Privacy Policy
Last updated · Version 2026-05-17
This policy explains what personal information BigFatBat collects when you use the website at bigfatbat.com and the BigFatBat product (together, the Service), why we process it, who we share it with, and the rights you have under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It is written to reflect what the Service actually does today; if you spot anything that looks out of date, please email us at ethan@bigfatbat.com.
1. Who we are
BigFatBat is operated by EMCShared Ltd, a company incorporated in England and Wales (Companies House number 14695260) with its registered office at 46 Castleton Road, Ruislip, HA4 9QL, England. We have applied to the UK Information Commissioner’s Office (ICO) for controller registration and our reference will be published here once issued. For the purposes of UK data protection law, EMCShared Ltd is the controller of the personal information described in this policy.
We have not appointed a Data Protection Officer because we are not legally required to. The point of contact for all privacy matters is ethan@bigfatbat.com.
2. What data we collect
We deliberately collect as little personal information as the Service needs to function. The tables below describe the categories, the source, and where each category is stored.
2.1 Account & identity
When you sign in with eToro using single sign-on, eToro returns a signed token identifying you. We extract and store:
| Field | Source | Stored in |
|---|---|---|
| eToro user ID (etoro_user_id) | eToro OAuth token (sub claim) | Supabase Postgres |
| eToro username | eToro OAuth token / public profile API | Supabase Postgres |
| Popular Investor flag (is_pi) | eToro public profile API | Supabase Postgres |
| Email address (optional) | eToro OAuth token (when you grant the email scope) | Supabase Postgres (email_preferences table) |
| Account-tier and subscription metadata | Derived from Stripe events | Supabase Postgres |
We do not receive your eToro password and we never see it. If eToro does not return an email address, we ask you to enter one during onboarding so we can send transactional emails such as receipts and digest deliveries.
2.2 Portfolio & trading information
While you are signed in we make authenticated requests to the eToro API on your behalf, using an access token that is stored only in our session cache and never sent to the browser. The data we read includes:
- your portfolio composition (instruments, copy positions, allocations);
- your aggregate trade information (open / closed trade summaries, per-instrument profit and loss);
- your performance metrics (returns, risk score, drawdown, win rate); and
- the username metadata of investors you copy, follow or watchlist.
We cache portions of this data in Supabase and in our Upstash Redis tier to keep dashboards responsive. We do not derive psychological profiles or behavioural scores from this data; it is used to render the briefs and signals you see in the product.
2.3 Subscription & billing
Card payments are handled entirely by Stripe. Card numbers, CVCs and bank details never reach our servers. From Stripe we record:
- your stripe_customer_id;
- your subscription status (active, trialing, past_due, cancelled), trial start / end dates and current period dates;
- the timestamps at which webhook events arrived (used to drive trial reminders and recovery emails).
2.4 Communications & preferences
If you opt in to email notifications we store your delivery address and a set of per-section toggles (e.g. daily digest, AI news wire, earnings, weekly / monthly dossier) in the email_preferences table. You can change or remove these at any time from Settings → Email or by clicking the unsubscribe link in any marketing email. Transactional emails (receipts, trial reminders, account security notices, abandoned-checkout reminders) are sent on the basis of the contract between us and cannot be opted out of without closing your account.
We also store the watchlist of investor usernames you ask us to track so the product can keep tabs on them on your behalf.
2.5 Usage analytics
We use PostHog to understand how the product is used so we can prioritise improvements and detect outages. Where you are signed in, analytics events are associated with your eToro username and tier; common examples of the events we capture include sign-in, page view, external link click, watchlist add, investor profile view, paywall view, checkout failure, and email-preference save. We do not use this data for advertising and we do not sell it to third parties. A complete list of event names lives in our source code at src/lib/analytics.ts.
