Privacy Policy

Effective date: 20 March 2026

This Privacy Policy explains how Intel Desk ("we", "us", "our"), operated by Chris Woodward, collects, uses, and protects your personal information when you use our service at inteldesk.app.

  Summary: We collect only what we need to run the service. We never sell your data to third parties. We comply with GDPR.

1. Data We Collect

Data Type	What	Why
Account info	Email address, name	To create and manage your account, send service communications
Usage data	Pages visited, features used, timestamps, session duration	To improve the Service, diagnose issues, and understand usage patterns
Technical data	IP address, browser type, device info	For security, fraud prevention, and service optimisation

2. How We Use Your Data

To provide, operate, and maintain the Service.
To send you important service updates and communications.
To monitor and analyse usage patterns to improve the Service.
To detect, prevent, and address technical issues or abuse.
To comply with legal obligations.

3. Legal Basis for Processing

Processing Activity	Legal Basis
Account creation and management	Performance of contract (Article 6(1)(b) UK GDPR)
Service communications and updates	Legitimate interest (Article 6(1)(f) UK GDPR)
Usage analytics and service improvement	Legitimate interest (Article 6(1)(f) UK GDPR)
Security and fraud prevention	Legitimate interest (Article 6(1)(f) UK GDPR)
Legal compliance	Legal obligation (Article 6(1)(c) UK GDPR)

4. Third-Party Data Processors and API Interactions

The Service integrates with the following third-party services. Each interaction is limited to the minimum data necessary to deliver the Service:

Provider	Purpose	Data Shared	Location
Supabase	Authentication, user accounts, session management	Email, hashed password, session tokens, user metadata (watchlist tickers)	United States (AWS us-east-1)
Render	Application hosting	Server logs (IP addresses, request timestamps, user agent strings). Logs are retained for 7 days.	United States (Oregon, us-west-2)
Twilio SendGrid	Transactional email (welcome emails, account notifications)	Email address only	United States
Finnhub	Real-time market data streaming	No user data shared. Server-to-server connection only.	United States
Seeking Alpha (via RapidAPI)	Quantitative ratings and analyst consensus	No user data shared. Server-to-server API calls only.	United States
RSS Feed Publishers (130+ sources)	News and intelligence aggregation	No user data shared. Server fetches publicly available RSS feeds.	Various

Market data providers, RSS feeds, and OSINT sources are queried server-side only. No user data, watchlist contents, or account information is ever transmitted to these providers.

5. Cookies

We use cookies strictly for:

Authentication: To keep you signed in and maintain your session.
Security: To protect against cross-site request forgery and other threats.

We do not use advertising or third-party tracking cookies.

6. Watchlist and Configuration Data

When you create a custom watchlist of tickers and instruments, this data is stored in your Supabase user profile as account metadata. Your watchlist is:

Accessible only to you (via your authenticated session) and to system administrators for support purposes.
Never shared with any third-party data provider, market data vendor, or analytics service.
Never used for advertising, profiling, or any purpose beyond delivering your personalised dashboard experience.
Deleted in full when you delete your account.

7. Data Sharing

We do not sell, rent, or trade your personal data to third parties. Data is shared only with the processors listed in Section 4 above, and with legal authorities when required by law. Your watchlist contents, browsing patterns, and alert configurations are never disclosed to any external party.

8. International Data Transfers

Some of our service providers are based in the United States. When we transfer your personal data outside the United Kingdom, we ensure appropriate safeguards are in place, including:

Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office.
Adequacy decisions where applicable.
Binding corporate rules of our service providers.

You may request further details about the safeguards we have in place by contacting us at support@inteldesk.app.

9. Data Retention

Data Category	Retention Period
Account data (email, metadata, watchlist)	Duration of active account + 30 days after deletion request
Authentication sessions	7 days (auto-expired by Supabase)
Server logs (IP, user agent, timestamps)	7 days (auto-purged by Render)
WebSocket connection data	Not stored. In-memory only during active session.
Watchlist/portfolio configuration	Duration of active account. Deleted with account.
Email delivery records	30 days (retained by SendGrid)

If you request account deletion, we will delete your personal data within 30 days, except where we are required by law to retain certain records.

10. Your Rights (UK GDPR)

If you are located in the UK or European Economic Area, you have the following rights under GDPR:

Access - Request a copy of the personal data we hold about you.
Rectification - Request correction of inaccurate data.
Erasure - Request deletion of your personal data.
Portability - Request your data in a structured, machine-readable format.
Objection - Object to processing of your personal data.
Restriction - Request restriction of processing in certain circumstances.

To exercise any of these rights, contact us at support@inteldesk.app. We will respond within 30 days.

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

11. Data Security

We implement appropriate technical and organisational measures to protect your data:

Encryption in transit: All connections use TLS 1.2+ (HTTPS). WebSocket connections use WSS (encrypted).
Authentication: Passwords are hashed using bcrypt via Supabase Auth. We never store or have access to plaintext passwords. Sessions use JWT tokens with automatic expiry.
Access controls: Administrative endpoints are protected by token-based authentication. User data access is scoped to authenticated sessions only.
Infrastructure: Application hosted on Render with automatic TLS certificate management. Database hosted on Supabase with row-level security and encrypted storage at rest.

No method of electronic transmission or storage is 100% secure. If you discover a security vulnerability, please report it to support@inteldesk.app.

12. Children

The Service is not directed at individuals under 18. We do not knowingly collect data from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Effective date" at the top of this page indicates when the policy was last revised.

14. Data Controller and ICO Registration

The data controller for the purposes of UK GDPR is Chris Woodward, trading as Intel Desk. Intel Desk is in the process of completing registration with the Information Commissioner's Office (ICO) as a data controller. Registration reference will be published here upon confirmation. In the interim, all data subject rights and obligations described in this policy are fully honoured.

15. Contact

For any privacy-related questions or requests, contact us at:

Chris Woodward
121 Belgrave Road
London, E17 8QF
United Kingdom
support@inteldesk.app