Privacy Policy
Last updated: September 4, 2025
This Privacy Policy explains how Edwin Research LLC ("Company," "we," "us," or "our") collects, uses, and shares information when you use our websites, products, and services, including FOIAsearch.com, CommentLetterSearch.com, 8KSearch.com, StockPromotionTracker.com, StopNasdaqChinaFraud.com, and related applications, APIs, and features (collectively, the "Services").
By using the Services, you agree to the practices described here. If you do not agree, please do not use the Services.
Not legal advice. This policy describes our practices but is not a legal contract with you beyond what privacy laws require. Our Terms of Service govern your use of the Services.
1) What we collect
We collect information in three main ways: (A) you provide it; (B) it's collected automatically; (C) it comes from third parties.
A. Information you provide
- Account details: email
- Billing: email, and transaction metadata from our payment processor (we do not store full card numbers).
- Preferences & saved data: custom metadata you add.
- Support & communications: messages you send us (email, forms), feedback, survey responses.
- Content you upload: if you upload or annotate materials (e.g., lists or notes), we process them to operate the Services.
B. Information collected automatically
- Usage & device data: IP address (stored in an encrypted form), referring/exit pages, UTM parameters, timestamps, and feature use.
- Log data: request/response metadata, error logs, API usage, rate-limit events (e.g., Redis counters).
- Cookies & similar tech: session cookies; metered/paywall cookies (including a signed anonymous cookie to enforce free-tier limits across our sites).
C. Information from third parties
- Payment processor: payment status, last four digits and card type token (no full PAN), charge outcomes, refunds.
- Email/CRM: deliverability, open/click rates via Brevo (formerly Sendinblue) for service and marketing emails.
- Market/filing data sources: e.g., Google Finance, Polygon.io, SEC/FOIA/public websites. These provide content/data, not your personal information.
- Authentication providers (if SSO/OAuth enabled): basic profile and verification tokens.
Public data we index. We ingest and organize publicly available documents (e.g., FOIA releases, SEC filings, comment letters). These may contain personal information already published by their sources. We don't control what public bodies disclose; we merely index and make it searchable.
2) How we use information
We use information to:
- Provide the Services: authenticate users, deliver search/results, maintain saved items, and enforce plan entitlements.
- Operate & secure: prevent abuse, fraud, scraping, and unauthorized access; detect anomalies; measure performance; apply rate limits.
- Improve: debug, test, and develop new features (including quality and relevance tuning for search).
- Bill & administer: process payments, invoicing, accounting, tax and audit compliance.
- Communicate: send service messages (account, security, changes), and—with your consent or as permitted—product updates and marketing.
- Legal compliance: comply with law, respond to lawful requests, enforce our Terms, and protect rights, property, and users.
Legal bases for EU/UK users
Where GDPR/UK GDPR applies, we rely on: Contract (to provide the Services), Legitimate Interests (security, improvement, analytics proportional to your privacy), Consent (optional cookies/marketing where required), and Legal Obligation (tax/audit/requests).
3) Cookies and similar technologies
We use:
- Strictly necessary cookies (cannot be turned off): login/session; security; paywall/metering (e.g., a signed anonymous cookie to count free usage across our domains); load balancing.
- Analytics (optional/consented where required): to understand aggregate usage and improve reliability.
No cross-site targeted ads. We do not run third-party behavioral advertising on our sites.
You can control cookies in your browser. Blocking essential cookies may break core functionality. Clearing cookies may reset metering, but we may also use server-side signals (e.g., IP + user agent) to enforce fair use and prevent abuse.
4) How we share information
We share information only as needed to provide and operate the Services, or as required by law:
Service providers / processors (bound by contract to protect data):
- Hosting & infrastructure: Vercel
- Database & storage: Supabase
- Caching/Rate-limiting/Queues: Upstash (Redis)
- Email delivery: Brevo
- Payments: Stripe
- Monitoring & logging: Vercel
- Market/filing data providers (content ingestion/attribution): e.g., Google Finance, Polygon.io, SEC EDGAR/FOIA sources.
Other sharing:
- Corporate events: merger, acquisition, financing, or sale of assets (your information may transfer as part of the deal).
- Legal: to comply with law, court orders, or enforce our rights and user safety.
We do not sell your personal information and we do not "share" it for cross-context behavioral advertising as defined by the CPRA.
