Privacy Policy
Last updated: 2026-02-28
1. Data Controller
The controller of your personal data is Scorise Agency Sp. z o.o., with its registered office at al. Reymonta 54, 01-842 Warszawa, Poland, VAT-EU: PL1133001016 (hereinafter referred to as "Controller", "we", or "us").
We operate the website https://www.sentisignal.com and the SentiSignal platform, providing AI-powered market sentiment analysis services.
For any questions regarding your personal data or this Privacy Policy, please contact us at: [email protected]. For general inquiries: [email protected].
2. Legal Basis for Processing
We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation, "GDPR"), the Polish Act of 10 May 2018 on the Protection of Personal Data, and β for users in the United States β the California Consumer Privacy Act ("CCPA") and other applicable US state privacy laws. The legal bases for processing are:
- β’Article 6(1)(a) GDPR β Consent: Processing based on your explicit consent, e.g., for analytics cookies, newsletter subscription, and marketing communications.
- β’Article 6(1)(b) GDPR β Contract performance: Processing necessary for the performance of a contract (providing our services, managing your account, processing payments).
- β’Article 6(1)(c) GDPR β Legal obligation: Processing necessary to comply with legal obligations (e.g., tax, accounting requirements).
- β’Article 6(1)(f) GDPR β Legitimate interest: Processing necessary for our legitimate interests, such as ensuring platform security, fraud prevention, service improvement, and aggregated analytics.
3. Data We Collect
3.1 Account Data
When you register for an account, we collect:
- β’Email address (required)
- β’Full name (optional)
- β’Password (stored in irreversibly hashed form using bcrypt)
- β’Account creation and update timestamps
3.2 Security Data
If you enable two-factor authentication (2FA), we additionally store:
- β’TOTP secret (encrypted, for authenticator app verification)
- β’Hashed recovery codes
- β’2FA activation and verification timestamps
3.3 User Preferences
As you use the platform, we store your preferences to personalize your experience:
- β’Watchlist selections (assets you follow)
- β’Topic preferences (e.g., DeFi, Regulation, NFT)
- β’Priority settings for watched assets
3.4 Payment Data
If you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We store:
- β’Stripe customer and subscription identifiers
- β’Subscription plan tier and status
- β’Billing period dates
We do not store your credit card number, CVV, or full payment card details. All payment information is processed directly by Stripe in accordance with PCI DSS standards. See Stripe's Privacy Policy.
3.5 Newsletter Data
If you subscribe to our newsletter, we collect your email address and, optionally, your first and last name. We use this data solely to send you market analysis updates, product news, and relevant content. You can unsubscribe at any time using the link in every email.
3.6 Technical & Log Data
When you use our platform, we automatically collect:
- β’IP address (logged for security monitoring of unauthorized access attempts)
- β’Browser type and version
- β’Operating system
- β’Pages visited and timestamps
- β’Referrer URL
IP addresses are used for security purposes and are not linked to user accounts in persistent storage.
3.7 Aggregated Engagement Data
We track aggregated click counts on news articles for content quality purposes. This data is not linked to individual users.
4. Cookies and Tracking Technologies
We use cookies and similar technologies on our platform. In accordance with EU Directive 2002/58/EC (ePrivacy Directive) and GDPR, analytics and marketing cookies are only activated after you provide explicit consent via our cookie consent banner.
4.1 Necessary Cookies
These cookies are essential for the platform to function and cannot be disabled:
| Cookie | Purpose | Duration |
|---|---|---|
| __Secure-next-auth.session-token | User authentication session | 30 days |
| cc_cookie | Stores your cookie consent preferences | 365 days |
4.2 Analytics Cookies (Consent Required)
These cookies are set only if you consent. They help us understand how visitors use our platform:
| Cookie | Service | Purpose | Duration |
|---|---|---|---|
| _ga, _ga_* | Google Analytics 4 | Distinguishes visitors, measures traffic | 2 years |
| _gid | Google Analytics 4 | Session identification | 24 hours |
| _clck, _clsk | Microsoft Clarity | Session replay & heatmap analytics | 1 year / session |
4.3 Marketing Cookies (Consent Required)
We may use marketing cookies to measure the effectiveness of advertising campaigns. Currently, this may include:
- β’Meta (Facebook) Pixel β for measuring ad performance and audience insights (if activated)
Marketing cookies are only loaded after you grant explicit consent for this category.
4.4 Google Consent Mode v2
We implement Google Consent Mode v2, which ensures that Google services (Analytics, Tag Manager) respect your consent choices. By default, analytics_storage and ad_storage are set to "denied" until you opt in.
4.5 Server-Side Tracking
We use server-side tagging via Stape.io and Google Tag Manager Server Container to process analytics data. This means some tracking requests are routed through our first-party domain rather than directly to third-party servers, reducing your browser's exposure to third-party cookies while maintaining analytics accuracy. The same consent rules apply β no data is collected without your consent.
5. Third-Party Services and Data Transfers
We share personal data with the following third-party service providers, who process data on our behalf under appropriate data processing agreements:
| Service | Provider | Purpose | Data Transferred |
|---|---|---|---|
| Google Analytics 4 | Google LLC | Website analytics | Page views, session data, device info |
| Google Tag Manager | Google LLC | Tag management | Event data as configured |
| Microsoft Clarity | Microsoft Corp. | Session replay & heatmaps | User interactions, page content |
| Stape.io | Stape OY | Server-side tag management | Analytics events (proxied) |
| Stripe | Stripe, Inc. | Payment processing | Email, name, subscription data |
| Meta Pixel | Meta Platforms, Inc. | Advertising analytics | Page views, events (if consent given) |
International Data Transfers
Some of our service providers (Google, Microsoft, Stripe, Meta) are based in the United States. Data transfers to the US are conducted under the EU-US Data Privacy Framework (DPF) or Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring an adequate level of data protection as required by GDPR Chapter V.
