Privacy Policy
This policy explains what information CausalTrader (operated by Mercurial AI Inc., “we”) collects when you visit the website or buy a report, what we do with it, and the rights you have. We're a small team and we keep the data inventory short on purpose.
1. What we collect
From you, directly. When you sign up for the waitlist or buy a report we collect your email address, the ticker symbol you requested, and the analysis window (number of days). At Stripe checkout we additionally collect billing address and payment details — those go to Stripe, not to us; we receive only a Stripe customer id and the last four digits of the card for support purposes.
Automatically. Standard server logs (IP, user agent, request path, timestamp) are recorded for security, fraud prevention, and rate-limiting. We do not run third-party advertising cookies, fingerprinting scripts, or session replay tools.
2. How we use it
- To generate and email the report you ordered.
- To process payment, refunds, and tax compliance.
- To respond to support emails and operate the service.
- To improve the product. Aggregate, de-identified usage statistics (e.g. “most-requested tickers this month”) may inform our roadmap and marketing. We rely on legitimate interest for this purpose because the processing is minimal, uses only aggregate data, and poses negligible risk to you; you can opt out at any time by emailing us.
- To detect and prevent fraud, abuse, and violations of our Terms.
3. Cookies and tracking
We do not set first-party analytics cookies. Stripe may set cookies for fraud detection on the checkout page; these are strictly necessary for payment processing and do not require consent under the ePrivacy Directive. Vercel may set a performance cookie (__vsc) to route requests; this is also strictly necessary. We do not use any marketing, advertising, or preference cookies.
4. Sub-processors
We share the minimum necessary data with the following processors, each of whom is bound by a Data Processing Agreement:
- Stripe, Inc. — payment processing, fraud detection, subscription management.
- Resend (Resend.com Inc.) — transactional email delivery (the report PDF and order confirmations).
- Vercel Inc. — hosting for the marketing site and the checkout API.
- Hostinger International Ltd. — the VPS that runs the report-generation worker.
- Anthropic PBC, OpenAI OpCo, LLC, and xAI Corp. — large language models used to draft the analyst memo. We do not send your email or billing info to LLM providers; we send only the ticker, the analysis window, and the structured market/news evidence we've gathered.
5. We never sell your data
We do not sell, rent, or trade personal information. We do not run ads. The only money in this business comes from the price you paid for the report.
6. How long we keep it
- Order records (email, ticker, status, Stripe session id): retained for 7 years for tax and accounting compliance.
- Generated PDFs: retained for 90 days after delivery, then deleted from our storage. Re-delivery after that window requires regenerating the report.
- Server logs: rotated within 30 days.
7. Your rights
Regardless of where you live, you can email us at dennis@mercurial-ai.com and ask us to:
- show you the data we have on you (right of access);
- correct anything that's wrong (rectification);
- delete it, subject to our tax-record retention obligations (erasure);
- export it in a machine-readable format (data portability);
- stop processing it for product-improvement purposes (objection);
- restrict processing while a dispute is resolved (restriction).
If you're in the EU, UK, or California, you also have the rights granted by GDPR, UK GDPR, and the CCPA/CPRA respectively; the bullets above describe how we honour them. Our lawful basis for processing under GDPR is contract performance for fulfilling your order, and legitimate interest for fraud prevention and product analytics.
If we ever rely on consent as a lawful basis (for example, for optional marketing emails), you may withdraw that consent at any time by clicking “unsubscribe” or emailing us. Withdrawal does not affect the lawfulness of processing performed before you withdrew.
Right to complain. If you believe we have mishandled your data, you have the right to lodge a complaint with your local data protection supervisory authority (e.g. the Irish Data Protection Commission, the French CNIL, or the UK Information Commissioner's Office). We would appreciate the chance to address your concern first, but you are not required to contact us before filing a complaint.
8. International transfers
Our servers and most sub-processors are located in the United States. If you access CausalTrader from outside the US, your data may be processed in the US under appropriate safeguards. Where required by GDPR, we rely on the European Commission's 2021 Standard Contractual Clauses (Module 2: Controller-to-Processor) to provide an adequate level of protection for personal data transferred outside the EEA.
9. Automated decision-making
Our reports are generated by AI models (large language models) but they concern publicly-traded companies, not you personally. We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals as described in GDPR Art. 22.
10. Security
Data in transit is protected by TLS. Database backups are encrypted. Access to production systems is restricted to a single engineer (Dennis) and protected by hardware-key-backed SSH and 2FA. Despite our best efforts, no system is perfectly secure; if we detect a breach affecting your data we will notify you within 72 hours.
11. Children
CausalTrader is not directed at children under 16 and we don't knowingly collect data from them. If you believe we have, email us and we'll delete it.
12. Changes
Material changes to this policy will be announced by email or on this page at least seven days before taking effect. The “Last updated” date above reflects the current version.
13. Contact
Privacy questions, requests, or complaints: dennis@mercurial-ai.com · Mercurial AI Inc., Chicago, IL, USA.