Back to DashboardPRIVACY POLICY · v2.0
Privacy PolicyEffective: May 20, 2026 · Last updated: May 20, 2026 · Version 2.0
1. Introduction & Controller IdentityStrata (“Strata”, “the Service”) is a financial analytics platform. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with Regulation (EU) 2016/679 (the “GDPR”), the French Loi Informatique et Libertés, and other applicable data-protection law.
Data controller (Art. 13(1)(a)): Wuttipat Klinyam, Entrepreneur Individuel registered in France under the commercial name Wynex Labs. SIREN 100 844 000. SIRET 100 844 000 00016. Code APE 6201Z. Registered office: 59 Rue Georges Lardennois, 75019 Paris, France.
Data protection contact: privacy@wynexlabs.studio. We respond to data-subject requests within one calendar month per Art. 12(3); identity verification may be required for sensitive requests.
Data Protection Officer (Art. 37): No Data Protection Officer is appointed. The Art. 37(1) criteria are not met (Strata is not a public authority, our core activities do not consist of large-scale systematic monitoring, and we do not process special-category data under Art. 9 at scale). The controller handles all privacy matters directly at the address above. This position is reviewed annually.
EU representative (Art. 27): Not required — the controller is established in the European Union (France).
By using Strata, you acknowledge that you have read and understood this Privacy Policy.
2. Data We CollectWe collect the following categories of personal data:
Account information: Name and email address provided by your authentication provider (Google OAuth, email + OTP, or passkey).
Usage data: Portfolios, watchlists, preferences, and analytical inputs you create within the platform.
Payment data: Subscription status and billing period. Payment card details are processed and stored exclusively by Stripe; we never see or store your card number.
Technical data: IP address, browser type, and session tokens for authentication and security purposes.
Audit logs: Records of key account actions (login, consent acceptance, data export, account deletion) for security and compliance.
3. Purpose and Legal Basis (GDPR Art. 6)PurposeLegal Basis
Providing the Service and its featuresPerformance of contract (Art. 6(1)(b))
Authentication, session management, account recoveryPerformance of contract (Art. 6(1)(b))
Processing subscription payments via StripePerformance of contract (Art. 6(1)(b))
Maintaining invoicing records (10 years, French commercial law)Legal obligation (Art. 6(1)(c))
Security monitoring, abuse detection, audit loggingLegitimate interest (Art. 6(1)(f))
Error monitoring via Sentry (text-masked, on-error only)Legitimate interest (Art. 6(1)(f))
Aggregate analytics via Vercel (cookie-free, see §6)Legitimate interest (Art. 6(1)(f))
AI-assisted analysis on demand (see §10)Performance of contract (Art. 6(1)(b))
Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test. For Vercel analytics specifically, the test is documented in our Legitimate Interests Assessment, available on request at privacy@wynexlabs.studio. You have a right to object to processing based on legitimate interest at any time (see §5).
4. Data RetentionWe retain your personal data for as long as your account is active. If you request account deletion, all your personal data is permanently erased within 30 days, except:
Invoicing and accounting records: retained for 10 years from the end of the financial year of the transaction, as required by French commercial law (Code de commerce, Art. L123-22). These records are minimised (invoice number, date, amount, VAT mention, your name and the email address on the invoice) and stored under access controls.
Audit-log security events: certain security-relevant audit records (failed-login spikes, API-key abuse) are retained for 12 months for security purposes, then deleted. Routine audit records (login, consent acceptance) are deleted with the account.
Stripe billing data: retained by Stripe under their own retention policy (independent controller for payment fraud-prevention purposes).
Cached market data (equity snapshots, SEC filings) contains no personal information and is shared across users. It is not subject to user-driven deletion.
5. Your Rights Under GDPRYou have the following rights regarding your personal data:
Right of access (Art. 15): Request a copy of your personal data.
Right to rectification (Art. 16): Update inaccurate personal data via your account settings.
Right to erasure (Art. 17): Delete your account and all associated data from your Account Settings.
Right to data portability (Art. 20): Export all your data in JSON format from your Account Settings.
