Privacy Policy

Last updated: 26 May 2026

This Privacy Policy explains how Matthias Blank (“we”, “us”), a natural person operating the Vantage Insights service (the “Service”) as a Swiss sole proprietor, processes personal data when you visit or use the Service. It applies in addition to our Terms of Service and is intended to satisfy the transparency requirements of the revised Swiss Federal Act on Data Protection (revFADP) and, where applicable to visitors in the EU/EEA or the UK, the EU General Data Protection Regulation (GDPR) and the UK GDPR.

1. Who is responsible (controller)

The data controller for the Service is Matthias Blank, a natural person resident in Switzerland and operating the Service as a sole proprietor. Full operator details are listed in our Impressum. You can reach us at hello@vantage.energy for any question or request about your personal data.

We do not have an obligation to appoint a Swiss data-protection officer; the contact address above is also the data-protection contact under Art. 14 revFADP. For EU/EEA users, we currently rely on the direct accessibility of this contact rather than a formal Art. 27 GDPR representative; we will appoint one if our processing reaches the scale that requires it.

2. What personal data we process

We process the following categories of personal data:

2.1 Account data

  • Email address (required to create an account)
  • Display name (optional; shown on comments and community posts)
  • Hashed password (bcrypt; never stored in clear text)
  • If you sign in via LinkedIn: your LinkedIn user ID and the basic profile fields you authorise (name, email, profile picture URL)
  • Marketing-newsletter opt-in flag and confirmation timestamp
  • Account creation date, last sign-in date, ban status (if applicable)

2.2 Subscription & billing data

  • Subscription tier (FREE / PAID), plan (monthly / yearly), status, period end
  • Stripe customer ID and Stripe subscription ID (no card data ever touches our servers)
  • Invoice history (held by Stripe; we hold only the metadata above)

2.3 Usage & telemetry data

If you accept analytics cookies, we generate a random anonymous identifier (UUID) stored in the vantage_anon_id cookie and use it to attribute the following events to a pseudonymous visitor:

  • Page views on /insights/* pages
  • Article and chart impressions
  • Email-newsletter signups and email-confirmation events
  • Signup, sign-in, and upgrade-to-Pro funnel steps

The cookie itself carries no name, email, or other identifying information. We may join it to your account once you sign in, so that we can understand whether free-tier visitors eventually convert to paying subscribers. If you decline analytics cookies, none of the events above are recorded.

2.4 Community & content data

  • Comments you post on articles
  • Community posts and replies
  • Newsletter email captures (with double-opt-in confirmation)

2.5 Technical logs

Our hosting provider (Vercel) and our error-monitoring system retain short-term technical logs: IP address, user agent, request URL, response status, and (for errors) a stack trace. These logs are retained for a maximum of 30 days and used only to operate, secure, and debug the Service.

3. Why we process it (purposes and legal bases)

Under the revFADP we rely on legitimate contractual and operational grounds; under the GDPR the applicable legal bases are listed alongside each purpose:

  • Provide the Service — account creation, sign-in, subscription management, content delivery. GDPR Art. 6(1)(b) — contract performance.
  • Process payments — via Stripe; we receive the subscription metadata, Stripe handles card data. GDPR Art. 6(1)(b) — contract performance.
  • Send transactional emails — email verification, password reset, magic sign-in link, payment-failed notifications. GDPR Art. 6(1)(b) — contract performance.
  • Send the monthly newsletter — only after explicit double-opt-in. You can unsubscribe with one click from every email. GDPR Art. 6(1)(a) — consent.
  • Analytics & product improvement — pseudonymous usage metrics, only if you accept analytics cookies. GDPR Art. 6(1)(a) — consent.
  • Security & abuse prevention — short-term technical logs, rate limits, ban enforcement. GDPR Art. 6(1)(f) — legitimate interest in keeping the Service available and free of abuse.
  • Legal compliance — bookkeeping, tax records, response to lawful requests. GDPR Art. 6(1)(c) — legal obligation.

4. Cookies & similar technologies

We use the smallest possible set of cookies, split into two categories:

  • Strictly necessary — the NextAuth session cookie (keeps you signed in), the cookie-consent record (vantage_cookie_consent), and the CSRF token. These are set without consent because the Service cannot function without them.
  • Analytics (optional) — the anonymous-visitor cookie (vantage_anon_id), set only after you click “Accept analytics” in the cookie banner. You can withdraw your consent at any time by clearing the cookie or using the controls described in §8.

We do not use third-party advertising cookies, retargeting pixels, social plug-ins, or behavioural-profiling trackers.

