Privacy Policy

1. INTRODUCTION AND SCOPE

This Privacy Policy applies to all users of the Dombey Capital website, member portal, research platform, email subscriptions, and related services (collectively, the "Platform"). By accessing or using the Platform, you consent to the data practices described in this Privacy Policy.

Data Controller: Dombey Capital Management is the data controller responsible for your personal information. We are based in San Francisco, California, United States.

This Privacy Policy complies with the California Consumer Privacy Act (CCPA), California Privacy Rights Act (CPRA), and the General Data Protection Regulation (GDPR) for applicable users.

2. INFORMATION WE COLLECT

We collect several categories of personal information to provide and improve our services:

2.1 Information You Provide Directly

• Account Registration: Name, email address, password (hashed), and membership tier
• Subscription Information: Payment details (processed by third-party payment processors), billing address, subscription tier, and renewal preferences
• Communications: Email correspondence, support inquiries, feedback, and survey responses
• Profile Information: Optional information you choose to provide, such as investment preferences or profile settings

2.2 Information Collected Automatically

When you access the Platform, we automatically collect certain information through cookies, log files, and analytics tools:

• Device Information: IP address, browser type and version, operating system, device type, and unique device identifiers
• Usage Data: Pages viewed, time spent on pages, click patterns, search queries, referral sources, and navigation paths
• Session Information: Login timestamps, session duration, and feature usage patterns
• Location Data: General geographic location inferred from IP address (city/country level, not precise GPS)

2.3 Firebase and Google Services Data

We use Firebase (a Google service) for platform infrastructure. Firebase collects and processes:

• Firebase Authentication: Email address, authentication tokens, login timestamps, and unique user IDs (UIDs)
• Firebase Firestore: Intelligence reports, user membership status, report access history, and platform data
• Firebase Analytics (if enabled): App usage events, session data, device characteristics, and aggregated behavior patterns

Google acts as a data processor for Firebase services. Data is stored on Google Cloud servers, primarily in the United States. See Google's Firebase Privacy Documentation for more information.

3. HOW WE USE YOUR INFORMATION

We use your personal information for the following purposes:

3.1 Service Delivery and Account Management

• Authenticate users and manage member accounts
• Provide access to research reports, intelligence briefs, and the Members Portal
• Process subscriptions and manage billing
• Sync intelligence data from third-party sources to your account
• Maintain and improve platform functionality

Legal Basis (GDPR): Contractual necessity – necessary to perform our agreement with you.

3.2 Communications

• Send Phoenix Intelligence reports and Catalyst Watchlist updates via email
• Notify you of new research publications and platform features
• Send subscription renewal reminders and billing notifications (required by California law for annual subscriptions)
• Respond to support inquiries and provide customer service
• Send important notices about Terms of Service or Privacy Policy changes

Legal Basis (GDPR): Contractual necessity (service-related emails), Legitimate interests (customer support), Consent (marketing emails, if applicable).

3.3 Platform Improvement and Analytics

• Analyze usage patterns to improve user experience and content curation
• Identify popular research topics and optimize intelligence delivery
• Monitor platform performance and diagnose technical issues
• Conduct research and development for new features

Legal Basis (GDPR): Legitimate interests – improving our services and user experience.

3.4 Security and Fraud Prevention

• Protect against unauthorized access, fraud, and abuse
• Enforce our Terms of Service and prevent prohibited conduct
• Investigate and respond to security incidents

Legal Basis (GDPR): Legitimate interests – protecting our platform and users.

3.5 Legal Compliance

• Comply with legal obligations, court orders, and regulatory requirements
• Respond to lawful requests from government authorities
• Maintain records as required by tax and financial regulations

Legal Basis (GDPR): Legal obligation.

4. HOW WE SHARE YOUR INFORMATION

We do not sell your personal information. We share personal information only in the following limited circumstances:

4.1 Service Providers and Data Processors

We share personal information with third-party service providers who perform services on our behalf:

• Google Firebase / Google Cloud: Platform infrastructure, authentication, database storage (Firestore), and analytics. Data shared: email, authentication data, usage analytics. Firebase Privacy Policy
• Resend: Email delivery service for sending Phoenix Intelligence reports and notifications. Data shared: email addresses, report content. Resend Privacy Policy
• Payment Processors: Secure payment processing for subscriptions (e.g., Stripe, PayPal). We do not store full credit card numbers. Data shared: billing information, transaction details.

These service providers are contractually obligated to protect your data and use it only for the purposes we specify.

4.2 Third-Party Intelligence Sources

We use third-party APIs to fetch curated intelligence reports. We do not share your personal information with these third-party intelligence providers. Our API requests use authentication keys and do not transmit user-identifiable data.

4.3 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of assets, your personal information may be transferred to the successor entity. We will notify you of any such change in ownership or control.

4.4 Legal Requirements

We may disclose personal information if required by law, court order, subpoena, or government request, or if we believe disclosure is necessary to protect our rights, prevent fraud, or ensure safety.

4.5 Cross-Border Data Transfers

Your personal information is stored on Google Cloud servers located primarily in the United States. If you access our Platform from outside the United States, your data will be transferred to and processed in the United States.

For EU/EEA/UK users: We rely on Google's Standard Contractual Clauses (SCCs) approved by the European Commission to safeguard data transfers. See Google Cloud GDPR Compliance.

