under 13, we will delete that information within 30 days and terminate the associated account.

Minors aged 13–17: We do not knowingly allow users under 18 to create accounts. If we discover that a user is under 18, we will take commercially reasonable steps to terminate the account and delete the associated personal information.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected] immediately.

Financial Data Clarification

The Valuein Service provides access to financial data about publicly traded companies derived from SEC EDGAR filings — for example, revenue figures for Apple Inc. or balance sheet data for JPMorgan Chase & Co. This financial data pertains to public companies and their public disclosures, not to our users personally.

For the avoidance of doubt: the financial data you access through the Service (e.g., income statements, balance sheets, financial ratios of public companies) is not your personal information and is not subject to the privacy rights described in this policy. Our privacy obligations relate exclusively to information about you as an individual — your account data, usage data, payment data, and communications data as described in the "Information We Collect" section above.

The financial data itself is governed by the Data License Agreement, not by this Privacy Policy.

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, applicable law, or regulatory guidance. We will update the "Last Updated" date at the top of this page when we make changes.

For material changes — meaning changes that meaningfully alter your rights, expand the categories of information we collect, introduce new data sharing practices, or change the purposes for which we use your information — we will provide at least 30 days' advance notice to registered users by email before the changes take effect. Non-material changes (such as clarifications, formatting corrections, or additions required by new state privacy laws that do not reduce your existing rights) may be made without prior notice.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the revised policy, you must stop using the Service and may request deletion of your account.

Contact Us

If you have questions about this Privacy Policy, wish to exercise any of your privacy rights, or have concerns about how we handle your information, please contact us at:

Valuein LLC Privacy and Legal: [email protected]

We aim to respond to all privacy inquiries within 10 business days.