Privacy Policy

Privacy Policy for customers, potential customers and website visitors

General

[COMPANY LEGAL NAME], a company registered in Sweden under org. nr. [ORG-NR], with registered address [REGISTERED ADDRESS] (the "Company", "we", "us", "our"), processes personal data about customers, potential customers and visitors of our website, including reversallabs.com with subdomains, and of our companion services (the Reversal Engine indicator delivered via TradingView, and notification delivery via Signal Messenger). Our processing of personal data always complies with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (the "GDPR"). It is important to us that you feel comfortable with how we handle your personal data. In this privacy policy (the "Policy") we describe how we process your personal data, what personal data we process, and why.

Reversal Labs is a systematic trading-signal platform. It has no affiliation with ReversingLabs, Inc., the unrelated software-supply-chain security company. Any similarity of name is coincidental.

"Personal Data", within the meaning of Article 4(1) of the GDPR, means any information that can be linked to you as an individual, such as your name, address and contact details, including your telephone number and email address. "Processing", within the meaning of Article 4(2) of the GDPR, means any operation we perform in relation to your Personal Data, such as the collection, organisation, storage, modification and disclosure of your Personal Data.

Data controller

[COMPANY LEGAL NAME] is the data controller, within the meaning of Article 4(7) of the GDPR ("Controller"), with regard to Processing of your Personal Data under this Policy. If you have any questions about our Processing of your Personal Data, please contact us at [EMAIL].

Our Processing of your Personal Data

Below we describe how we Process your Personal Data. This includes information on what Personal Data we Process, for what purposes, on what legal basis and for how long.

To conduct marketing activities

Categories of Personal Data: Name, email address.
Legal basis: Our legitimate interest in marketing our services (Article 6(1)(f) GDPR).
Retention period: Personal Data is Processed until you object to the Processing.

To invoice for our services

Categories of Personal Data: Name, contact details, billing address, reference to payment, any additional Personal Data we may require, or you may provide, for the invoice.
Legal basis: Fulfilment of contract (Article 6(1)(b) GDPR).
Retention period: Personal Data is Processed until the invoice is sent; retained thereafter only as required under applicable bookkeeping law (see below).

To provide user accounts on the Reversal Labs website

Categories of Personal Data: Name, email address, authentication identifier from our identity provider (Clerk), payment information (if applicable), user preferences such as profile country, preferred asset classes and watchlist tickers.
Legal basis: Fulfilment of contract (Article 6(1)(b) GDPR).
Retention period: Personal Data is Processed until our contract with you expires. The data may be passively retained after account closure to enable account reactivation and for auditing purposes. The data can be deleted upon your request, except such data that is required to be retained to fulfil our legal obligations (e.g. bookkeeping and audit requirements).

To deliver notifications via Signal Messenger (opt-in)

Categories of Personal Data: Phone number (in E.164 format), per-category notification preferences (e.g. stock-picks, crypto market updates, watchlist alerts), delivery timestamps and status.
Legal basis: Fulfilment of contract (Article 6(1)(b) GDPR) — you opt in per notification category in your profile.
Retention period: Personal Data is Processed until you opt out of the relevant notification category or until your account is closed. Delivery logs are retained for up to 90 days for reliability auditing.

To provide access to the Reversal Engine indicator on TradingView

Categories of Personal Data: Your TradingView username.
Legal basis: Fulfilment of contract (Article 6(1)(b) GDPR).
Retention period: Personal Data is Processed until you have been given access to the indicator on TradingView. The username is then passively stored to be able to fulfil customer support inquiries.

To provide you with customer support

Categories of Personal Data: Name, contact details, information you have provided when registering and using the service that we need to fulfil support requests, any additional Personal Data you may provide us in relation to the enquiry, communication history.
Legal basis: Our legitimate interest in providing customer support (Article 6(1)(f) GDPR).
Retention period: Personal Data is Processed until our services terminate, either because of expiration of our contract or upon your request. Some data may be passively retained after account closure to enable account reactivation, future support inquiries and for auditing purposes.

To send service announcements and product updates

Categories of Personal Data: Name, email address.
Legal basis: Our legitimate interest in communicating service-relevant information to our customers (Article 6(1)(f) GDPR). Non-essential marketing communications follow the "marketing activities" row above.
Retention period: Personal Data is Processed until you object to the Processing or close your account.

