Privacy Policy
Last updated 2026-06-23
This Privacy Notice for ThesisCheck ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:
- Visit our website at https://thesischeck.com or any website of ours that links to this Privacy Notice
- Use ThesisCheck to submit a stock ticker and investment thesis, retrieve public company information, and generate descriptive company-research briefs
- Engage with us in other related ways, including support, marketing, or events
Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you have any questions or concerns, please use the contact details in section 16 below.
SUMMARY OF KEY POINTS
What personal information do we process? We process account and authentication data, the investment thesis text you submit, generated brief artifacts, payment records, logs, cookies, analytics data where enabled, and information you choose to send us.
Do we process sensitive personal information? We do not ask you to submit special-category personal data. Payment details are processed by Stripe. Your investment thesis may include information you choose to provide, and you are responsible for avoiding unnecessary personal or sensitive information.
Do we collect information from third parties? We retrieve public company filings and other public sources to generate briefs. SEC/EDGAR and public web sources are public-data retrieval sources, not personal-data sub-processors; we do not send user PII to them for retrieval.
How do we process your information? We process your information to provide, improve, secure, and administer our Services, communicate with you, process payments, prevent abuse, and comply with law.
In what situations and with which parties do we share personal information? We share information with service providers that help us operate the Services, such as database/authentication, payment, AI processing, background jobs, storage, rate limiting, error monitoring, email, analytics where enabled, and hosting providers.
How do we keep your information safe? We protect your personal information with organizational and technical measures, including encryption in transit and managed infrastructure controls. No electronic transmission or storage technology can be guaranteed to be 100% secure.
What are your rights? Depending on where you are located, applicable privacy law may give you rights to access, correct, delete, export, restrict, or object to processing of your personal information.
How do you exercise your rights? Use the contact details in section 16 below. We will consider and act upon any request in accordance with applicable data protection laws.
TABLE OF CONTENTS
- WHAT INFORMATION DO WE COLLECT?
- HOW DO WE PROCESS YOUR INFORMATION?
- WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
- WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
- DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
- DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
- IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
- HOW LONG DO WE KEEP YOUR INFORMATION?
- HOW DO WE KEEP YOUR INFORMATION SAFE?
- DO WE COLLECT INFORMATION FROM MINORS?
- WHAT ARE YOUR PRIVACY RIGHTS?
- CONTROLS FOR DO-NOT-TRACK FEATURES
- DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
- DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
- DO WE MAKE UPDATES TO THIS NOTICE?
- HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
- HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
1. WHAT INFORMATION DO WE COLLECT?
Personal information you disclose to us
In Short: We collect personal information that you provide to us.
We collect personal information that you voluntarily provide to us when you register on the Services, submit a ticker and investment thesis, generate a brief, make a purchase, contact us, or otherwise use the Services.
The personal information we collect may include:
- names
- email addresses
- account and authentication data
- contact preferences
- investment thesis text you submit
- generated brief artifacts and related metadata
- payment records and purchase history
- support messages and other information you send us
Sensitive Information. We do not request special-category personal data. You should not include unnecessary personal data or sensitive personal information in investment thesis text or support messages.
Payment Data. We may collect data necessary to process your payment if you choose to make purchases. Payment details are handled and stored by Stripe. You may find Stripe's privacy notice here: https://stripe.com/privacy.
Public company and source data. We retrieve public company filings and other public sources to generate briefs. SEC/EDGAR and public web sources are public-data retrieval sources, not personal-data sub-processors; we do not send user PII to them for retrieval.
Information automatically collected
In Short: Some information, such as your IP address and browser or device characteristics, is collected automatically when you visit our Services.
We automatically collect certain information when you visit, use, or navigate the Services. This may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, country, location inferred from IP address, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain security and operation, prevent abuse, diagnose technical issues, and, where analytics is enabled and consented to, understand usage trends.
We also collect information through cookies and similar technologies. You can find out more in our Cookie Policy.
2. HOW DO WE PROCESS YOUR INFORMATION?
In Short: We process your information to provide, improve, and administer our Services, communicate with you, process payments, secure the Services, and comply with law.
We process your personal information for a variety of reasons, depending on how you interact with our Services, including:
- To facilitate account creation and authentication and otherwise manage user accounts.
- To deliver the Services. This includes processing your submitted ticker and investment thesis, retrieving public sources, generating brief artifacts, storing brief history, and displaying source-linked output.
- To process payments and manage paid access.
- To respond to user inquiries and offer support.
- To send administrative information. This includes changes to our terms, policies, security notices, and service messages.
- To protect our Services. This includes fraud monitoring, rate limiting, abuse prevention, debugging, and security diagnostics.
- To identify usage trends where analytics is enabled and you have consented where required.
- To comply with law and enforce our legal terms.
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason to do so under applicable law.
