This Privacy Policy explains what information I collect, how I use it, and your rights regarding your data.
1. What I Collect
Account information (provided by you)
- Name
- Email address
- Institution / affiliation
- Country
- Role (faculty, PhD student, etc.)
- Password (stored as a PBKDF2-SHA256 hash — I cannot see your password)
- Newsletter subscription preference
Usage information (collected automatically)
- IP address (on login, registration, and download)
- User-agent string (browser/device identifier)
- Country (derived from IP by Cloudflare)
- Timestamps of logins, downloads, and API requests
- Tickers and data versions you download
- Total download volume (bytes)
2. Why I Collect It
- Account management: to let you log in and download data
- Citation tracking: to know which institutions and countries use the data, for grant reports and academic credibility
- Security: to detect and prevent abuse, fake accounts, and unauthorized access
- Service improvement: to understand which tickers are most used and prioritize additions
- Communication: to send account-related emails (verification, password reset) and, if you opt in, the newsletter
3. Who Has Access
Your data is stored in Cloudflare D1 (a managed database) and accessed only by:
- Ahmed Elkassabgi (me) — the sole administrator
- Cloudflare (as the infrastructure provider) — governed by Cloudflare's privacy policy
I will never sell, rent, or share your personal information with third parties except as required by law or as listed below.
4. Third-Party Services
- Cloudflare — hosting, DNS, CDN, DDoS protection, analytics
- Resend — transactional and newsletter emails (receives recipient email addresses)
- Cloudflare Turnstile — CAPTCHA on registration (receives IP and browser fingerprint)
5. Cookies and Local Storage
The site uses:
- Session cookie (
hfd_session) — keeps you logged in for 30 days; marked HttpOnly and Secure
- Local storage — stores your session token for API access
- No third-party tracking cookies, no Google Analytics, no advertising pixels
6. Data Retention
- Account information: retained while your account is active
- Login history and download logs: retained indefinitely for security and citation tracking
- Deleted accounts: personal information is permanently removed; anonymized usage counts may be retained for statistics
7. Your Rights (GDPR and CCPA)
You have the right to:
- Access — request a copy of all data I hold about you
- Correction — update inaccurate information in your profile
- Deletion — request complete removal of your account and personal data
- Portability — request your data in a machine-readable format
- Object — opt out of the newsletter or any non-essential communications
- Withdraw consent — stop using the Service at any time
To exercise any of these rights, email [email protected]. Requests will be honored within 30 days.
8. Security
I take security seriously:
- Passwords are hashed with PBKDF2-SHA256 (100,000 iterations)
- All traffic is encrypted via HTTPS (TLS 1.3)
- Admin accounts require two-factor authentication
- Rate limiting and CAPTCHA protect against abuse
- Audit logs track administrative actions
9. International Data Transfers
The Service uses Cloudflare's global network. Your data may be stored or processed in Cloudflare data centers worldwide. Cloudflare complies with GDPR, CCPA, and other major privacy frameworks.
10. Children's Privacy
The Service is intended for academic and research use and is not directed at children under 13. I do not knowingly collect information from children.
11. Changes to This Policy
This Privacy Policy may be updated. Material changes will be announced via the newsletter and on the site. The "Effective date" at the top will reflect the most recent version.
12. Contact
Questions about this Privacy Policy or to exercise your data rights:
Ahmed Elkassabgi
University of Central Arkansas
[email protected]