Right to restrict processing (Art. 18): Contact us to restrict processing of your data.
Right to object (Art. 21): Object to processing based on legitimate interest (e.g., analytics, error monitoring) by emailing the contact below.
We respond to data-subject requests within one calendar month per Art. 12(3). This period may be extended by two further months for complex or numerous requests, in which case we will inform you within one month of the reason. Identity verification may be required for sensitive requests.
If you believe your data-protection rights have been violated, you may lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at https://www.cnil.fr/fr/plaintes, or with the supervisory authority of your habitual residence.
6. Cookies and similar technologiesStrata uses a small, deliberately-minimised set of cookies and browser-storage items. We use no third-party advertising, marketing, or behavioural-profiling cookies — no Google Analytics, no Meta / Facebook pixel, no HubSpot, Mixpanel, or Hotjar. Because all our cookies are strictly necessary, exempt under Art. 82 LCEN, or governed by a documented legitimate interest with a right to object, we do not display a cookie consent banner. The table below replaces the information a banner would otherwise provide.
NameTypePurposeLifetimePartyLegal basis
next-auth.session-token / __Secure-next-auth.session-tokenCookie (HttpOnly)Authenticated session30 daysFirst-partyStrictly necessary — LCEN Art. 82 exempt
__Host-next-auth.csrf-tokenCookie (HttpOnly, Secure)CSRF protectionSessionFirst-partyStrictly necessary
next-auth.callback-urlCookiePost-login redirectSessionFirst-partyStrictly necessary
__stripe_mid / __stripe_sidCookieStripe payment fraud prevention (checkout pages only)1 year / 30 minThird-party (Stripe)Strictly necessary for payment — CNIL user-request exemption
portfolios_v2, equity_lab_v1, theme, glossary modelocalStorageIn-browser persistence of portfolios, lab inputs, UI preferencesPersistent (until you clear)First-partyStrictly necessary for feature delivery — LCEN Art. 82 exempt
Service-worker cache (Strata PWA)Service WorkerOffline functionalityUntil evictedFirst-partyStrictly necessary
Vercel Web Analytics + Speed InsightsNo cookie, no localStorage. Server-side IP+UA hash, 24h retention, discarded.Aggregate traffic measurement + Web Vitals performance24h server-side hashThird-party (Vercel)Art. 6(1)(f) legitimate interest — LIA available on request
Sentry on-error replaysessionStorage; on-error only, never continuous; text maskedError diagnosisSessionThird-party (Sentry)Art. 6(1)(f) legitimate interest — service reliability + security
How to control these: sign out at any time (clears the NextAuth session cookie); clear browser storage from your browser's settings (clears localStorage items and the service-worker cache); object to the Art. 6(1)(f) legitimate-interest processing (Vercel + Sentry) by emailing privacy@wynexlabs.studio with the subject “Opt-out of analytics”.
Vercel Web Analytics is verified cookie-free per Vercel's published privacy policy (privacy doc); it identifies sessions via a server-side hash of your IP and User-Agent, retained 24 hours then discarded. We never see your raw IP. The processing relies on legitimate interest because no terminal-equipment access occurs and the data is pseudonymous, aggregated, and short-retained.
7. Third-Party Services (Subprocessors)We rely on a small number of subprocessors to operate the platform (hosting, database, authentication, payments, error monitoring, transactional email, and the AI Intelligence Layer described in §10). The full list — including each subprocessor's purpose, processing region, and international transfer mechanism — is maintained on our dedicated Subprocessors page. We provide at least 30 calendar days' prior notice before adding or replacing a subprocessor; customers who object within the notice period may terminate the affected service for material breach with a prorated refund of any unused pre-paid term.
8. International Data TransfersYour account data, portfolios, audit logs, and cached market data are stored in the European Union — specifically, in Neon PostgreSQL's eu-central-1 region (Frankfurt, Germany). Application hosting (Vercel) and error monitoring (Sentry) operate EU-resident endpoints for our traffic.