If you are located in the EU, UK, or Switzerland, this section applies to you. The GDPR, UK GDPR, and Swiss Federal Act on Data Protection (FADP/revDSG) require us to explain the legal bases we rely on:
- Consent. We may process your information if you have given us permission to use your personal information for a specific purpose, such as optional analytics cookies where enabled. You can withdraw your consent at any time.
- Performance of a Contract. We process your personal information when necessary to provide the Services, manage your account, generate briefs, and process paid access.
- Legitimate Interests. We may process your information when reasonably necessary for our legitimate business interests, such as securing the Services, preventing abuse, diagnosing problems, improving the product, and understanding aggregate usage, provided those interests do not outweigh your rights and freedoms.
- Legal Obligations. We may process your information where necessary for compliance with our legal obligations, such as tax, accounting, consumer, regulatory, or law-enforcement obligations.
- Vital Interests. We may process your information where necessary to protect your vital interests or the vital interests of another person.
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
In Short: We may share information with service providers and in the specific situations described below.
Vendors, consultants, and other service providers. We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us or on our behalf and require access to such information to do that work. Where required by applicable law, we maintain contracts or data-processing terms with service providers that process personal information on our behalf. Some service providers engage their own sub-processors to deliver their services.
We use, or may use depending on the enabled deployment configuration, the following service providers:
| Service provider | Purpose | Notes |
|---|---|---|
| Supabase | Authentication, database, platform services, and related storage | Hosts account data, brief metadata, and application data where enabled. |
| Stripe | Checkout, billing, tax, payment, and payment-record processing | Handles payment details; we do not store full card numbers. |
| OpenRouter and underlying model providers | AI model routing and generation | Processes submitted thesis text and related prompt context to generate briefs. We configure provider privacy controls where supported. |
| Trigger.dev | Background jobs and workflow execution | Runs asynchronous brief-generation and maintenance tasks. |
| S3-compatible storage | Brief artifact and file storage | Stores generated artifacts or source packets where enabled. |
| Upstash | Rate limiting and lightweight infrastructure state | Used for abuse prevention and endpoint protection. |
| Sentry | Error monitoring and diagnostics | Used to diagnose errors and service performance. |
| Email provider | Transactional email delivery | Sends account, login, purchase, and service emails. |
| Analytics provider | Product analytics | Used only where analytics is enabled and, where required, after consent. |
| Hosting provider | Website and application hosting | Hosts the web application and server-side routes. |
SEC/EDGAR and public web sources are public-data retrieval sources, not personal-data sub-processors; we do not send user PII to them for retrieval.
We also may need to share your personal information in the following situations:
- Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, incorporation, reorganization, or acquisition of all or a portion of our business by another company.
- Legal obligations and rights. We may disclose information where necessary to comply with law, enforce our terms, respond to lawful requests, or protect rights, safety, and security.
- With your direction or consent. We may share information when you instruct us to do so or consent to the sharing.
Support and administrative access. Authorized personnel may access account, brief, and diagnostic data where reasonably necessary to provide support, investigate suspected abuse, fraud, or security incidents, maintain the Services, or comply with law. Such access is restricted to authorized personnel and used only for these purposes.
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
In Short: We use essential cookies to run the site and, with your consent where required, analytics cookies to help us improve it.
We use cookies and similar technologies to maintain your session, remember language preferences, store cookie-consent choices, protect the Services, and support analytics where enabled and consented to. Specific information about how we use such technologies and how you can control them is set out in our Cookie Policy.
6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.
As part of our Services, we offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies (collectively, "AI Products"). ThesisCheck uses AI to retrieve and organize public information and to produce descriptive company-research briefs based on a stock ticker and investment thesis that you provide.
Use of AI technologies. We provide AI Products through third-party service providers, including OpenRouter and the underlying model providers to which OpenRouter routes requests. Your submitted thesis text, ticker, prompt context, and generated output may be shared with and processed by those providers to enable your use of the AI Products.
Public source retrieval. The Services retrieve public company filings and other public web sources. SEC/EDGAR and public web sources are used as public-data sources and do not receive user PII from us for retrieval.
Our AI Products. Our AI Products are designed for source-checked descriptive research, text analysis, source organization, and brief generation. They are not designed to provide investment advice or make investment decisions for you.
How we process your data using AI. Personal information processed using AI Products is handled in line with this Privacy Notice and our agreements with relevant service providers. AI-generated content may be incomplete, out of date, or wrong; see our Investment Disclaimer and Terms of Service for important limitations.
7. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
In Short: We may transfer, store, and process your information in countries other than your own.
Our processors may operate in Switzerland, the European Union, the United Kingdom, the United States, and other countries. Regardless of your location, your information may be transferred to, stored by, and processed in these countries by us and by the third parties with whom we share your personal information as described above.
If you are a resident in the European Economic Area, United Kingdom, or Switzerland, these countries may not necessarily have data protection laws as comprehensive as those in your country. However, we will take measures designed to protect your personal information in accordance with this Privacy Notice and applicable law.
