Privacy Policy

1. Personal Data We Collect

A) Data you provide

• Account & profile (e.g., name, email, password, organization, role).
• Billing (e.g., billing address, VAT/tax IDs, limited payment details; we do not store full card numbers—payments are processed by third‑party providers).
• Communications (e.g., support requests, feedback, survey responses).
• Content you submit where community/posting features are available (e.g., comments). Do not upload confidential or sensitive information.

B) Data collected automatically

• Usage & device information (pages viewed, features used, timestamps, IP address, device identifiers, approximate location, system configuration, crash/error logs).
• Cookies and similar technologies (see §7).

C) Data from third parties

• Payment processors and resellers (billing status, limited transaction data).
• Authentication/identity providers (if you use social or SSO sign‑in).
• Analytics/attribution partners (aggregated metrics).
• Public and licensed business data (e.g., professional contact info for business users).

D) Professional contact & lead data

• Business contact details (e.g., work email, job title, employer, industry), sourcing context (public websites, regulatory filings, trade publications, events, referrals), and interaction metadata (outreach status, responses, opt‑out flags). We may enrich existing records with publicly available or licensed business data. We do not intentionally collect special‑category data for marketing.

Children

The Services are not directed to children. Do not use the Services if you are under the age required by your local law (13 in the US; up to 16 in parts of the EEA without guardian consent). If we learn we collected personal data from a child contrary to law, we will delete it.

2. Purposes & Legal Bases

We process personal data to:

• Provide the Services (create/maintain accounts, deliver functionality, customer support).
  Legal bases: contract performance; legitimate interests.
• Operate, secure, and improve (monitoring, debugging, preventing fraud/abuse, developing new features, analytics).
  Legal bases: legitimate interests; legal obligations.
• Personalize the experience (remember settings and preferences).
  Legal bases: legitimate interests; consent where required.
• Direct marketing & B2B prospecting (emails about our services, updates, events, promotions; contacting prospective business customers).
  Legal bases:
  • EEA/UK/CH: consent for electronic direct marketing to individuals as required by ePrivacy rules; legitimate interests for B2B prospecting to corporate addresses where permitted by local law (with easy opt‑out).
  • US: compliance with CAN‑SPAM; provision of opt‑outs; compliance with state privacy opt‑outs for "sale/share."
  • Canada: express or implied consent under CASL, as applicable (with withdrawal at any time).
• Compliance & enforcement (regulatory reporting, lawful requests, enforcing terms, protecting rights and safety).
  Legal bases: legal obligations; legitimate interests.

Where we rely on consent, you may withdraw it at any time (this does not affect prior processing). Where we rely on legitimate interests, we balance our interests against your rights and expectations.

3. How We Share Personal Data

We share personal data only as described below:

• Service providers (processors). Hosting, security, analytics, email/SMS, customer support tools, payment processing, and similar vendors under contract who process data on our instructions.
• Business partners & integrations you connect or use, at your direction.
• Selected commercial partners (with separate consent). With your explicit, separate consent, we may share your professional contact details (name, work email, employer, role) with a limited number of selected partners so they can contact you about offerings relevant to your professional interests. You can withdraw consent at any time. We do not sell personal information for money.
• Corporate transactions. In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate safeguards.
• Legal and safety. To comply with law, respond to lawful requests, or protect the rights, property, or safety of OreStocks, our users, or the public.
• Aggregated/de‑identified data. We may share data that does not identify you.

We require recipients to protect personal data and honor legal requirements, and we prohibit partners from using shared contact details for purposes other than those disclosed.

4. International Transfers

We are based in Sweden and may process data in other countries. Where personal data from the EEA/UK/Switzerland is transferred outside those regions, we use appropriate safeguards, such as the EU Standard Contractual Clauses (and the UK Addendum, where applicable), and implement technical/organizational measures to protect data.

5. Retention

We retain personal data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce agreements. Retention depends on the category and context (e.g., account data kept while your account is active; billing records retained per tax laws; logs retained for a shorter operational period). Marketing contacts are retained for the shortest period necessary to carry out outreach and maintain accurate suppression records, typically no longer than 24 months from the last meaningful interaction, unless a longer period is required by law or necessary to honor opt‑out records. When data is no longer needed, we delete or irreversibly de‑identify it.

6. Security

We employ technical and organizational safeguards designed to protect personal data (e.g., encryption in transit, access controls, monitoring). No system is completely secure; you are responsible for maintaining the security of your account credentials.

7. Cookies & Tracking Technologies

We use cookies, SDKs, and similar technologies to operate the Services, remember preferences, perform analytics, prevent fraud, and (where applicable) measure or personalize content. Where required by law, we obtain consent for non‑essential cookies.