AI processing is described in detail in §10. Briefly: the routing layer prefers EU-resident inference endpoints (Azure AI Foundry in Sweden Central; AWS Bedrock in Frankfurt; Vertex AI in europe-west4). One important honest disclosure: when Anthropic Claude models are accessed via Azure AI Foundry, the request is routed through Microsoft's EU infrastructure under the Microsoft Data Processing Addendum, but the actual model inference still runs on Anthropic's US infrastructure today. Microsoft's roadmap targets EU-native Claude inference, but it is not contractually binding as of the date of this Policy. Where strict EU-residency is required, we route Claude traffic via AWS Bedrock Frankfurt (eu.anthropic.* model IDs) instead.
All non-EU transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) under Art. 46(2)(c), with each subprocessor's Data Processing Addendum incorporating the SCCs by reference. For US-recipient processors, where the EU–US Data Privacy Framework adequacy decision applies and the recipient is DPF-certified, that decision also provides a transfer mechanism. Detailed transfer information per subprocessor is in our Subprocessor Register.
9. Security MeasuresWe implement the following security measures:
HTTPS/TLS encryption for all data in transit
Database encryption at rest (Neon PostgreSQL)
Content Security Policy headers with per-request nonces
HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy
Authentication via Google OAuth, email-OTP, or WebAuthn passkey (no password storage)
Audit logging of security-relevant actions
10. AI Data HandlingStrata includes AI-assisted features powering inline metric explanations, the command-palette AI commands, and the Strata Analyst side panel. This section describes how we handle your data when you use these features.
Providers and routing. AI requests are routed server-side via our internal AI router to one of the following providers, depending on the task:Microsoft Azure AI Foundry (Sweden Central, EU) — primary route for DeepSeek V4, GPT-4o, and Anthropic Claude. Microsoft DPA incorporated automatically.
AWS Bedrock (Frankfurt, EU) — EU-residency-today route for Anthropic Claude (eu.anthropic.* cross-region IDs).
Google Vertex AI (europe-west4 Netherlands, EU) — used for Gemini-family tasks.
Direct provider APIs (Anthropic, OpenAI, Mistral) — used only as fallback when EU-resident endpoints are unavailable.
The active provider per request is logged with a residency label. Our live Subprocessor Register is the authoritative source.
EU-residency disclosure. As described in §8, Anthropic Claude inference via Azure AI Foundry runs on Anthropic's US infrastructure today, under the Microsoft DPA. For strict-EU-residency use cases, we route via AWS Bedrock Frankfurt instead. We do not claim that all AI inference is EU-resident today; we are honest about which provider runs where.
No training on your data. Where a zero-retention enterprise contract is in place with a provider, your inputs are not retained beyond the request itself and are not used to train any model. Where a zero-retention contract is still pending, we rely on the providers' default API non-training terms (Anthropic and OpenAI both contractually exclude API traffic from training under their default API terms) and configure the lowest-retention option available. The exact contractual status per provider is maintained in our DPA register and summarised on the Subprocessor Register page.
Audit log. For each invocation we record the task, model, provider region / residency label, surface, token counts, latency, and success/error status. Message contents are not stored.
Cache. Generic popover explanations are cached server-side for 7 days, keyed by the metric and its rounded value. The cache does not include any user identifier.
Right to opt out. You may request a flag on your account that disables all AI surfaces by writing to privacy@wynexlabs.studio.
No automated decision-making with legal effect. The AI features are computational aids; they do not make decisions that produce legal or similarly significant effects within the meaning of Art. 22(1). Strata is not investment advice (see §3 of our Terms of Service) and the AI surfaces refuse buy/sell recommendations. Every AI response ends with the disclaimer “Educational purposes only. Not investment advice.”
11. Contact & Supervisory AuthorityFor any privacy-related request or question, contact us at: privacy@wynexlabs.studio.
For general queries: legal@wynexlabs.studio. For security-disclosure submissions: security@wynexlabs.studio.
Postal: Wuttipat Klinyam (Wynex Labs), 59 Rue Georges Lardennois, 75019 Paris, France.
If you believe your data-protection rights have been violated, you may lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at https://www.cnil.fr/fr/plaintes, or with the supervisory authority of your habitual residence in another EU/EEA Member State.
Project Strata © 2026|Wynex Labs|Changelog|Terms
Built for analysts

Privacy Policy

Effective: May 20, 2026 · Last updated: May 20, 2026 · Version 2.0

1. Introduction & Controller Identity

Strata (“Strata”, “the Service”) is a financial analytics platform. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with Regulation (EU) 2016/679 (the “GDPR”), the French Loi Informatique et Libertés, and other applicable data-protection law.

Data controller (Art. 13(1)(a)): Wuttipat Klinyam, Entrepreneur Individuel registered in France under the commercial name Wynex Labs. SIREN 100 844 000. SIRET 100 844 000 00016. Code APE 6201Z. Registered office: 59 Rue Georges Lardennois, 75019 Paris, France.

Data protection contact: privacy@wynexlabs.studio. We respond to data-subject requests within one calendar month per Art. 12(3); identity verification may be required for sensitive requests.

Data Protection Officer (Art. 37): No Data Protection Officer is appointed. The Art. 37(1) criteria are not met (Strata is not a public authority, our core activities do not consist of large-scale systematic monitoring, and we do not process special-category data under Art. 9 at scale). The controller handles all privacy matters directly at the address above. This position is reviewed annually.

EU representative (Art. 27): Not required — the controller is established in the European Union (France).

By using Strata, you acknowledge that you have read and understood this Privacy Policy.

2. Data We Collect

We collect the following categories of personal data:

Account information: Name and email address provided by your authentication provider (Google OAuth, email + OTP, or passkey).
Usage data: Portfolios, watchlists, preferences, and analytical inputs you create within the platform.
Payment data: Subscription status and billing period. Payment card details are processed and stored exclusively by Stripe; we never see or store your card number.
Technical data: IP address, browser type, and session tokens for authentication and security purposes.
Audit logs: Records of key account actions (login, consent acceptance, data export, account deletion) for security and compliance.

3. Purpose and Legal Basis (GDPR Art. 6)

Purpose	Legal Basis
Providing the Service and its features	Performance of contract (Art. 6(1)(b))
Authentication, session management, account recovery	Performance of contract (Art. 6(1)(b))
Processing subscription payments via Stripe	Performance of contract (Art. 6(1)(b))
Maintaining invoicing records (10 years, French commercial law)	Legal obligation (Art. 6(1)(c))
Security monitoring, abuse detection, audit logging	Legitimate interest (Art. 6(1)(f))
Error monitoring via Sentry (text-masked, on-error only)	Legitimate interest (Art. 6(1)(f))
Aggregate analytics via Vercel (cookie-free, see §6)	Legitimate interest (Art. 6(1)(f))
AI-assisted analysis on demand (see §10)	Performance of contract (Art. 6(1)(b))

Where we rely on legitimate interest (Art. 6(1)(f)), we have conducted a balancing test. For Vercel analytics specifically, the test is documented in our Legitimate Interests Assessment, available on request at privacy@wynexlabs.studio. You have a right to object to processing based on legitimate interest at any time (see §5).

4. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion, all your personal data is permanently erased within 30 days, except:

Invoicing and accounting records: retained for 10 years from the end of the financial year of the transaction, as required by French commercial law (Code de commerce, Art. L123-22). These records are minimised (invoice number, date, amount, VAT mention, your name and the email address on the invoice) and stored under access controls.
Audit-log security events: certain security-relevant audit records (failed-login spikes, API-key abuse) are retained for 12 months for security purposes, then deleted. Routine audit records (login, consent acceptance) are deleted with the account.
Stripe billing data: retained by Stripe under their own retention policy (independent controller for payment fraud-prevention purposes).

Cached market data (equity snapshots, SEC filings) contains no personal information and is shared across users. It is not subject to user-driven deletion.

5. Your Rights Under GDPR

You have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of your personal data.
Right to rectification (Art. 16): Update inaccurate personal data via your account settings.
Right to erasure (Art. 17): Delete your account and all associated data from your Account Settings.
Right to data portability (Art. 20): Export all your data in JSON format from your Account Settings.
Right to restrict processing (Art. 18): Contact us to restrict processing of your data.
Right to object (Art. 21): Object to processing based on legitimate interest (e.g., analytics, error monitoring) by emailing the contact below.

