DRAFT — pending legal review

Privacy Policy

Last updated: 2026-04-22

This privacy policy describes how Farol collects, uses and protects your personal data, in compliance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the French Data Protection Act.

1. Data controller

The data controller for personal data processed on this site is:

Farol (independent publisher)
Contact: privacy@farol.run
Director of publication: [TBD]

As long as Farol operates as a private beta without a registered entity, the publisher is the natural person operating the service. A company entity will be registered prior to any commercial launch and this policy will be updated accordingly.

2. What data we collect

Waitlist (form on homepage):
• Email address (mandatory — needed to notify you at launch)
• IP address, country, browser user-agent (automatic — anti-abuse and rate limiting)
• Timestamp of signup

When we launch the paid service (not yet collected):
• Billing data (name, email, payment details — processed by our payment provider Lemon Squeezy, we never see card numbers)
• API usage logs (API key, endpoints called, timestamps — for billing and abuse prevention)
• Optionally: Telegram chat ID if you subscribe to Telegram alerts

We do not use tracking cookies, analytics pixels or third-party advertising.

3. Why we collect it (purposes & legal basis)

Waitlist signup:
• Purpose: notify you when Farol launches in public beta or production
• Legal basis: your explicit consent (Art. 6(1)(a) GDPR), given by submitting the form
• You can withdraw consent at any time by emailing privacy@farol.run

Service delivery (future paid plans):
• Purpose: provide the subscribed API/MCP service, bill you, prevent abuse
• Legal basis: performance of contract (Art. 6(1)(b) GDPR) + legitimate interest for anti-abuse (Art. 6(1)(f) GDPR)

Legal obligations (future):
• Purpose: retain billing records for tax/accounting
• Legal basis: legal obligation (Art. 6(1)(c) GDPR) — 10 years for invoices in France

4. Who we share data with (processors)

Your data is shared only with sub-processors strictly necessary to deliver the service:
• Cloudflare, Inc. (US) — website hosting (Pages), API backend (Workers), database (D1), rate limiting (KV). Data storage is configured in EU regions where possible. Cloudflare acts as data processor under Standard Contractual Clauses (SCCs) per Art. 46 GDPR.
• Resend (US, when activated) — transactional email delivery for launch notifications. SCCs in place.
• Lemon Squeezy (US, when paid plans launch) — Merchant of Record for payment processing. Lemon Squeezy handles all billing data as an independent controller and processor per their own privacy policy.
• AI providers via Cloudflare AI Gateway (Anthropic, Google, Groq, OpenAI) — only if you opt in to use Farol's analysis features. Non-personal market data is sent to LLMs; no customer PII is included in prompts.

We do not sell your data to third parties. We do not share data with advertisers or data brokers.

5. International transfers

Some of our processors (Cloudflare, Resend, Lemon Squeezy) are US-based. Your personal data may be transferred outside the European Economic Area (EEA).

Safeguards used (Art. 46 GDPR):
• EU Standard Contractual Clauses (SCCs) with all US processors
• Cloudflare has committed to the EU-US Data Privacy Framework (since July 2023)
• Data is stored in EU regions (Cloudflare D1 with location preference WEUR) where the architecture allows

You can request a copy of the SCCs by emailing privacy@farol.run.

6. How long we keep your data

• Waitlist emails: until you unsubscribe, or at the latest 24 months after signup if Farol has not launched
• API usage logs (future): 90 days rolling for abuse prevention; aggregated metrics (no PII) retained for analytics
• Billing records (future): 10 years per French tax obligation
• Support emails: 3 years after last contact

When Farol account deletion is implemented, requests will be honored immediately with anonymization of billing records where legally required.

7. Your rights

Under GDPR, you have the following rights concerning your personal data:
• Right of access (Art. 15) — ask for a copy of what we hold on you
• Right to rectification (Art. 16) — correct inaccurate data
• Right to erasure / to be forgotten (Art. 17) — have your data deleted
• Right to restriction of processing (Art. 18)
• Right to data portability (Art. 20) — receive your data in a machine-readable format
• Right to object (Art. 21) — particularly for legitimate interest processing
• Right to withdraw consent (Art. 7) — for anything based on consent
• Right not to be subject to solely automated decision-making (Art. 22) — Farol provides analysis, you make decisions
• Right to lodge a complaint with a supervisory authority (Art. 77) — in France, the CNIL (www.cnil.fr)

To exercise any right, email privacy@farol.run. We respond within 30 days.

8. Security

We apply reasonable technical and organizational measures to protect your data:
• HTTPS/TLS encryption in transit
• Database access restricted to production code paths (no direct admin SQL in a UI)
• Passwords never stored (magic-link authentication when dashboard launches)
• Rate limiting and anti-abuse monitoring
• Regular backups with 30-day retention
• Security audit performed on 2026-04-22, findings applied (see GitHub commit history)

No system is 100% secure. If you suspect a breach, email security@farol.run.

9. AI and automated processing

Farol uses AI models (Claude, Gemini, Llama, GPT) to analyze public market data (prices, indicators, news articles from public RSS feeds) and generate trading signals. These signals are delivered to you as information — you make the final trading decision. Farol does not make automated decisions about you under Article 22 GDPR. No personal data is submitted to AI providers during market analysis. As required by the EU AI Act (Regulation 2024/1689), we disclose that outputs you consume are AI-generated and should not be treated as personalized financial advice.

10. Cookies

This site does not use tracking or advertising cookies. The only technical cookies used (if any) are strictly necessary for security or session management:
• Session cookie (future, when customer dashboard launches) — HttpOnly, Secure, SameSite=Lax — stores your login session. Strictly necessary, no consent required under the ePrivacy Directive.
• No third-party cookies. No Google Analytics, no Facebook Pixel, no advertising networks.

If we ever add analytics, we will switch to a cookieless solution (Cloudflare Web Analytics or Plausible with anonymization) and update this policy.

11. Changes to this policy

We may update this privacy policy to reflect changes in our service or legal obligations. Material changes will be notified by email to users who have signed up, and the "last updated" date at the top of this page will change. Prior versions are kept in the public git repository (github.com/FredericoRB/gaivota) for transparency and audit.

12. Contact

For any privacy-related question, data access request, complaint, or to withdraw your consent: privacy@farol.run

If you believe your rights have not been respected after contacting us, you can file a complaint with the French Data Protection Authority (CNIL) at www.cnil.fr.

Quick contact

privacy@farol.run · security@farol.run