5. Sub-processors and recipients

We use a small number of carefully chosen service providers (“sub-processors”) to operate the Service. Each one only processes the personal data needed for its specific function, under a data-processing agreement (DPA) where required:

  • Vercel Inc. (United States) — application hosting and edge delivery. Primary processing region: Frankfurt (eu-central). DPA in place; transfers covered by Standard Contractual Clauses and the EU–US Data Privacy Framework.
  • Neon, Inc. (United States) — managed PostgreSQL database for account, subscription, and content data. Primary processing region: Frankfurt (eu-central). DPA in place; SCCs apply.
  • Stripe Payments Europe, Ltd. (Ireland) — payment processing, card tokenisation, customer-portal, invoicing. Your card data is sent directly to Stripe and never stored on our servers. DPA in place.
  • Resend, Inc. (United States) — transactional and newsletter email delivery. We share your email address, display name, and the message content. DPA in place; SCCs apply.
  • Sentry (United States) — error monitoring and stack traces. PII is stripped from error events; only the technical fields described in §2.5 are sent. DPA in place; SCCs apply.
  • Anthropic, PBC (United States) — large-language-model API used to generate news-brief drafts. Your account data is never sent. Only public market data and our editorial prompts are processed. DPA in place; SCCs apply.
  • LinkedIn Ireland Unlimited Company (Ireland) — only if you choose to sign in via LinkedIn. The handshake exchanges your LinkedIn user ID and basic profile fields under your authorisation.

We do not sell personal data and we do not share it with third parties for their own marketing purposes.

6. International transfers

Some of our sub-processors are established outside Switzerland and the EEA, in particular in the United States. In those cases we rely on (i) the relevant country adequacy decisions issued by the Swiss Federal Council and the European Commission, where they apply, and (ii) Standard Contractual Clauses with appropriate supplementary measures. A copy of the safeguards in place is available on request from hello@vantage.energy.

7. How long we keep your data

  • Account data — for as long as your account is active. If you delete your account, we erase it within 30 days, except for what we must keep for tax or legal reasons (see below).
  • Billing and invoice metadata — 10 years, as required by Swiss tax and bookkeeping rules (Art. 126(3) DBG and Art. 70 MWSTG).
  • Telemetry events — 24 months, then deleted or fully anonymised.
  • Newsletter signups — until you unsubscribe; an unsubscribe record is kept indefinitely so we don’t accidentally re-add you.
  • Technical logs — up to 30 days.

8. Your rights

You have the following rights regarding your personal data:

  • Access — a copy of the personal data we hold about you (Art. 25 revFADP / Art. 15 GDPR).
  • Rectification — correction of inaccurate or incomplete data (Art. 32 revFADP / Art. 16 GDPR).
  • Erasure — deletion of your data, subject to legal retention duties (Art. 32 revFADP / Art. 17 GDPR).
  • Restriction — limit processing while a dispute is resolved (Art. 18 GDPR).
  • Data portability — a structured export of the data you provided to us (Art. 28 revFADP / Art. 20 GDPR).
  • Withdraw consent — at any time, with effect for the future, for processing based on your consent (newsletter, analytics).
  • Object — to processing based on our legitimate interests (Art. 21 GDPR).

To exercise any of these rights, email hello@vantage.energy. We answer within 30 days. You can also delete your account directly from your account page, or unsubscribe from the newsletter via the one-click link in every email.

If you believe our processing infringes data-protection law, you have the right to complain to the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or, if you are in the EU/EEA, to your local data-protection authority.

9. Security

We protect personal data through a combination of technical and organisational measures: TLS in transit, encryption at rest, hashed passwords (bcrypt with per-user salt), role separation between application code and database, principle-of-least-privilege secrets management, and a documented incident-response procedure. No system is perfectly secure; if we ever become aware of a breach that creates a high risk to your rights, we will notify the relevant authority within 72 hours and you directly if required by law.

10. Automated decision-making

We do not use automated decision-making (in the sense of Art. 22 GDPR / Art. 21 revFADP) that produces legal or similarly significant effects for you.

11. Children

The Service is intended for users aged 16 or older. We do not knowingly process personal data of children under 16. If you believe a minor has created an account, please contact us and we will delete it.

12. Changes to this policy

We may update this policy as the Service evolves or as the law changes. Material changes will be announced by email to subscribers and by a prominent notice on this page. The “last updated” date at the top of this page always reflects the current effective version.

13. Contact

Privacy questions, rights requests, and notices of any kind: hello@vantage.energy.