Privacy Policy
1. Who is responsible for your data (Data Controller)
The data controller for personal data processed via crowdindex.org is:
Email for data protection enquiries: privacy@crowdindex.org
Email for general contact: editorial@crowdindex.org
If we are required to appoint a Data Protection Officer (DPO) under Article 37 GDPR, the DPO’s contact details will be added here.
2. What personal data we collect
We process personal data in the following categories:
2.1 Information you provide directly
- Email correspondence — if you email us (editorial@crowdindex.org, privacy@crowdindex.org, or any other CrowdIndex address), we store your email address, your name (if provided), and the content of your message for the purposes of responding to your enquiry and keeping a record.
- Newsletter sign-up [if implemented] — if you subscribe to a newsletter, we store your email address and any preferences you set.
- Contact form submissions [if implemented] — name, email, message content, timestamp.
2.2 Information collected automatically
- Server logs — when you visit crowdindex.org, our hosting provider automatically logs your IP address, browser user-agent string, the page you requested, the referring URL, and the timestamp.
- Privacy-respecting analytics — we use to measure aggregate site traffic. This vendor use cookies and process IP addresses in a personally identifiable form.
- Cookies — see Section 6 below.
2.3 Information from third parties
- Affiliate-tracking partners — when you click an affiliate link to a P2P platform, the destination platform may share back with us the fact that a signup occurred against our partner ID. This data is typically aggregated and does not include your personal identifiers, but the specific data shared varies by partner.
3. Legal basis for processing
Under Article 6 GDPR, we process personal data on the following legal bases:
- Legitimate interest (Article 6(1)(f) GDPR) — for server logs, basic analytics, and responding to direct correspondence. Our legitimate interest is operating the site, ensuring its security, and providing the editorial service.
- Consent (Article 6(1)(a) GDPR) — for non-essential cookies, newsletter subscriptions, and any marketing communications. Consent must be specific, informed, freely given, and withdrawable.
- Contract (Article 6(1)(b) GDPR) — if we enter into a direct contractual relationship with you (e.g., paid product, formal partnership), for processing necessary to perform that contract.
- Legal obligation (Article 6(1)(c) GDPR) — to comply with record-keeping requirements under accounting, tax, or other regulatory law.
4. How long we retain data
Indicative retention plan (to be confirmed):
- Email correspondence — retained for for the purpose of correspondence continuity and dispute resolution
- Server logs—
- Aggregated analytics data—
- Newsletter subscribers — until consent is withdrawn
- Affiliate-tracking signals—
- Accounting records — as required by applicable tax law
5. Who we share data with
We share personal data only with the following categories of recipients:
5.1 Processors acting on our behalf
These processors process personal data only on our instructions, under written Data Processing Agreements (DPAs) compliant with Article 28 GDPR.
- Hosting provider:
- Analytics provider:
- Email service provider:
- Email marketing platform [if used]:
- Affiliate tracking platform [if used]:
5.2 Joint controllers
5.3 Legal disclosure
We may disclose personal data where required by court order, regulator demand, or other legal obligation. We will challenge overbroad demands where appropriate.
5.4 We do not sell personal data
We do not sell personal data to any third party. We do not share personal data for any third party’s marketing purposes without your explicit consent.
6. Cookies and similar technologies
Our cookie usage is governed by Directive 2002/58/EC (e-Privacy Directive) as implemented in national law, in addition to GDPR.
6.1 Categories of cookies (IAB TCF v2 framework)
- Strictly necessary cookies — essential for site security and accessibility. No consent required under e-Privacy rules.
- Performance / analytics cookies — set by our analytics provider for aggregate measurement. Consent required if the cookie carries persistent identifiers.
- Functional cookies — set if you choose theme preferences, language preferences, etc. Consent required.
- Marketing / advertising cookies—
6.2 Consent management
A consent banner appears on first visit. You can change your consent at any time via the “Cookie preferences” link in the site footer.
7. Your rights
Under GDPR (Articles 15-22), you have the following rights regarding your personal data:
- Right of access (Article 15) — request a copy of the personal data we hold about you
- Right to rectification (Article 16) — correct inaccurate or incomplete personal data
- Right to erasure (Article 17) — request deletion of your personal data (“right to be forgotten”), subject to certain exceptions such as legal obligations to retain records
- Right to restriction of processing (Article 18) — limit how we process your data while a dispute is resolved
- Right to data portability (Article 20) — receive your data in a structured, commonly-used machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests, including for direct marketing
- Right to withdraw consent (Article 7(3)) — withdraw consent for any processing based on consent, at any time, as easily as you gave it
- Right not to be subject to automated decision-making (Article 22) — we do not currently make any automated decisions with legal or significant effects on you
These rights are subject to the conditions and exceptions in GDPR.
8. How to exercise your rights
To exercise any of the rights above, please contact us:
- Email: privacy@crowdindex.org
- Postal mail:
We will respond within one month of receiving your request, as required by Article 12(3) GDPR. In complex cases this period may be extended by a further two months, with notification to you.
We may need to verify your identity before responding to a rights request, particularly for access, erasure, or portability requests. We will explain what verification we need.
You do not need to provide a reason for an erasure or objection request, but explaining your reasoning helps us respond more accurately.
9. Data breach notification
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the competent supervisory authority within 72 hours of becoming aware of the breach, as required by Article 33 GDPR
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by Article 34 GDPR
Breach notifications to you, when required, will include the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information.
10. International data transfers
Where we transfer personal data outside the European Economic Area (EEA), we use safeguards approved under GDPR:
- Adequacy decisions — transfers to countries the European Commission has determined provide adequate protection (e.g., Switzerland, UK)
- Standard Contractual Clauses (SCCs) — for transfers to other third countries, we use the EU SCCs (2021 version) with our processors
- Additional safeguards — where required by the Schrems II ruling, we implement supplementary measures (encryption in transit and at rest, pseudonymisation where feasible)
11. Children
CrowdIndex’s content covers financial investment products that are not appropriate for minors. We do not knowingly direct content to or collect personal data from children under the age of 18.
If you are a parent or guardian and you believe a child has provided personal data to us, please contact privacy@crowdindex.org and we will delete the data promptly, in accordance with Article 8 GDPR.
12. Security measures
We take appropriate technical and organisational measures to protect personal data, including:
- HTTPS encryption on all site traffic
- Access controls on the editorial back-end systems
- Pseudonymisation and minimisation of personal data where feasible
- Regular review of processors and sub-processors
13. Changes to this policy
We may update this policy from time to time, for example to reflect changes in our processing, in technology, in legal requirements, or in CrowdIndex’s organisational structure.
- Last updated: 18 May 2026
- Notification of changes: material changes will be flagged at the top of this page for 30 days; substantive changes will additionally be notified to newsletter subscribers (if any) by email
14. Supervisory authority and complaints
You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes GDPR or applicable national law. You may do so:
- In the EU Member State of your habitual residence
- In the EU Member State of your place of work
- In the EU Member State of the alleged infringement
- With our lead supervisory authority, which is:
A list of EU Data Protection Authorities is published by the European Data Protection Board: https://edpb.europa.eu/about-edpb/about-edpb/members_en
15. Online Dispute Resolution Platform (ODR)
In accordance with Regulation (EU) No 524/2013, the European Commission provides an Online Dispute Resolution platform: https://ec.europa.eu/consumers/odr/
This platform is generally relevant for consumer disputes arising from online purchases. We currently do not sell goods or services directly to consumers, but we provide this link as required.