To analyse and improve the efficiency of our website

Categories of Personal Data: Pseudonymised session identifier (hashed from IP, user-agent and date — rotated at midnight, never stored raw), pageviews, referrer URL, country derived from IP geolocation (not stored raw), device and browser type, pseudonymised user identifier (first 16 hex of SHA-256 of our internal user ID — no raw Clerk or email reference), role (admin / user), and custom product events (e.g. signup_completed, signal_opened, pick_expanded).
Legal basis: Our legitimate interest in analysing and improving the efficiency of our Service (Article 6(1)(f) GDPR). No cookies or cross-site trackers are used; analytics is collected via our own self-hosted Umami instance on analytics.reversallabs.com, no third-party analytics provider is involved.
Retention period: Aggregate event data retained for up to 13 months. See the Cookies & local storage notice for the full analytics framing.

To deliver email notifications (opt-in, transactional)

Categories of Personal Data: Email address (from your Clerk account), per-category email preferences, delivery timestamps and Resend delivery identifiers.
Legal basis: Fulfilment of contract (Article 6(1)(b) GDPR) for transactional email (welcome, account confirmations); legitimate interest (Article 6(1)(f)) for opt-in categories such as daily stock picks and watchlist alerts where you have actively enabled them.
Retention period: Delivery logs are retained for up to 90 days for reliability auditing. Email address is retained as long as your account is active.

To fulfil our legal obligations under applicable accounting laws

Categories of Personal Data: Personal Data derived from bookkeeping documentation — name, contact details, payment information.
Legal basis: Legal obligation (Article 6(1)(c) GDPR).
Retention period: Personal Data is Processed for 7 years after the calendar year following the year when the bookkeeping documentation was created, in accordance with the Swedish Accounting Act (Bokföringslagen).

To exercise and defend legal claims

Categories of Personal Data: Name, contact details, payment and order information, communication history.
Legal basis: Our legitimate interest in exercising and defending potential legal claims (Article 6(1)(f) GDPR).
Retention period: Personal Data is Processed for up to 10 years in accordance with the applicable statute of limitations.

Backups and audit logs

Active processing of your Personal Data respects the retention periods listed above. However, Personal Data may persist for a limited period in database backups. Backups are taken nightly (PostgreSQL pg_dump, chmod 600 on the host) and retained for up to three (3) days before they are rotated out. Deletion requests extinguish active processing immediately; data held in backups is overwritten on the normal backup-rotation schedule and is not otherwise accessed. Audit logs required by accounting or anti-fraud law are retained for the legally mandated period even after the underlying account is deleted.

With whom do we share your personal data?

We may authorise our service providers to carry out Processing of Personal Data on our behalf. In this context, such service providers act as our data processors. For example, this is the case with some of our IT service providers who may store and organise data on our behalf. Furthermore, we may disclose your Personal Data to public authorities and other parties if we are obliged to do so under law or a legally binding decision of a public authority. We may also disclose your Personal Data to other third parties who themselves act as independent data controllers. For example, this is the case with our accounting firms and payment service providers. Please note that this Policy does not apply when we disclose your Personal Data to third parties who act as independent Personal Data controllers. Such third parties may apply their own terms to the Processing of your Personal Data.

Among others, your personal data is or may be shared with:

Authentication / identity: Clerk, Inc. (clerk.com)
Indicator delivery: TradingView, Inc. (tradingview.com)
Signal notification delivery: Signal Messenger, LLC via Signal Foundation (signal.org)
Email delivery: Resend, Inc. (resend.com) — transactional email from noreply@reversallabs.com and opt-in notification mail.
Hosting and infrastructure providers supporting the Site and the Market Radar.
Analytics: self-hosted on our own infrastructure (analytics.reversallabs.com) using open-source Umami. No third-party analytics provider processes your data.
Accounting and auditing firm, banking suppliers, relevant government authorities and agencies for tax auditing, AML purposes and other reasons as required by law.

Market-data vendors used to compute signals (including EOD Historical Data, Binance and Yahoo Finance) do not receive any Personal Data from us; we only retrieve market prices and fundamentals from them. Payment processing is not applicable during the current public beta; when paid plans launch we will update this Policy to identify the payment processor.