6. Purposes of Data Processing
We process your personal data for the following purposes:
- β’Account management β creating and maintaining your user account, authentication, and session management.
- β’Service delivery β providing personalized market sentiment analysis, watchlists, topic preferences, and AI-generated content.
- β’Payment processing β managing subscriptions and processing payments through Stripe.
- β’Newsletter & communications β sending market analysis updates and product news to subscribers (consent-based).
- β’Security β protecting against unauthorized access, monitoring for abuse, and maintaining platform integrity.
- β’Analytics & improvement β understanding how users interact with our platform to improve features and user experience (consent-based).
- β’Legal compliance β fulfilling legal obligations including tax and accounting requirements.
- β’Advertising measurement β evaluating the effectiveness of marketing campaigns (consent-based, if applicable).
7. Data Retention
We retain your personal data for the following periods:
| Data Category | Retention Period |
|---|---|
| Account data (email, name) | Until account deletion or 3 years of inactivity |
| Password hash | Until account deletion or password change |
| Session data | 30 days from creation |
| Password reset tokens | 1 hour (automatically expired) |
| 2FA data | Until disabled or account deletion |
| Subscription data | Duration of contract + 5 years (legal requirement) |
| Watchlist & preferences | Until account deletion |
| Analytics cookies | Up to 2 years (GA4); session (Clarity) |
| Newsletter subscription | Until you unsubscribe |
| Security logs (IP addresses) | 90 days |
8. Your Rights Under GDPR
As a data subject, you have the following rights under the GDPR. You can exercise these rights by contacting us at [email protected]:
- β’Right of access (Art. 15) β You have the right to obtain confirmation of whether your personal data is being processed and to access a copy of that data.
- β’Right to rectification (Art. 16) β You have the right to request correction of inaccurate personal data.
- β’Right to erasure (Art. 17) β You have the right to request deletion of your personal data ("right to be forgotten"), subject to legal retention obligations.
- β’Right to restriction (Art. 18) β You have the right to request restriction of processing in certain circumstances.
- β’Right to data portability (Art. 20) β You have the right to receive your personal data in a structured, commonly used, machine-readable format.
- β’Right to object (Art. 21) β You have the right to object to processing based on legitimate interests, including profiling.
- β’Right to withdraw consent (Art. 7(3)) β Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.
- β’Right to lodge a complaint (Art. 77) β You have the right to file a complaint with the President of the Personal Data Protection Office (UODO), ul. Stawki 2, 00-193 Warsaw, Poland, website: uodo.gov.pl.
We will respond to your request within 30 days of receipt. In complex cases, this period may be extended by an additional 60 days, of which you will be informed.
9. Additional Rights for California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):
- β’Right to know β You have the right to request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of collection, the purposes of processing, and the categories of third parties with whom we share your data.
- β’Right to delete β You have the right to request deletion of your personal information, subject to certain exceptions.
- β’Right to opt out of sale β We do not sell your personal information. If this changes, you will be provided with a "Do Not Sell My Personal Information" link.
- β’Right to non-discrimination β We will not discriminate against you for exercising your CCPA rights.
- β’Right to correct β You have the right to request correction of inaccurate personal information.
- β’Right to limit use of sensitive data β You may limit the use or disclosure of sensitive personal information.
To exercise your CCPA rights, contact us at [email protected]. We will verify your identity before processing your request. We will respond within 45 days.
Categories of Personal Information (CCPA Disclosure)
Under the CCPA, we collect the following categories of personal information:
- β’Identifiers: Name, email address, IP address, account ID
- β’Commercial information: Subscription records, purchase history
- β’Internet activity: Browsing history on our platform, search history, interaction data
- β’Geolocation: Approximate location derived from IP address
We do not sell personal information and have not done so in the preceding 12 months.
10. Other US State Privacy Rights
If you reside in Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), or other US states with comprehensive privacy laws, you may have similar rights to access, correct, delete, and opt out of certain data processing. Please contact us at [email protected] to exercise your rights. We will respond in accordance with the applicable state law timelines.
11. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- β’Passwords are hashed using bcrypt with a cost factor of 12 (irreversible)
- β’All data is transmitted over HTTPS (TLS encryption)
- β’API authentication uses timing-safe comparison to prevent timing attacks
- β’Database access is restricted through parameterized queries (SQL injection prevention)
- β’Session tokens are cryptographically signed JWT tokens
- β’Two-factor authentication (TOTP) is available for enhanced account security
- β’Content Security Policy (CSP) and HSTS headers are enforced
- β’Database connections are isolated with role-based access controls
12. Children's Privacy
Our services are not directed to individuals under the age of 16 (or 13 for US residents, as applicable under COPPA). We do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected], and we will take steps to delete such data.
13. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. Our platform honors DNT signals by default β analytics and marketing cookies are not loaded unless you provide explicit consent via our cookie consent banner, regardless of DNT settings.
14. Managing Your Cookie Preferences
You can manage your cookie preferences at any time by clicking the cookie settings button in the consent banner on our website. You can also control cookies through your browser settings:
- β’Google Chrome
- β’Mozilla Firefox
- β’Safari
- β’Microsoft Edge
Please note that disabling essential cookies may affect the functionality of the platform.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or applicable laws. We will notify you of significant changes by posting the updated policy on this page and updating the "Last updated" date. For material changes affecting your rights, we will provide additional notice (e.g., via email or a banner on the platform).
16. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us:
Scorise Agency Sp. z o.o.
al. Reymonta 54, 01-842 Warszawa, Poland
VAT-EU: PL1133001016
Data protection inquiries: [email protected]
General inquiries: [email protected]