5. COOKIES AND TRACKING TECHNOLOGIES

5.1 What Are Cookies?

Cookies are small text files stored on your device that help us recognize you, remember preferences, and analyze usage. We use both first-party cookies (set by Dombey Capital) and third-party cookies (set by service providers like Firebase).

5.2 Types of Cookies We Use

• Essential Cookies: Necessary for platform functionality, including authentication, session management, and security. These cookies cannot be disabled without impairing core features. No consent required (functional necessity).
• Analytics Cookies: Firebase Analytics and performance monitoring tools track usage patterns, page views, and user behavior to help us improve the Platform. GDPR: Opt-in consent required. CCPA: Opt-out available.
• Preference Cookies: Remember your settings, language preferences, and customization choices.

5.3 How to Control Cookies

You can control cookies through your browser settings:

• Most browsers allow you to block or delete cookies via settings
• You can opt out of Google Analytics: Google Analytics Opt-Out
• Disabling cookies may limit Platform functionality (e.g., you may not be able to stay logged in)

6. DATA RETENTION

We retain personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, comply with legal obligations, resolve disputes, and enforce our agreements.

• Active Accounts: We retain account data for the duration of your subscription plus 1 year after cancellation
• Intelligence Reports (Firestore): Retained for 2 years to provide historical access to subscribers
• Authentication Data: Retained until account deletion, then deleted within 30 days
• Analytics Data: Firebase Analytics data is retained for 14 months (configurable)
• Email Communications: Subscription-related emails retained for 3 years to comply with California Automatic Renewal Law
• Legal/Tax Records: As required by applicable law (typically 7 years for financial records)

Upon account deletion or data retention expiration, we securely delete or anonymize your personal information.

7. YOUR PRIVACY RIGHTS

Depending on your location, you may have the following rights regarding your personal information:

7.1 GDPR Rights (EU/EEA/UK Users)

• Right to Access: Request a copy of the personal information we hold about you
• Right to Rectification: Correct inaccurate or incomplete personal information
• Right to Erasure ("Right to be Forgotten"): Request deletion of your personal information (subject to legal exceptions)
• Right to Restrict Processing: Limit how we use your personal information
• Right to Data Portability: Receive your personal information in a machine-readable format
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent: Withdraw consent for processing based on consent (does not affect prior lawful processing)
• Right to Lodge a Complaint: File a complaint with your local data protection authority

7.2 CCPA/CPRA Rights (California Residents)

• Right to Know: Request disclosure of what personal information we collect, use, disclose, and sell (if applicable)
• Right to Delete: Request deletion of your personal information (subject to exceptions)
• Right to Correct: Request correction of inaccurate personal information
• Right to Opt-Out of Sale/Sharing: We do not sell personal information. If this changes, you will have the right to opt out.
• Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

7.3 How to Exercise Your Rights

To exercise any of these rights, please contact us:

• Email: privacy@dombey.capital
• Account Settings: Log in and navigate to "Privacy Settings" or "Account Management"

Response Timeline: We will respond to verified requests within 30 days (GDPR) or 45 days (CCPA). We may request additional information to verify your identity before processing requests.

8. DATA SECURITY

We implement reasonable administrative, technical, and physical safeguards to protect your personal information from unauthorized access, disclosure, alteration, or destruction, including:

• Encryption: Data in transit is protected using TLS/SSL encryption. Passwords are hashed using industry-standard algorithms.
• Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis
• Firebase Security: Google Firebase provides enterprise-grade security, including encryption at rest, DDoS protection, and regular security audits
• Regular Monitoring: We monitor for suspicious activity and security vulnerabilities

However, no method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your account credentials.

Breach Notification: In the event of a data breach affecting your personal information, we will notify you and applicable regulators as required by law (e.g., within 72 hours under GDPR, or as required by California law for breaches affecting 500+ residents).

9. CHILDREN'S PRIVACY

Our Platform is not directed to individuals under the age of 18 (or 16 for GDPR purposes). We do not knowingly collect personal information from children. If we discover that we have collected information from a child, we will delete it immediately. If you believe we have collected information from a child, please contact us at privacy@dombey.capital.

10. THIRD-PARTY LINKS

The Platform may contain links to third-party websites, research sources, or external services (e.g., Substack, intelligence providers). We are not responsible for the privacy practices or content of third-party sites. We encourage you to review the privacy policies of any third-party sites you visit.

11. INTERNATIONAL USERS AND EU REPRESENTATIVE

Our Platform is primarily intended for users in the United States. If you access the Platform from outside the U.S., you acknowledge that your personal information will be transferred to and processed in the United States, which may have different data protection laws than your country.

EU/EEA/UK Users: If you are located in the EU, EEA, or UK, you have the right to lodge a complaint with your local supervisory authority if you believe we have violated data protection laws.

12. CALIFORNIA "SHINE THE LIGHT" LAW

California Civil Code Section 1798.83 permits California residents to request information about our disclosure of personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their direct marketing purposes. If you have questions, contact us at privacy@dombey.capital.

13. CHANGES TO THIS PRIVACY POLICY

We reserve the right to update this Privacy Policy at any time to reflect changes in our practices, legal requirements, or Platform features. If we make material changes, we will notify you by:

• Posting the updated Privacy Policy with a new "Effective Date"
• Sending an email notification to your registered email address
• Displaying a prominent notice on the Platform

Your continued use of the Platform after changes take effect constitutes acceptance of the updated Privacy Policy. We recommend reviewing this page annually and whenever you notice the "Last Updated" date has changed.

14. CONTACT INFORMATION

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: