1. Introduction

BioRadar (“we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, and protect your personal data when you use bioradar.io.

By using BioRadar, you consent to the practices described in this policy.

2. Data Controller

The data controller is BioRadar, based in Finland. For privacy inquiries, contact: privacy@bioradar.io

3. Data We Collect

3.1 Account Data

When you register, we collect:

• Email address
• Username
• Password (stored as a salted hash, never in plaintext)

3.2 Usage Data

We automatically collect:

• Pages visited and features used
• Watchlist tickers you add
• Timestamps of activity
• Browser type and device information
• IP address

3.3 Payment Data

Premium subscription payments are processed by Stripe. We do not store your credit card number, CVV, or full card details. Stripe handles all payment data under their own Privacy Policy. We receive and store:

• Stripe customer ID
• Subscription status (active/cancelled)
• Last 4 digits of your card (for display purposes only)

3.4 Email Communication Data

We use Brevo (Sendinblue) to send transactional emails. When we send you emails, Brevo may track:

• Whether you opened the email
• Which links you clicked
• Delivery status

4. How We Use Your Data

We use your data to:

• Provide the service — display your watchlist, generate briefings, send alerts
• Process payments — manage your Premium subscription via Stripe
• Send emails — welcome emails, daily digests, PDUFA alerts, and account notifications
• Improve the service — understand usage patterns and fix bugs
• Ensure security — detect abuse, prevent fraud, and protect accounts

We do not sell your personal data to third parties. We do not use your data for advertising targeting.

5. Legal Basis (GDPR)

Under the EU General Data Protection Regulation, we process your data based on:

• Contract performance — to provide the service you signed up for
• Legitimate interest — to improve the service and ensure security
• Consent — for optional marketing emails (you can opt out anytime)

6. Data Sharing

We share data only with:

• Stripe — payment processing
• Brevo — transactional email delivery
• Hosting provider (Ploi/Hetzner) — server infrastructure
• Cloudflare — DNS and security

All processors are GDPR-compliant and bound by data processing agreements. We do not share data with data brokers, advertisers, or other third parties.

7. Data Retention

• Account data — retained while your account is active, deleted within 30 days of account deletion
• Usage data — retained for up to 12 months for analytics, then anonymized
• Payment records — retained for 7 years as required by Finnish tax law
• Email logs — retained by Brevo for up to 12 months

8. Your Rights (GDPR)

As an EU/EEA resident, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate data
• Erasure — request deletion of your data (“right to be forgotten”)
• Portability — receive your data in a machine-readable format
• Restriction — limit how we process your data
• Objection — object to processing based on legitimate interest
• Withdraw consent — for consent-based processing, at any time

To exercise any right, email: privacy@bioradar.io. We will respond within 30 days.

9. Cookies

BioRadar uses the following cookies:

• Session cookies — required for login and authentication (essential, no consent needed)
• WordPress cookies — standard WP session management

We do not use advertising cookies or third-party tracking cookies.

10. Security

We protect your data with:

• HTTPS/TLS encryption for all data in transit
• Salted password hashing (bcrypt via WordPress)
• Database access restricted to the application server
• Regular security audits of our codebase
• Webhook signature verification for payment events

No system is 100% secure. If we discover a data breach affecting your personal data, we will notify you and the relevant authorities within 72 hours as required by GDPR.

11. International Transfers

Your data is stored on servers in the EU (Hetzner, Finland/Germany). Some processors (Stripe, Brevo) may transfer data to the US under Standard Contractual Clauses or equivalent safeguards.

12. Children

BioRadar is not intended for anyone under 18 years of age. We do not knowingly collect data from minors.

13. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email. The “Last updated” date at the bottom indicates when the policy was last revised.

14. Contact & Complaints

For privacy inquiries: privacy@bioradar.io

If you believe we have violated your data protection rights, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi).

Last updated: March 24, 2026