Privacy
What we collect. Why. How you can control it.
In plain English, without the twenty-page legalese. If you want the exhaustive detail, read on. If you want the summary: we collect the minimum needed to run the service, we don't sell your data, and you can delete your account whenever.
1. Who we are
Maevol ("we", "us") is a diagnostic-research service operated from Singapore. This policy explains how we handle personal data of visitors and registered users of www.maevol.com. It is intended to be compliant with the Personal Data Protection Act 2012 of Singapore ("PDPA") and to reflect general GDPR principles for users in other jurisdictions.
2. What we collect
We collect only the personal data we need to run the service.
Account data (registered users)
- Email address — required for account creation, passwordless sign-in, and delivery of the weekly digest and transactional emails.
- Account tier — free or Insider, and (for paying members) the plan and billing status.
- Account creation timestamp.
Usage data
- Ticker lookups — which ticker symbols you look up on the diagnostic tool, and when. Used for the "recent lookups" list on your account page, for enforcing the free-tier daily cap, and for aggregate product analytics.
- Page visits and scanner filter selections — used to improve the product; never linked to your email in analytics reports.
Technical data
- IP address — used for rate-limiting anonymous users, security abuse detection, and rough geolocation (country-level) for analytics. Not stored beyond 90 days for anonymous visitors.
- Browser type, device type, referrer URL — standard web-server logs.
Payment data (Insider subscribers only)
- Payments are processed by a third-party PCI-DSS-compliant payment processor. We never see, store, or have access to your card number, CVV, or full bank details.
- We do store the following, returned by the payment processor: subscription status, billing plan (monthly / annual), next-renewal date, and the last four digits of the card (for display in "Payment method").
Session cookies
- A session cookie is set by our authentication provider after you sign in, so that you stay signed in across pages. It expires when you sign out or when the browser session ends (whichever comes first).
- A theme-preference item is stored in your browser's localStorage so we remember whether you toggled light or dark. It contains no personal data.
- We do not use tracking cookies, advertising cookies, cross-site trackers, or third-party analytics that fingerprint you personally.
3. Why we collect it — legal basis
For each type of data:
- Account & usage data — to deliver the service you have signed up for (contract performance).
- Payment data — to fulfil the subscription contract and meet tax / accounting obligations.
- IP address & security logs — legitimate interest in operating a secure, non-abused service.
- Digest emails — sent to subscribers who have explicitly opted in via the digest sign-up form. Opt-in is required; unsubscribing is one click from any digest email.
4. How we use it
- Deliver the diagnostic tool, scanner, and digest.
- Authenticate you via passwordless magic-link email.
- Enforce free-tier limits and prevent abuse.
- Send transactional emails: sign-in links, welcome to Insider, subscription receipts, cancellation confirmations.
- Send the weekly digest to opted-in subscribers.
- Debug production issues (aggregate error logs; individual user data only accessed with your permission or where necessary to resolve a support ticket you have opened).
- Compute aggregate product analytics (e.g., "X% of Insider users use the scanner weekly"). Aggregate reports never identify you personally.
5. Who we share it with
We share the minimum data required with a small set of essential service providers, each contractually bound to protect your data:
- Cloud infrastructure host — where the site and functions run. Data resides on the host's encrypted storage; the host cannot read application data.
- Authentication provider — stores email + session tokens for sign-in.
- Managed database provider — stores profile, usage, and subscription data. Encrypted at rest and in transit.
- Payment processor — handles all card data. We share only the customer email at checkout.
- Transactional email delivery service — sends the weekly digest, magic-link, and welcome emails.
We do not sell personal data to anyone, ever. We do not share personal data with advertisers, data brokers, or affiliate networks.
6. Where data is stored
Data is stored primarily on infrastructure located outside of Singapore, in secure data centres operated by our essential service providers. Where personal data is transferred outside Singapore, we ensure it is protected to a standard comparable to Singapore's PDPA — either through provider-contractual protections, or because the destination jurisdiction offers a comparable level of protection.
7. How long we keep it
- Active account data — for as long as your account remains active.
- Cancelled subscriptions — up to 24 months, to meet tax and audit obligations. After that, the payment record is retained only in aggregate form.
- Ticker-lookup history — rolling 12 months. Older entries are periodically purged.
- Anonymous visitor logs — 90 days maximum.
- Deleted accounts — email and profile are purged within 30 days of deletion, except where retention is required by law (e.g., financial-transaction records).
8. Your rights
You have the right to:
- Access — request a copy of the personal data we hold about you.
- Correct — ask us to correct any inaccurate data.
- Delete — request deletion of your account and associated data (subject to lawful retention periods).
- Export — receive a machine-readable copy of your data.
- Withdraw consent — unsubscribe from the digest (one click from any digest email), or ask us to stop processing your data for non-essential purposes.
- Complain — lodge a complaint with the Singapore Personal Data Protection Commission (PDPC) if you believe your rights have been violated.
To exercise any of these rights, email support. We respond within one business day and complete requests within 30 days.
9. Children
The service is intended for users aged 18 or over. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us data, please contact us and we will delete it.
10. Security
We use industry-standard practices to protect your data — HTTPS across the entire site, encrypted-at-rest storage, hashed passwords (where applicable — Maevol uses passwordless authentication, so there are no user passwords stored), and role-based access controls on internal tools. No system is perfectly secure; if a data-breach affects your personal data, we will notify you and the PDPC within the timelines required by law.
11. Changes to this policy
We may revise this policy from time to time. The "Last updated" date at the top will reflect the most recent change. If we make a material change affecting how we handle your data, we will notify you by email before the change takes effect.
12. Contact
Privacy questions or data-access requests: the team.