Processing of your Personal Data outside the EU/EEA

Some of our service providers may conduct some or all of their business activities in countries located outside the EU/EEA (so-called "third countries"). Your Personal Data is only transferred to countries for which the European Commission has issued a decision recognising an adequate level of protection, or under an appropriate transfer mechanism, in accordance with Chapter V of the GDPR. A list of adequacy decisions is available on the European Commission's website: commission.europa.eu.

The third countries to which we currently transfer Personal Data include: USA.

In some cases, we may use service providers who Process your Personal Data in the USA but who are not certified under the EU–US Data Privacy Framework. In those situations, we will ensure that the transfer is governed by an appropriate transfer tool, such as the European Commission's Standard Contractual Clauses for Transfers to Third Countries (2021). The European Commission's Standard Contractual Clauses and further information on the EU–US Data Privacy Framework are available on the European Commission's website: commission.europa.eu.

Your rights when we Process your Personal Data

Listed below are the rights to which you are entitled in relation to our Processing of your Personal Data. If you wish to exercise any of your rights, please contact us at [EMAIL].

Right to access

You have the right to request information about whether we Process your Personal Data, what Personal Data we Process and how the Personal Data is Processed. You also have the right to request a copy of the Personal Data we Process about you (a so-called register extract).

Right to rectification

You have the right to request the rectification of inaccurate Personal Data — for example, if you have reason to believe that your Personal Data is incomplete or incorrect.

Right to object

You have the right to object to the Processing of your Personal Data as long as the Processing is based on the legal basis of legitimate interest (Article 6(1)(f) GDPR). Please note that if we can demonstrate that our legitimate interest for the Processing of your Personal Data outweighs your rights and freedoms, we may continue the Processing despite your objection.

Right to erasure

You have the right to request that we erase your Personal Data if:

The Personal Data is no longer necessary for the purposes for which it is being Processed;
You withdraw your consent (if the Processing is based on consent, Article 6(1)(a) GDPR);
You object to the Processing and there are no legitimate grounds for us to continue Processing of the Personal Data;
The Processing is unlawful; or
The Personal Data must be erased to fulfil a legal obligation to which we are subject.

Right to restriction

You have the right to request that we restrict the Processing of your Personal Data (meaning that we will cease Personal Data Processing, in whole or in part) if:

You contest the accuracy of the Personal Data (the restriction only applies during the time we verify the accuracy);
The Processing is unlawful and you request that the Processing be restricted instead of erased;
The Personal Data is no longer necessary for the initial purposes of the Processing but is required to assert a legal claim; or
You have objected to the Processing but we have not yet had time to assess whether our legitimate interests outweigh your rights and freedoms.

Right to data portability

You have the right to have your Personal Data transferred to another data controller and to be provided with the data in a structured, commonly used and machine-readable format.

Right to withdraw consent

If the Processing is based on consent, you have the right to withdraw your consent at any time. However, please note that the withdrawal of your consent does not affect the lawfulness of the Processing carried out before your withdrawal.

Right to lodge a complaint

If you wish to lodge a complaint about our Processing of your Personal Data, you may contact your national data-protection authority. In Sweden, that authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) — see imy.se.

If you wish to exercise any of the rights outlined above, please contact us at [EMAIL].

Minors

The Service is not directed to individuals under 18 years of age, or the age of majority in your jurisdiction (whichever is higher). We do not knowingly collect Personal Data from minors. If we discover that we have collected Personal Data from a minor, we will delete that data promptly. If you believe a minor has provided us with Personal Data, please contact us at [EMAIL] and we will take appropriate action.

Amendments to the Policy

We may make amendments to this Policy from time to time. The most recent version of the Policy is always available on our website. Material changes will be communicated via email or an in-product notice with reasonable advance notice.

Contact details

If you have any questions about our Processing of your Personal Data, please contact us at [EMAIL].

Last Updated: 2026-04-21

Admin note — placeholders to replace before publishing

Four fields remain red-highlighted and need real values:

[COMPANY LEGAL NAME] — the legal entity operating Reversal Labs
[ORG-NR] — Swedish company registration number
[REGISTERED ADDRESS] — registered business address
[EMAIL] — single inbox for all user contact including GDPR / data-subject requests (e.g. legal@reversallabs.com)

All other defaults are set: governing law = Sweden, DPA = IMY, payment processor = "not applicable during beta", hosting = generic. Update these if the company is registered outside Sweden.