3. Why we process it & lawful basis
Under UK GDPR Article 6 we must have a lawful basis for each kind of processing. The mapping is:
| Activity | Lawful basis | Notes |
|---|---|---|
| Authenticating you, maintaining your session, fulfilling your subscription | Performance of a contract (Art. 6(1)(b)) | Without this processing we cannot let you sign in or pay. |
| Reading your eToro portfolio and trade history to populate the dashboard | Performance of a contract (Art. 6(1)(b)) | This is the core product and you grant the eToro scope explicitly at sign-in. |
| Sending transactional emails (receipts, trial reminders, security notices, abandoned-checkout reminders) | Performance of a contract (Art. 6(1)(b)) and our legitimate interests (Art. 6(1)(f)) in keeping you informed | You cannot opt out of transactional email without closing the account. |
| Sending marketing-style content (daily / weekly / monthly digests, news wire, AI news wire, earnings round-ups, investor dossiers) | Consent (Art. 6(1)(a)) | You opt in per-section in Settings → Email and can withdraw at any time. |
| Product analytics, performance monitoring, fraud and abuse prevention, securing the Service | Legitimate interests (Art. 6(1)(f)) | We have balanced this against your interests; you can object using the contact details below. |
| Sharing portfolio and identity data with AI sub-processors to generate commentary | Performance of a contract (Art. 6(1)(b)) | AI commentary is a contracted feature of the Service. See §6 for what each AI sub-processor receives and for our position on automated decision-making under Art. 22. |
| Complying with our tax, accounting and other legal obligations | Legal obligation (Art. 6(1)(c)) | For example, retaining subscription records for HMRC. |
4. Sub-processors
We use the following sub-processors to deliver the Service. Each of them receives only the personal information needed to perform its function and is bound by a data processing agreement (DPA) with us. We will publish a continuously updated list at /sub-processors in a future release; until then the list below is authoritative.
| Sub-processor | Purpose | Region(s) |
|---|---|---|
| eToro (Europe) Ltd | Identity, portfolio data, partner affiliate links | EEA |
| Stripe Payments Europe, Ltd | Card processing, subscription billing, customer-portal hosting | EEA / US |
| Supabase, Inc. | Primary Postgres database hosting | EEA |
| Upstash, Inc. | Redis cache for sessions, rate limits and hot data | EEA / US |
| Anthropic, PBC | Claude large-language-model API powering AI briefs, dossiers and commentary | US |
| Perplexity AI, Inc. | AI search API powering ticker queries and theme briefs | US |
| Resend, Inc. | Transactional and marketing email delivery | US / EEA |
| PostHog, Inc. | Product analytics, session-level usage telemetry | US / EEA |
| Vercel, Inc. | Application hosting, edge runtime, scheduled cron jobs | US / EEA |
| Financial Modeling Prep | Market reference data, fundamentals, earnings calendar | US |
| SEC EDGAR (U.S. Securities and Exchange Commission) | Public company filings — request includes only the ticker / CIK | US |
| OpenFIGI (Bloomberg Finance L.P.) | Instrument identifier resolution — request includes only the ticker | US |
| Google LLC (Google Fonts) | Web font delivery for the marketing pages | US |
Where a sub-processor processes personal information on our instructions (eToro, Stripe, Supabase, Upstash, Anthropic, Perplexity, Resend, PostHog, Vercel) we have a DPA in place. The remaining services receive only non-personal market data (tickers, identifiers, public filings) and do not process personal information on our behalf.
5. International transfers
Some of our sub-processors are based in or transfer data to the United States. Where the destination country has not received a UK adequacy decision, the transfer is protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, executed as part of the sub-processor’s DPA. We perform a transfer-risk assessment for each new sub-processor before onboarding it.
6. Automated processing & AI
Several parts of the Service use AI to generate commentary. In particular:
- Anthropic (Claude) receives your eToro username, portfolio composition and per-instrument profit and loss to generate personalised portfolio briefs, investor dossiers, performance summaries and trade-journal commentary.
- Perplexity receives ticker symbols and search themes (e.g. “NVDA earnings reaction”) to retrieve and summarise recent news. It does not receive your username or portfolio.
We do not use this processing to take decisions that have legal or similarly significant effects on you within the meaning of UK GDPR Article 22. AI-generated content is editorial and informational, not a personal recommendation. It can be wrong, incomplete or out of date — see §8 of the Terms of Service for the full AI-content disclaimer.