Your choices: Manage cookies via our on‑site cookie settings (e.g., Accept All, Reject Non‑Essential, or granular controls) and through your browser. If your jurisdiction recognizes Global Privacy Control (GPC) signals, we treat a valid GPC signal as a request to opt‑out of sale/sharing for cross‑context behavioral advertising to the extent required by law.

For details, see our Cookie Policy.

8. Your Rights

Your rights depend on your location. We will honor applicable rights requests and will not discriminate against you for exercising them. To make a request, contact info@orestocks.com and include your name, the email associated with your account, your country/state of residence, and the right you wish to exercise. We may need to verify your identity and request additional information.

EEA/UK (GDPR)

• Access your personal data and obtain a copy.
• Rectification of inaccurate or incomplete data.
• Erasure ("right to be forgotten").
• Restriction of processing in certain cases.
• Portability of data you provided to us.
• Object to processing based on legitimate interests and to direct marketing (including profiling).
• Withdraw consent at any time where processing is based on consent.

You also have the right to lodge a complaint with a supervisory authority. In Sweden, this is the Swedish Authority for Privacy Protection (IMY).

United States (state laws, incl. CA/VA/CO/CT/UT)

• Know/Access the categories and specific pieces of personal information we collected.
• Delete personal information, subject to exceptions.
• Correct inaccurate personal information.
• Opt‑out of (i) "sale" of personal information, (ii) "sharing" for cross‑context behavioral advertising, and (iii) certain profiling for automated decisions with legal or similarly significant effects.
• Limit use/disclosure of sensitive personal information (where applicable).
• Appeal a decision regarding your request (for states that require appeal rights).

We do not sell personal information for money. Some cookie/ad technology may be considered "sale" or "sharing" under certain US laws; use the cookie settings and, if available, the "Do Not Sell or Share My Personal Information" link to opt out. We honor GPC signals where required.

Canada (PIPEDA)

• Access and correct personal information.
• Withdraw consent (subject to legal/contractual restrictions).
• Contact us to challenge our compliance with PIPEDA principles.

Authorized agents may submit requests where permitted by law; we may require proof of authorization.

9. Marketing Communications

You can opt out of marketing emails at any time by clicking unsubscribe in the email or contacting us. We may still send transactional or account‑related messages. We comply with CAN‑SPAM (US) and CASL (Canada) for commercial electronic messages.

10. Automated Processing & Profiling

We use automated methods to generate analytics and insights (e.g., scores, summaries, or alerts) based on public and user‑provided inputs. These processes do not produce legal or similarly significant effects about you. Where required by law, you may object or opt‑out of certain profiling used for marketing.

11. Third‑Party Links & Services

The Services may link to third‑party websites or include third‑party components. We are not responsible for the privacy practices of third parties. Review their policies before providing personal data.

12. Changes to This Policy

We may update this Policy from time to time. We will post the updated version with a new Effective Date and, for material changes, provide additional notice as required by law. Your continued use of the Services after the Effective Date signifies acceptance of the updated Policy.

13. Contact & Complaints

OS Group International AB
Garverigrand 15, 131 60 Nacka, Sweden
Email: info@orestocks.com

EEA/UK users may raise concerns with their local supervisory authority (in Sweden, IMY). US users with unresolved concerns may contact their state attorney general. Canadian users may contact the Office of the Privacy Commissioner of Canada (OPC) or relevant provincial commissioner.

14. Jurisdiction‑Specific Disclosures

California (CCPA/CPRA)

• Categories collected: Identifiers (e.g., name, email, IP), commercial information (subscription data), internet activity (usage logs), geolocation (coarse), and inferences (service usage patterns). We do not use sensitive personal information to infer characteristics.
• Sources: You, your devices, service providers/partners, public sources.
• Purposes: As described in §2.
• Disclosures: To service providers and others as described in §3.
• Retention: As described in §5.
• Your rights & opt‑outs: As described in §8 (including opt‑out of "sale/share").
• Non‑discrimination: We will not discriminate for exercising your rights.
• Notice of financial incentives: If we offer rewards or discounts tied to data, we will present terms describing material aspects, opt‑in, and withdrawal.

Virginia, Colorado, Connecticut, Utah

We provide access, deletion, correction (where applicable), and opt‑out rights for targeted advertising and certain profiling. We offer an appeals process for denied requests (contact info@orestocks.com).

Canada (PIPEDA)

We identify purposes, obtain consent where required, limit collection/use/disclosure/retention, safeguard data, maintain accuracy, provide access and correction, and remain accountable. Marketing emails include an unsubscribe mechanism.

15. Additional Notes

• Roles. We generally act as a controller for personal data we collect. In limited cases, where we process data strictly on behalf of a business customer (e.g., an enterprise contract), we act as a processor under a separate data processing agreement.
• Do Not Track. The Services do not currently respond to browser Do Not Track signals.