We respond to data-subject requests within one calendar month per Art. 12(3). This period may be extended by two further months for complex or numerous requests, in which case we will inform you within one month of the reason. Identity verification may be required for sensitive requests.

If you believe your data-protection rights have been violated, you may lodge a complaint with the French supervisory authority, the Commission Nationale de l'Informatique et des Libertés (CNIL), at https://www.cnil.fr/fr/plaintes, or with the supervisory authority of your habitual residence.

6. Cookies and similar technologies

Strata uses a small, deliberately-minimised set of cookies and browser-storage items. We use no third-party advertising, marketing, or behavioural-profiling cookies — no Google Analytics, no Meta / Facebook pixel, no HubSpot, Mixpanel, or Hotjar. Because all our cookies are strictly necessary, exempt under Art. 82 LCEN, or governed by a documented legitimate interest with a right to object, we do not display a cookie consent banner. The table below replaces the information a banner would otherwise provide.

Name	Type	Purpose	Lifetime	Party	Legal basis
next-auth.session-token / __Secure-next-auth.session-token	Cookie (HttpOnly)	Authenticated session	30 days	First-party	Strictly necessary — LCEN Art. 82 exempt
__Host-next-auth.csrf-token	Cookie (HttpOnly, Secure)	CSRF protection	Session	First-party	Strictly necessary
next-auth.callback-url	Cookie	Post-login redirect	Session	First-party	Strictly necessary
__stripe_mid / __stripe_sid	Cookie	Stripe payment fraud prevention (checkout pages only)	1 year / 30 min	Third-party (Stripe)	Strictly necessary for payment — CNIL user-request exemption
portfolios_v2, equity_lab_v1, theme, glossary mode	localStorage	In-browser persistence of portfolios, lab inputs, UI preferences	Persistent (until you clear)	First-party	Strictly necessary for feature delivery — LCEN Art. 82 exempt
Service-worker cache (Strata PWA)	Service Worker	Offline functionality	Until evicted	First-party	Strictly necessary
Vercel Web Analytics + Speed Insights	No cookie, no localStorage. Server-side IP+UA hash, 24h retention, discarded.	Aggregate traffic measurement + Web Vitals performance	24h server-side hash	Third-party (Vercel)	Art. 6(1)(f) legitimate interest — LIA available on request
Sentry on-error replay	sessionStorage; on-error only, never continuous; text masked	Error diagnosis	Session	Third-party (Sentry)	Art. 6(1)(f) legitimate interest — service reliability + security

How to control these: sign out at any time (clears the NextAuth session cookie); clear browser storage from your browser's settings (clears localStorage items and the service-worker cache); object to the Art. 6(1)(f) legitimate-interest processing (Vercel + Sentry) by emailing privacy@wynexlabs.studio with the subject “Opt-out of analytics”.

Vercel Web Analytics is verified cookie-free per Vercel's published privacy policy (privacy doc); it identifies sessions via a server-side hash of your IP and User-Agent, retained 24 hours then discarded. We never see your raw IP. The processing relies on legitimate interest because no terminal-equipment access occurs and the data is pseudonymous, aggregated, and short-retained.

7. Third-Party Services (Subprocessors)

We rely on a small number of subprocessors to operate the platform (hosting, database, authentication, payments, error monitoring, transactional email, and the AI Intelligence Layer described in §10). The full list — including each subprocessor's purpose, processing region, and international transfer mechanism — is maintained on our dedicated Subprocessors page. We provide at least 30 calendar days' prior notice before adding or replacing a subprocessor; customers who object within the notice period may terminate the affected service for material breach with a prorated refund of any unused pre-paid term.

8. International Data Transfers

Your account data, portfolios, audit logs, and cached market data are stored in the European Union — specifically, in Neon PostgreSQL's eu-central-1 region (Frankfurt, Germany). Application hosting (Vercel) and error monitoring (Sentry) operate EU-resident endpoints for our traffic.

