Privacy Policy
SherpaBonds ("we," "us," or "our") operates sherpabonds.com (the "Service"), a platform for researching, tracking, and managing fixed-income investments. This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information, and explains the rights available to you under applicable law depending on where you live.
If you do not agree with this policy, do not use the Service.
Plain-language summary
| What we do | What we don't do |
|---|---|
| Store your watchlist, portfolio, notes, and preferences | Sell or rent your personal information |
| Use interaction signals to personalize your experience | Share your portfolio or notes with other users |
| Use trusted sub-processors to operate the Service | Use your data to train third-party AI models |
| Comply with applicable privacy laws globally | Run advertising or behavioral retargeting |
This summary does not replace the full policy below. In the event of any conflict, the full policy governs.
1. Scope
This policy applies to all personal information we process in connection with:
- The sherpabonds.com website and any associated mobile or desktop applications;
- Any API access to the Service;
- Communications you send to us (email, support tickets, feedback).
It does not apply to third-party websites or services we may link to. Those are governed by their own privacy policies.
2. Data controller and contact
For purposes of the EU General Data Protection Regulation ("GDPR"), the UK GDPR, Brazil's Lei Geral de Proteção de Dados ("LGPD"), and other laws that require identification of a data controller or operator, the controller is SherpaBonds.
Privacy contact: ganiz@ganiz.com
We are evaluating whether we are required to appoint an EU/UK representative under Article 27 GDPR and UK GDPR. If we are, we will update this section and notify users through the Service before the obligation takes effect.
3. Information we collect
3.1 Account and identity information
Authentication is handled by a third-party identity provider. When you create an account or sign in — including via supported single sign-on options — the provider processes and returns to us identifiers such as your email address, display name, profile image URL, and a unique user ID. We use these to establish and manage your account.
GDPR/UK GDPR legal bases: Performance of a contract (Art. 6(1)(b)); Legitimate interests in account security (Art. 6(1)(f)).
3.2 User-generated content
When you use the Service, we store content you create, including:
- Bonds added to your watchlist;
- Portfolio positions (bond identifier, quantity, cost basis, acquisition date, source label);
- Notes and tags you attach to bonds or positions;
- Display preferences (e.g., currency selection, toolbar state, layout settings).
This content is linked to your account and stored in an encrypted, access-controlled database. Row-level security policies restrict access so that only you — and service operations personnel where strictly necessary — can read or modify your records.
GDPR/UK GDPR legal bases: Performance of a contract (Art. 6(1)(b)); Legitimate interests in providing the Service (Art. 6(1)(f)).
Note for California residents: Portfolio holdings and financial account data may constitute sensitive personal information under the CCPA/CPRA. We collect this data solely to provide the Service and do not use it for secondary purposes. You have the right to limit our use of it (see Section 11.2).
3.3 Interaction signals
To power discovery and personalization — including recommendation rails, search ranking, and suggested bonds — we record lightweight behavioral signals such as:
- Which bonds and issuers you view, and dwell time;
- Search queries you submit;
- Items you skip or dismiss;
- Features you engage with.
These signals are used solely to improve the relevance of the Service for you. We do not use explicit ratings, do not share your behavioral history with other users, and do not use these signals to build an advertising profile.
GDPR/UK GDPR legal bases: Legitimate interests in improving the Service (Art. 6(1)(f)). Where required by applicable law (e.g., the EU ePrivacy Directive as nationally implemented, or UK PECR), we obtain prior consent before placing non-essential cookies or trackers used to collect these signals.
3.4 Technical and device information
When you access the Service, our infrastructure automatically collects standard request metadata, including:
- IP address;
- Browser type and version, operating system;
- Referring URL and pages viewed;
- Timestamps and session identifiers;
- Error logs and performance metrics.
We use this data for security monitoring, abuse prevention, fraud detection, and operational reliability. We do not use it to build marketing profiles.
GDPR/UK GDPR legal bases: Legitimate interests in security and reliable operation (Art. 6(1)(f)); Legal obligations (Art. 6(1)(c)) where applicable.
3.5 Communications
If you contact us by email or through a support interface, we retain the content of your communication and our response in order to resolve your inquiry, improve the Service, and maintain records of our obligations.
GDPR/UK GDPR legal bases: Legitimate interests (Art. 6(1)(f)); Legal obligations (Art. 6(1)(c)).
4. Cookies and similar technologies
We use cookies, local storage, and similar technologies strictly for the following purposes:
| Category | Purpose | Required? |
|---|---|---|
| Strictly necessary | Authentication session management, security tokens | Yes — Service cannot function without these |
| Functional | Display preferences (currency, toolbar state) | No — optional, but enhances experience |
| Analytics / personalization | Interaction signals for discovery and recommendations | No — consent required where mandated by law |
We do not use advertising cookies, cross-site tracking pixels, or third-party behavioral analytics platforms.
