Privacy Policy

Last updated: June 2026

This policy contains placeholders (shown in gold) for details to be filled in once the operating entity is incorporated.

1. Data Controller

The controller responsible for the processing of personal data on this platform is:

[COMPANY NAME]
[STREET, NUMBER]
[POSTCODE CITY]
[COUNTRY]
Email: hello@indexingstudio.com

2. About This Privacy Policy

This Privacy Policy explains how The Indexing Studio (indexingstudio.com) collects, uses, and protects personal data when you use our platform. The Indexing Studio is a cloud-based SaaS platform for index administrators, ETF issuers, and structured products teams.

3. Legal Bases

We process personal data under the following legal bases of the GDPR:

  • Art. 6(1)(b) GDPR — processing necessary for the performance of a contract or pre-contractual measures
  • Art. 6(1)(f) GDPR — processing necessary for our legitimate interests, where these do not override your rights

4. Data We Collect and Why

4.1 Website Visits — Hosting (Vercel)

The platform is hosted on infrastructure provided by Vercel Inc., 340 Pine Street, 5th Floor, San Francisco, CA 94104, USA. Application code runs in the Frankfurt (Germany) region. When you access the website, the following data is processed automatically:

  • IP address
  • Date and time of access
  • Requested URL and data volume transferred
  • Browser type and operating system

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in secure operation). Vercel is certified under the EU-US Data Privacy Framework. Privacy policy: vercel.com/legal/privacy-policy · DPA: vercel.com/legal/dpa

4.2 Registration and Authentication (Clerk)

User sign-up and sign-in is handled by Clerk Inc., 1 World Trade Center, Suite 85-D, New York, NY 10007, USA. The following data is collected on registration:

  • Email address
  • First name and last name
  • Profile picture (optional, provided by the user)
  • Organisation membership and assigned role (Admin, Editor, Viewer)

This data is used for identity verification and access management. Clerk sets technically necessary authentication cookies (see Section 5). Legal basis: Art. 6(1)(b) GDPR. Clerk is certified under the EU-US Data Privacy Framework. Privacy policy: clerk.com/legal/privacy · DPA: clerk.com/legal/dpa

4.3 Platform Use and Database (Neon)

User information and index data created on the platform are stored in a PostgreSQL database operated by Neon Inc. (AWS-hosted database service). The following data is stored:

  • User data (email, name — synchronised from Clerk)
  • Organisation and membership records
  • Index configurations, methodology parameters, and backtest results
  • Audit log: every change to index data is recorded with user ID, timestamp, and change type

The database is hosted in the Frankfurt (EU) region (AWS eu-central-1). Legal basis: Art. 6(1)(b) GDPR for index data; Art. 6(1)(f) GDPR for audit logs (legitimate interest in traceability and integrity of index calculations). Privacy policy: neon.tech/privacy · DPA: neon.com/dpa

4.4 AI-Powered Index Designer (Anthropic)

When using the AI-assisted Index Designer, your inputs and the design session (conversation history, methodology parameters, selected constituents) are transmitted to Anthropic PBC, 548 Market St, PMB 90375, San Francisco, CA 94104, USA, for processing. Transmission is solely for the purpose of providing the AI design feature.

No directly identifying personal data (email, name) is transmitted to Anthropic. However, design conversations may allow indirect inferences about your work. Legal basis: Art. 6(1)(b) GDPR (contractual service). Privacy policy: anthropic.com/privacy · DPA: anthropic.com/legal/data-processing-addendum

4.5 Market Data APIs (Yahoo Finance, Frankfurter)

To calculate index values, price and exchange-rate data is fetched via external APIs:

  • Yahoo Finance — historical prices, dividends, stock splits. No personal data transmitted.
  • Frankfurter API (ECB exchange rates) — currency data. No personal data transmitted.

5. Cookies and Local Storage

5.1 Technically Necessary Cookies (Clerk)

For authentication, Clerk sets only technically necessary cookies. Under Art. 5(3) of the ePrivacy Directive, consent is not required for cookies that are strictly necessary to provide a service explicitly requested by the user.

CookiePurposeRetention
__sessionSession authenticationUntil sign-out
__clientClerk client identificationPersistent (up to 1 year)

We use no tracking, marketing, or analytics cookies. No cookie consent banner is therefore required.

5.2 Local Storage

User preferences (e.g. favourites list) are stored in browser local storage. This data remains exclusively on your device and is never transmitted to any server.

6. Third Parties and Data Processors

Personal data is shared with third parties only as part of the data processing arrangements described above (Vercel, Clerk, Neon, Anthropic) or where required by law. Data processing agreements (DPAs) pursuant to Art. 28 GDPR are concluded or will be concluded with all processors.

7. International Data Transfers

The service providers Vercel, Clerk, and Anthropic are based in the United States. Transfers of personal data to the USA are made on the basis of the EU-US Data Privacy Framework (Art. 45 GDPR) for certified providers, and supplemented by Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR where applicable.

8. Retention Periods

  • Account data: until account deletion
  • Index data and audit logs: for the duration of the contract and up to 90 days thereafter
  • Server logs (Vercel): typically up to 30 days

Upon request, personal data will be deleted promptly, unless statutory retention obligations apply. Contact: hello@indexingstudio.com

9. Your Rights

Under the GDPR, you have the following rights:

  • Right of access (Art. 15) — request information about data held about you
  • Right to rectification (Art. 16) — request correction of inaccurate data
  • Right to erasure (Art. 17) — request deletion of your data
  • Right to restriction (Art. 18) — request restriction of processing
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format
  • Right to object (Art. 21) — object to processing based on legitimate interests

To exercise your rights, contact us at hello@indexingstudio.com.

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority (Art. 77 GDPR). The competent authority depends on the company's registered location. A list of EU supervisory authorities is available at edpb.europa.eu. For Germany: bfdi.bund.de.

11. Updates

This Privacy Policy is current as of June 2026. We reserve the right to update it when the platform or legal requirements change. The latest version is always available at indexingstudio.com/privacy.

Legal Noticehello@indexingstudio.com

© 2026 The Indexing Studio