AI processing is described in detail in §10. Briefly: the routing layer prefers EU-resident inference endpoints (Azure AI Foundry in Sweden Central; AWS Bedrock in Frankfurt; Vertex AI in europe-west4). One important honest disclosure: when Anthropic Claude models are accessed via Azure AI Foundry, the request is routed through Microsoft's EU infrastructure under the Microsoft Data Processing Addendum, but the actual model inference still runs on Anthropic's US infrastructure today. Microsoft's roadmap targets EU-native Claude inference, but it is not contractually binding as of the date of this Policy. Where strict EU-residency is required, we route Claude traffic via AWS Bedrock Frankfurt (eu.anthropic.* model IDs) instead.

All non-EU transfers are governed by the European Commission's Standard Contractual Clauses (SCCs) under Art. 46(2)(c), with each subprocessor's Data Processing Addendum incorporating the SCCs by reference. For US-recipient processors, where the EU–US Data Privacy Framework adequacy decision applies and the recipient is DPF-certified, that decision also provides a transfer mechanism. Detailed transfer information per subprocessor is in our Subprocessor Register.

9. Security Measures

We implement the following security measures:

HTTPS/TLS encryption for all data in transit
Database encryption at rest (Neon PostgreSQL)
Content Security Policy headers with per-request nonces
HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy, Permissions-Policy
Authentication via Google OAuth, email-OTP, or WebAuthn passkey (no password storage)
Audit logging of security-relevant actions

10. AI Data Handling

Strata includes AI-assisted features powering inline metric explanations, the command-palette AI commands, and the Strata Analyst side panel. This section describes how we handle your data when you use these features.

Providers and routing. AI requests are routed server-side via our internal AI router to one of the following providers, depending on the task:
- Microsoft Azure AI Foundry (Sweden Central, EU) — primary route for DeepSeek V4, GPT-4o, and Anthropic Claude. Microsoft DPA incorporated automatically.
- AWS Bedrock (Frankfurt, EU) — EU-residency-today route for Anthropic Claude (eu.anthropic.* cross-region IDs).
- Google Vertex AI (europe-west4 Netherlands, EU) — used for Gemini-family tasks.
- Direct provider APIs (Anthropic, OpenAI, Mistral) — used only as fallback when EU-resident endpoints are unavailable.
The active provider per request is logged with a residency label. Our live Subprocessor Register is the authoritative source.
EU-residency disclosure. As described in §8, Anthropic Claude inference via Azure AI Foundry runs on Anthropic's US infrastructure today, under the Microsoft DPA. For strict-EU-residency use cases, we route via AWS Bedrock Frankfurt instead. We do not claim that all AI inference is EU-resident today; we are honest about which provider runs where.
No training on your data. Where a zero-retention enterprise contract is in place with a provider, your inputs are not retained beyond the request itself and are not used to train any model. Where a zero-retention contract is still pending, we rely on the providers' default API non-training terms (Anthropic and OpenAI both contractually exclude API traffic from training under their default API terms) and configure the lowest-retention option available. The exact contractual status per provider is maintained in our DPA register and summarised on the Subprocessor Register page.
Audit log. For each invocation we record the task, model, provider region / residency label, surface, token counts, latency, and success/error status. Message contents are not stored.
Cache. Generic popover explanations are cached server-side for 7 days, keyed by the metric and its rounded value. The cache does not include any user identifier.
Right to opt out. You may request a flag on your account that disables all AI surfaces by writing to privacy@wynexlabs.studio.
No automated decision-making with legal effect. The AI features are computational aids; they do not make decisions that produce legal or similarly significant effects within the meaning of Art. 22(1). Strata is not investment advice (see §3 of our Terms of Service) and the AI surfaces refuse buy/sell recommendations. Every AI response ends with the disclaimer “Educational purposes only. Not investment advice.”

11. Contact & Supervisory Authority

For any privacy-related request or question, contact us at: privacy@wynexlabs.studio.

For general queries: legal@wynexlabs.studio. For security-disclosure submissions: security@wynexlabs.studio.

Postal: Wuttipat Klinyam (Wynex Labs), 59 Rue Georges Lardennois, 75019 Paris, France.