4.1 Your cookie choices
Where required by applicable law — including the EU ePrivacy Directive and its national implementations, and the UK Privacy and Electronic Communications Regulations (PECR) — we present a consent mechanism before placing non-essential cookies or trackers. You can manage your preferences:
- In-app: Via the privacy or cookie settings panel (where available);
- Browser settings: Most browsers allow you to block or delete cookies. Disabling strictly necessary cookies will prevent you from signing in;
- Withdrawing consent: You may withdraw consent for non-essential cookies at any time. Withdrawal does not affect the lawfulness of any prior processing.
5. How we use your information
We use personal information for the following purposes:
- Providing the Service: Displaying your watchlist, portfolio, and preferences; executing searches; generating personalized recommendations.
- Account management: Creating and maintaining your account; authenticating your identity; sending service-related communications.
- Security and fraud prevention: Detecting and preventing unauthorized access, abuse, and fraudulent activity.
- Service improvement: Diagnosing errors; monitoring performance; conducting internal analytics; developing new features.
- Legal compliance: Meeting obligations under applicable law; responding to lawful requests from public authorities; enforcing our Terms of Service.
- Communications: Responding to inquiries; sending transactional notices such as account alerts and material policy updates.
We do not use personal information for any purpose materially different from those listed above without providing advance notice and, where required by law, obtaining your consent.
6. What we do not do
We explicitly commit that:
- We do not sell your personal information, as that term is defined under the CCPA/CPRA or any equivalent law, or otherwise transfer it to third parties for monetary or other valuable consideration;
- We do not share your personal information for cross-context behavioral advertising;
- We do not share your portfolio, watchlist, notes, or any individually identifying financial information with other users of the Service;
- We do not use your personal information to train third-party AI or machine-learning models;
- We do not operate third-party advertising, retargeting, or behavioral tracking on the Service;
- We do not engage in profiling that produces legal or similarly significant effects on you.
7. Disclosure of your information
We share personal information only in the following circumstances:
7.1 Sub-processors
We engage trusted third-party service providers ("sub-processors") to help operate the Service, including providers of authentication, database hosting, and application infrastructure. Each sub-processor is bound by contract to process your data only on our instructions and in accordance with applicable law, including GDPR Chapter V requirements for international transfers where relevant. A current list of sub-processors is available on request at ganiz@ganiz.com.
7.2 Business transfers
If we are involved in a merger, acquisition, asset sale, financing, or other corporate transaction, your information may be transferred as part of that transaction. We will notify you via the Service or by email before your information becomes subject to a materially different privacy policy, and you will have the opportunity to request deletion of your account beforehand.
7.3 Legal obligations and safety
We may disclose information if required to do so by law, court order, or governmental authority with jurisdiction over us, or where we reasonably and in good faith believe disclosure is necessary to:
- Comply with a legal obligation;
- Protect the rights, property, or safety of SherpaBonds, our users, or the public;
- Detect, prevent, or address fraud, security, or technical issues.
Where legally permitted, we will notify you of such requests before disclosing.
7.4 With your consent
We may share information in other ways if you give us explicit, informed, prior consent to do so.
8. Public market data
Bond, issuer, price, and fund-holding data displayed on the Service is sourced from public regulator, exchange, and custodian feeds. This reference data is not personal to you and is not subject to the personal data protections in this policy. We mention it here for transparency about the nature of content displayed on the Service.
9. Data retention
| Category | Retention period |
|---|---|
| Account and identity information | Duration of account, plus up to 90 days post-deletion |
| User-generated content (watchlist, portfolio, notes) | Duration of account, plus up to 90 days post-deletion |
| Interaction signals | Rolling 24 months, or deletion of account, whichever is earlier |
| Technical and security logs | Up to 12 months |
| Support communications | Up to 3 years from last interaction |
| Legal and compliance records | As required by applicable law (typically 5–7 years) |
Upon account deletion, we will delete or irreversibly anonymize your personal data within the periods above, except where a longer retention period is required by law or is necessary for legitimate security, fraud-prevention, or dispute-resolution purposes. Data retained solely for legal compliance will be isolated from active processing systems.
10. Security
We implement and maintain industry-standard technical and organizational measures, including:
- TLS encryption for all data in transit;
- Encryption at rest for database storage;
- Row-level security and least-privilege access controls;
- Regular security reviews and vendor assessments.
No system is perfectly secure. You use the Service at your own risk, and we cannot guarantee that unauthorized third parties will never circumvent our measures. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify relevant supervisory authorities within 72 hours of becoming aware, where required by GDPR or UK GDPR;
- Notify affected users without undue delay where the breach is likely to result in a high risk to their rights and freedoms;
- Take prompt remedial action.
11. Your rights
Depending on where you live, you have some or all of the rights described below. To exercise any of them, contact us at ganiz@ganiz.com. We will respond within the timeframe required by applicable law — generally 30 days, extendable by a further 60 days for complex requests under GDPR. We will not discriminate against you for exercising your privacy rights.
We may need to verify your identity before processing a request. We will not use information provided for verification for any other purpose.