5) Data retention
We retain information for as long as necessary to provide the Services and for legitimate business needs:
- Account & billing records: life of account + tax/audit requirements
- Logs & security events: 14 days
- User-uploaded content: until you delete it or your account is closed, subject to backups and legal requirements.
Backups are kept for limited periods and then purged on a rolling basis.
6) Security
We use reasonable technical and organizational measures (encryption in transit, access controls, least-privilege, environment isolation, and monitoring). No system is perfectly secure; you are responsible for safeguarding your credentials and notifying us of suspected compromise.
7) Analytics and signals
We may use privacy-respecting analytics to understand aggregate usage and reliability. Where required, we will request consent before setting non-essential cookies. You can withdraw consent at any time via our cookie controls (if present) or by contacting us.
Do Not Track. Industry standards for DNT are not uniform, so we currently do not respond to DNT signals.
8) Your rights & choices
Depending on where you live, you may have rights to:
- Access: know what personal information we have about you.
- Correct: fix inaccurate information.
- Delete: request deletion of personal information (subject to legal exceptions).
- Portability: receive a copy in a usable format.
- Opt-out of marketing: unsubscribe via email link or contact us.
- Limit/withdraw consent: for optional cookies or marketing where relied upon.
- Appeal (VA/CO/CT etc.): if we deny a request, you can appeal.
How to exercise your rights
Email us at edwin@585research.com with the subject "Privacy Request" and tell us which rights you wish to exercise. We may need to verify your identity (e.g., confirm control of your email). You may use an authorized agent where permitted; we may require proof of authorization and identity verification.
We will not discriminate against you for exercising your rights.
9) Additional notices for specific regions
California (CCPA/CPRA)
- Categories collected: identifiers (e.g., email, IP), commercial information (transactions), internet activity (usage logs), inferences for security/anti-fraud.
- Sources: you, your devices, service providers, and public sources.
- Purposes: see §2.
- Disclosures: to service providers and as described in §4.
- "Sale" and "Sharing": we do not sell personal information and do not share it for cross-context behavioral advertising.
- Sensitive personal information: we do not use it for additional purposes requiring a right to limit under CPRA.
EEA/UK/Switzerland (GDPR)
- Controller: [Company Legal Name] is the controller for personal data described here.
- Data transfers: when we transfer data outside the EEA/UK, we rely on approved safeguards (e.g., Standard Contractual Clauses).
- EU/UK representative (if applicable): [Representative/Contact].
- Complaints: you may lodge a complaint with your local supervisory authority, but we'd appreciate a chance to resolve concerns first.
Canada
You may contact us to access/correct your personal information and to learn about our policies and practices with respect to service providers outside Canada.
10) Children's privacy
The Services are not directed to children under 13 (or older if required by local law). We do not knowingly collect personal information from children. If you believe a child has provided personal information, contact us to request deletion.
11) Public documents and takedowns
We index public records from government and regulatory sources. Removal requests for such materials should generally be directed to the originating public body. For privacy concerns about public documents we display, contact us and we'll review on a case-by-case basis.
12) International transfers
We and our providers may process information in countries other than your own. These locations may have different data-protection laws than your jurisdiction. We use appropriate safeguards for such transfers as required by law.
13) Third-party links and services
The Services may link to third-party websites or services. We are not responsible for their privacy practices. Review their policies before providing personal information.
14) Changes to this policy
We may update this Privacy Policy periodically. We'll update the "Last updated" date and, where required, provide additional notice. Your continued use after the effective date means you accept the changes.
15) Contact us
- Email (privacy): edwin@585research.com
16) Subprocessors (illustrative)
We use carefully selected providers to process data on our behalf. Key categories include:
Category | Provider | Purpose |
---|---|---|
Hosting/CDN | [Vercel/AWS/GCP] | Serve app & assets |
Database & Storage | Supabase | Postgres database; file storage (via HTTP) |
Caching/Rate-limiting | Upstash (Redis) | Abuse prevention, metering |
Email | Brevo | Transactional & product emails |
Market Data/Content | Google Finance, Polygon.io, SEC/FOIA sites | Public data ingestion & display |
Payments | Stripe | Payment processing and invoicing |
Contact us for a current list and locations. We contractually require processors to protect personal data and use it only as instructed.