Privacy policy
Last updated: 2026-05-26
Nordpuls is a public web app at nordpuls.app operated by Olav Koefoed as a natural person. This policy describes what data Nordpuls processes when you visit the site, why it processes that data, who else sees it, and how to exercise the rights GDPR gives you.
What data we process
You can use the public parts of Nordpuls — Equity Overview pages, privacy, terms — completely anonymously. If you want to use the AI panel, you can optionally create an account (email-only, no password) and supply your own API key for an LLM provider (currently Anthropic). The data that flows during normal operation:
- Your HTTP request — your IP address, browser User-Agent, and the path you requested reach Vercel (the hosting provider), where they are needed to serve the response and retained in Vercel's access logs per Vercel's published retention policy.
- Server-side errors — if a page or API route breaks, a stack trace and the failing route reach Sentry (EU region) so the failure can be diagnosed and fixed. The Sentry SDK is configured with
sendDefaultPii: false— IP addresses, cookies, and request headers are not attached to error events. A server-side hook additionally drops the request body for any error originating from a route under/api/and redacts the values of headers that look like credentials. - Ticker queries — when you visit a stocks page, Nordpuls makes server-to-server calls to financial-data providers (Finnhub, Financial Modeling Prep, OpenFIGI, SEC EDGAR, Twelve Data). These calls send only the ticker symbol you requested; they do not send your IP, cookies, or any personal identifier.
- Account creation and sign-in — when you sign in, your email address and a single-use 24-hour magic-link token reach Resend (EU region) for email delivery and are stored in Neon (Frankfurt) in the
usersandverification_tokenstables. Once you click the link, an opaque session token is written tosessionsand set as anHttpOnlySecureSameSite=Laxcookie with a 30-day rolling expiry. You can revoke every session at once from /account. - Your BYOK provider key (only if you set one) — your Anthropic API key is encrypted at rest in Neon under a key Nordpuls controls. We cannot read your key unless we explicitly decrypt it on your behalf, which only happens during an outbound LLM call you initiated (you clicked "Generate summary" or asked a question in the AI panel). The decryption key is derived per-user, so a database leak alone yields ciphertext, not keys. The plaintext is never logged. Full contract:
docs/ai/byok.mdin the project repository. - LLM calls (only if you use the AI panel) — your prompt and the equity context for that page reach your chosen LLM provider under your own API key. The relationship for that call is between you and the provider; Nordpuls does not log the prompt body or the response stream. The full list of what Nordpuls never logs (plaintext key, decrypted ciphertext, prompt body, response stream) is documented in
docs/ai/byok.md§ What we don't log.
Cookies
Nordpuls sets no tracking cookies and loads no third-party tracking script. The only cookies that may appear in your browser are strictly necessary for the service you requested:
- Vercel's load-balancer affinity cookie — necessary for routing to work; set on every visitor regardless of sign-in state.
authjs.session-token— only set after you sign in.HttpOnly,Secure,SameSite=Lax, 30-day rolling expiry. Carries no information beyond the opaque session token that lets us look up your session in the database. Signing out deletes the row + clears the cookie.
Both cookies fall under the ePrivacy Directive's exemption for "services explicitly requested by the user". For that reason no consent banner is shown.
Sub-processors
The following parties may process data on Nordpuls' behalf:
- Vercel, Inc.— hosting and CDN. US-headquartered with EU edge points of presence. Standard Contractual Clauses cover transatlantic transfers under Vercel's Data Processing Addendum.
- Neon, Inc. — Postgres database, EU region (Frankfurt). Holds the account, session, and (when configured) encrypted BYOK key rows described above.
- Sentry GmbH — error tracking, EU region (
de.sentry.io). Receives stack traces and minimal route metadata. - Resend— transactional email provider, EU region (Ireland). Receives your email address and the rendered magic-link email when you sign in. Retains delivery metadata per Resend's DPA; account deletion removes your row from Nordpuls' database but does not automatically purge Resend's delivery records. Users requesting full deletion can additionally have their address added to Resend's suppression list — email privacy@nordpuls.app to request this.
- Anthropic PBC — LLM provider for the AI panel. Only contacted when you initiate an AI call from
/stocks/<TICKER>and only under your own API key. Your prompt and the equity context for that page reach Anthropic; Nordpuls relays the call but does not store the request body or the response. You are Anthropic's direct customer for that interaction. Anthropic's published policy is that API submissions are not used to train models by default. Their DPA governs the user↔Anthropic relationship; Nordpuls does not act as Anthropic's processor on your behalf. - Namecheap, Inc.— domain registrar and email forwarding. Receives the operator's contact details only, not user data.
Financial-data providers (Finnhub, Financial Modeling Prep, OpenFIGI, SEC EDGAR, Twelve Data) are not GDPR sub-processors because no personal data of users is sent to them — only ticker symbols, which are identifiers of public companies.
LLM providers under BYOK(Anthropic in v1): when you use the AI panel, your prompt reaches the provider you chose, under your own API key. You are the provider's direct customer for that interaction — the data-controller relationship is between you and them, governed by their own policies. Nordpuls forwards the call but does not log the prompt body or the response stream on its side. The streaming response is rendered to your browser as tokens arrive and is then discarded.
Legal bases
- Contract (GDPR Article 6(1)(b)) — for processing strictly necessary to provide the service you requested (loading a page, looking up a ticker).
- Legitimate interest (GDPR Article 6(1)(f)) — for server-side error tracking. The interest in keeping the service working is balanced against the minimal PII surface configured into the integration.
Nordpuls does not rely on consent for any processing in v1.
Your rights
Under GDPR you have rights of access, rectification, erasure, restriction of processing, data portability, and objection.
Erasure. If you have an account, the fastest way to erase your data is the self-serve flow on /account — the "Delete account" card runs a triple confirmation and then atomically destroys your user row, every active session, and the encrypted copy of your AI provider key. You do not need to email anyone to exercise this right.
For everything else — or if you cannot sign in — email privacy@nordpuls.app. The default response time under GDPR is 30 days; an interim acknowledgement will arrive within five business days.
If you believe Nordpuls is mishandling your data, you have the right to lodge a complaint with the data-protection supervisory authority of your country of residence. In Norway, that is Datatilsynet.
Changes to this policy
This policy is updated when sub-processors change, when new categories of data are processed, or when applicable law changes. The "Last updated" date at the top of the page reflects the most recent change.