11.1 EEA, UK, and equivalent jurisdictions (GDPR / UK GDPR)
| Right | What it means |
|---|---|
| Access (Art. 15) | Obtain a copy of personal data we hold about you and information about how we process it |
| Rectification (Art. 16) | Request correction of inaccurate or incomplete information |
| Erasure (Art. 17) | Request deletion of your personal data, subject to legal retention obligations |
| Restriction (Art. 18) | Request that we restrict processing in certain circumstances |
| Data portability (Art. 20) | Receive your data in a structured, machine-readable format where processing is based on consent or contract |
| Object (Art. 21) | Object to processing based on legitimate interests, including profiling |
| Withdraw consent (Art. 7) | Withdraw consent at any time where processing is consent-based, without affecting prior lawfulness |
| Supervisory authority complaint | Lodge a complaint with your local data protection authority (e.g., your EU Member State DPA or the UK ICO) |
| No solely automated decisions (Art. 22) | Not be subject to decisions based solely on automated processing that produce legal or similarly significant effects |
11.2 California residents (CCPA / CPRA)
California residents have the following rights:
- Know: The categories and specific pieces of personal information collected about you in the past 12 months; the categories of sources; our business purpose for collecting it; and the categories of third parties with whom we share it.
- Delete: Request deletion of your personal information, subject to certain legal exceptions.
- Correct: Request correction of inaccurate personal information.
- Opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising. You may still submit an opt-out request and we will confirm our non-sale/non-sharing status in writing.
- Limit use of sensitive personal information: You may direct us to limit our use of sensitive personal information (including portfolio and financial data) to what is necessary to provide the Service.
- Non-discrimination: We will not deny, degrade, or penalize your use of the Service for exercising your CCPA/CPRA rights.
To submit a verifiable consumer request, contact us at ganiz@ganiz.com. You may also designate an authorized agent to make requests on your behalf; we may require written authorization or a copy of a power of attorney.
Shine the Light (Cal. Civ. Code § 1798.83): We do not disclose personal information to third parties for their direct marketing purposes and therefore do not provide a separate Shine the Light disclosure.
11.3 Other U.S. state residents
Residents of states with comprehensive privacy legislation — including Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and others enacted after the effective date of this policy — have rights broadly equivalent to those in Section 11.1, including the rights of access, correction, deletion, and portability, and the right to opt out of targeted advertising, profiling for decisions with significant effects, and sales. We honor these rights regardless of whether your specific state is listed here.
If we deny your request in whole or in part, you have the right to appeal. To appeal, reply to our denial response or contact ganiz@ganiz.com with the subject line "Privacy Request Appeal." We will respond to appeals within the timeframe required by your state's law.
11.4 Brazilian residents (LGPD)
Under the Lei Geral de Proteção de Dados (LGPD), Brazilian residents have the right to:
- Confirmation of the existence of processing;
- Access to personal data;
- Correction of incomplete, inaccurate, or outdated data;
- Anonymization, blocking, or deletion of unnecessary or non-compliant data;
- Data portability;
- Deletion of data processed with your consent;
- Information about the public and private entities with which we share data;
- Information about the possibility of refusing consent and the consequences;
- Revocation of consent;
- Lodging a complaint with Brazil's national data protection authority (ANPD).
We have designated ganiz@ganiz.com as the point of contact for LGPD purposes (encarregado / data protection officer contact).
11.5 Canadian residents (PIPEDA / provincial laws)
Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws, Canadian residents have the right to access personal information we hold about them and to challenge its accuracy. Our designated privacy officer for PIPEDA purposes is reachable at ganiz@ganiz.com.
12. International data transfers
The Service operates globally, and your personal information may be transferred to and processed in countries other than the one in which you reside, including the United States. These countries may have data protection laws that differ from those of your home country.
Where we transfer personal data originating from the EEA, UK, or Switzerland to countries not recognized as providing an adequate level of protection, we rely on appropriate safeguards, which may include:
- EU Standard Contractual Clauses (SCCs) adopted by the European Commission;
- UK International Data Transfer Agreements (IDTAs) or UK-approved addenda to EU SCCs;
- Swiss equivalents as issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC).
A copy of the applicable transfer mechanism may be requested at ganiz@ganiz.com.
13. Children
The Service is not directed to children under 13 (or the equivalent minimum age in your jurisdiction — 16 in certain EU Member States, 13 in the UK and US). We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us at ganiz@ganiz.com and we will promptly delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we do, we will:
- Update the "Effective date" and "Last reviewed" date at the top of this policy;
- For material changes, provide at least 30 days' advance notice through the Service or by email before the changes take effect;
- Maintain prior versions, available on request at ganiz@ganiz.com.
Your continued use of the Service after the effective date of a revised policy constitutes acceptance of the changes. If you do not agree, you should stop using the Service and may request deletion of your account.
15. Contact and complaints
For any questions, concerns, or requests relating to this policy or our data practices, contact us at ganiz@ganiz.com.
If you are located in the EEA or UK and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority:
- EEA: Your EU Member State's data protection authority. A full list is available at edpb.europa.eu.
- UK: The Information Commissioner's Office (ICO) at ico.org.uk.
- Brazil: Autoridade Nacional de Proteção de Dados (ANPD) at gov.br/anpd.
We would appreciate the opportunity to address your concerns before you contact a supervisory authority, but this does not affect your right to do so at any time.