Safeguards for international transfers. Where personal information is transferred internationally, transfers rely on appropriate safeguards where required, such as adequacy decisions, the EU-U.S. / Swiss-U.S. Data Privacy Framework where the recipient is certified, and otherwise standard contractual clauses or equivalent transfer mechanisms.
8. HOW LONG DO WE KEEP YOUR INFORMATION?
In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Notice unless otherwise required by law.
We keep personal information only as long as needed for the purposes described in this notice, unless a longer retention period is required or permitted by law. Most account information is retained for as long as you maintain an account with us. Generated brief artifacts, thesis text, source metadata, and related run records may be retained while your account remains active so you can access your brief history. Payment, tax, accounting, fraud-prevention, dispute, and security records may be kept longer where required or permitted by law.
When we have no ongoing legitimate business need or legal basis to process your personal information, we will either delete or anonymize it, or, if deletion is not immediately possible, securely store it and isolate it from further processing until deletion is possible.
9. HOW DO WE KEEP YOUR INFORMATION SAFE?
In Short: We aim to protect your personal information through organizational and technical security measures.
We have implemented appropriate and reasonable technical and organizational security measures designed to protect the personal information we process. These include encryption in transit, managed database and storage controls, application authorization checks, rate limiting and abuse prevention, restricted administrative access, and error monitoring.
Payment data is handled by Stripe; we do not store full card numbers.
However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. Although we work to protect your personal information, transmission of personal information to and from the Services is at your own risk. You should access the Services only within a secure environment.
10. DO WE COLLECT INFORMATION FROM MINORS?
In Short: We do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly collect, solicit data from, or market to children under 18 years of age or the equivalent age specified by law in your jurisdiction. By using the Services, you represent that you are at least 18 or the equivalent age specified by law in your jurisdiction. If we learn that personal information from users under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children, please use the contact details in section 16 below.
11. WHAT ARE YOUR PRIVACY RIGHTS?
In Short: Depending on where you live, you may have rights that allow you to access and control your personal information.
In some regions, such as the EEA, UK, and Switzerland, you have certain rights under applicable data protection laws. These may include the right to request access and obtain a copy of your personal information, request rectification or erasure, restrict processing, object to processing, request data portability, and not be subject to certain automated decision-making.
We will consider and act upon any request in accordance with applicable data protection laws.
If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you may also have the right to complain to your Member State data protection authority or UK data protection authority. If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.
Withdrawing your consent: If we rely on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw consent by contacting us or updating available preferences. This will not affect the lawfulness of processing before withdrawal.
Account information: You may review or change information in your account through account settings where available or by contacting us.
Cookies and similar technologies: Most browsers accept cookies by default. You can usually set your browser to remove or reject cookies. If you remove or reject cookies, this could affect certain features or services. For further information, please see our Cookie Policy.
If you have questions or comments about your privacy rights, please use the contact details in section 16 below.
12. CONTROLS FOR DO-NOT-TRACK FEATURES
Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. We do not currently respond to DNT browser signals or other mechanisms that automatically communicate your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you in a revised version of this Privacy Notice.
California law requires us to let you know how we respond to web browser DNT signals. Because there currently is not an industry or legal standard for recognizing or honoring DNT signals, we do not respond to them at this time.
13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
In Short: If you are a resident of certain U.S. states, you may have rights to request access to, correction of, deletion of, or a copy of personal information we maintain about you.
Depending on your state of residence, you may have rights under state privacy laws. These rights may include:
- Right to know whether we process your personal information
- Right to access personal information we maintain about you
- Right to correct inaccuracies
- Right to request deletion
- Right to obtain a copy of personal information you previously provided to us
- Right to opt out of certain processing, such as targeted advertising, sale of personal information, or profiling where applicable
We have not sold personal information to third parties for a business or commercial purpose in the preceding twelve (12) months. We do not use personal information for targeted advertising unless a future enabled analytics or advertising configuration states otherwise and the required notices and choices are provided.
To exercise these rights, use the contact details in section 16 below. We may need to verify your identity before fulfilling your request. You may designate an authorized agent where permitted by law.
14. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
In Short: You may have additional rights based on the country you reside in.
Residents of other countries and regions may have rights under applicable privacy laws, including rights to access, correct, delete, restrict, object to, or transfer personal information. Use the contact details in section 16 below to exercise these rights.
15. DO WE MAKE UPDATES TO THIS NOTICE?
In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws and reflect our Services.
We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date and will be effective as soon as it is accessible, unless otherwise stated. We encourage you to review this Privacy Notice frequently.
16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
If you have questions or comments about this notice, you may contact us at:
ThesisCheck (Hiestand Digital)
c/o F2BII E-Commerce #993
Hintergoldingerstrasse 30
8638 Goldingen
Switzerland
Email: info@thesischeck.io
17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we process it, correction of inaccuracies, deletion of your personal information, or withdrawal of consent. To request to review, update, or delete your personal information, please use the contact details above.