7. Retention
- Active session tokens are stored in Upstash Redis and expire automatically 24 hours after sign-in, or sooner if you sign out.
- Account record (users row) is retained for the lifetime of your account.
- Email preferences and watchlist are retained for the lifetime of your account and deleted when the account is deleted.
- Subscription and billing records are retained for seven years after the end of the relevant accounting period, in line with our obligations to HMRC.
- Product analytics data in PostHog is retained for twelve months and then automatically aggregated or deleted.
- Cancelled accounts are deleted within ninety days of an explicit deletion request, subject to retention obligations above.
8. Your rights
You have the following rights under UK GDPR, free of charge:
- Right of access — to receive a copy of the personal information we hold about you.
- Right to rectification — to have inaccurate personal information corrected.
- Right to erasure — to ask us to delete your personal information, subject to the retention obligations above.
- Right to restriction — to restrict our processing of your personal information.
- Right to data portability — to receive the personal information you provided us in a structured, commonly used, machine-readable format.
- Right to object — to object to processing carried out on the basis of legitimate interests.
- Right to withdraw consent — at any time, in respect of any processing carried out on the basis of consent (e.g. marketing emails). Withdrawal does not affect the lawfulness of past processing.
- Right to complain — to the Information Commissioner’s Office (ICO) at ico.org.uk/make-a-complaint or by calling 0303 123 1113.
To exercise any of these rights please email ethan@bigfatbat.com. We will respond within one calendar month. We are building self-service data export and deletion endpoints (/api/me/data-export and /api/me/data-delete); until those ship the email route is the canonical channel.
9. Cookies and similar technologies
We group the cookies and local-storage entries the Service uses into three buckets.
9.1 Strictly necessary
- user_token — a server-set, HttpOnly, Secure, SameSite=Lax session cookie that points to your encrypted session entry in Upstash Redis. Without it you cannot sign in or stay signed in. HttpOnly keeps the cookie out of reach of page scripts and Secure restricts it to HTTPS. SameSite=Lax tells the browser not to send the cookie on cross-site sub-requests or cross-site form submissions, which is our cross-site request forgery (CSRF) protection.
- cc_cookie — a first-party functional cookie that stores the choice you make in our cookie banner (see §9.4 below) so we do not ask you again on every visit.
These cookies are exempt from consent requirements under the Privacy and Electronic Communications Regulations 2003 (PECR) because they are strictly necessary to provide a service you have requested.
9.2 Preferences
- A theme entry written to localStorage by next-themes so the product remembers your light / dark choice.
- A small set of localStorage entries used to remember when you dismissed in-app banners (e.g. the upgrade banner cooldown).
9.3 Analytics
- PostHog sets first-party cookies (e.g. ph_*) to associate events with a stable distinct ID and to deduplicate sessions.
9.4 How we ask for consent
When you first visit the Service we show a cookie banner with three options: Accept all, Reject all and Manage preferences. Until you make a choice, the analytics cookies described in §9.3 are not set and no analytics events are captured: the analytics SDK loads in an opted-out state and stays inert. You can change your choice at any time using the Cookie preferences link in our footer; the change takes effect immediately.
Your choice is recorded in the cc_cookie functional cookie and is remembered for 365 days. If we materially change the cookies we use we will bump the revision number stored in that cookie, which causes the banner to re-appear so you can re-confirm your choice against the new list.
10. Children
The Service is a financial information product and is intended for adults only. We do not knowingly collect personal information from anyone under the age of 18. If you believe we have inadvertently collected such information, please contact us and we will delete it.
11. Changes to this policy
If we make material changes to this policy we will update the “Last updated” date at the top of this page, post a notice in the dashboard on your next sign-in, and where appropriate email you. Continued use of the Service after the effective date constitutes acceptance of the updated policy.
12. Contact
For any privacy matter, please email ethan@bigfatbat.com or write to us at EMCShared Ltd, 46 Castleton Road, Ruislip, HA4 9QL, England.