Legal · Data products · Privacy
Privacy Policy — Daystrom Data
How Daystrom OÜ handles personal data across the Daystrom Data products — both your customer and account data, and the limited personal data that may be contained within the datasets we publish.
Last updated: 2026-07-02
This notice covers the Daystrom Data products operated by Daystrom OÜ — including but not limited to Apex DB, RxAtlas, TrialBase, Strata, and RecallRadar — their websites, snapshots, and REST/MCP APIs. In this notice, "the dataset" means the specific Daystrom dataset in question.
Not legal advice — review notice
This page is provided in good faith to explain how Daystrom Data handles personal data. It is a plain-language privacy notice, not legal advice, and will be reviewed by counsel before launch. If anything here is unclear or appears inconsistent with how the service actually works, the description of our actual practices and applicable law prevails, and you can contact us at data@daystromworks.com to ask. We will update this notice as the service and our data practices evolve; the "last updated" date above always reflects the current version.
Who we are (the controller)
Daystrom Data is operated by Daystrom OÜ ("Daystrom", "we", "us"), a private limited company (osaühing) registered in the Estonian Commercial Register under registry code 17537299, VAT EE102999776, with its registered office at Tornimäe tn 5, Kesklinna linnaosa, Tallinn 10145, Harju maakond, Estonia. Daystrom OÜ is the data controller responsible for the personal data described in this notice. We are established in the European Union, and we process personal data in accordance with the EU General Data Protection Regulation (GDPR) and Estonian data-protection law.
For any privacy question, request, or complaint, contact us at data@daystromworks.com. We have not appointed a statutory Data Protection Officer, as we are not required to; privacy requests are handled by the Daystrom team at that address. If you are contacting us about personal data that appears inside a dataset we publish (rather than about your own account), please see the separate section "Personal data contained in the datasets we sell" below.
Scope of this notice
This notice covers two distinct kinds of personal data, and it is important not to confuse them:
-
Customer and visitor data — personal data about you when you visit our websites, create an account, buy a snapshot or an API/MCP subscription, or call our API. This is the subject of the sections immediately following.
-
Dataset subject data — personal data that may be contained within a Daystrom dataset, where the data describes third parties (for example, named individuals appearing in a public registry record). This is governed by its own dedicated section, "Personal data contained in the datasets we sell", because our legal basis, the source of the data, and your rights differ.
This notice does not cover websites, products, or services operated by third parties (including our sub-processors and the public source registries), which have their own privacy policies.
What customer personal data we collect, why, and on what legal basis
We collect only what we need to provide and protect the service. The categories below set out, for each kind of data, the purpose and the GDPR Article 6 legal basis.
Account email address. Collected when you create an account and used for passwordless "magic-link" sign-in, to associate your account with your purchases and API tokens, and to send service and transactional messages (for example, sign-in links, receipts, subscription-expiry and renewal notices, and important changes to the service or this notice). Legal basis: performance of a contract with you, or steps taken at your request before entering a contract (GDPR Art 6(1)(b)). Where we send a non-essential service-related email that is not strictly necessary to the contract, our basis is our legitimate interest in keeping you informed (Art 6(1)(f)), and you can opt out of such non-essential messages.
API tokens (stored only as a SHA-256 hash). When you provision an API or MCP token we store only a cryptographic hash of it, never the token itself in readable form, together with metadata such as its label, creation date, and scope. We use this to authenticate your API requests and to let you manage and revoke your tokens. Legal basis: performance of the contract (Art 6(1)(b)) and our legitimate interest in securing the service (Art 6(1)(f)).
Payment and billing metadata. When you buy a snapshot or a subscription, payment is processed by our payment providers (see sub-processors below). Card details and full payment credentials are collected and held by the payment provider, not by us; we do not store your card number. We do retain billing metadata — for example, a payment-provider customer or transaction reference, the product purchased, the amount and currency, the date, and the information required to issue a VAT-compliant invoice (which, for business customers, can include a business name, address, and VAT identification number). Legal basis: performance of the contract (Art 6(1)(b)); and, for retaining invoices and accounting records, compliance with our legal obligations under tax and accounting law (Art 6(1)(c)).
IP address, request logs, and usage data. When you use the website or the API we automatically process technical data such as your IP address, request timestamps, the endpoints and resources requested, response status, approximate data volume, user-agent, and the token or account associated with the request. We use this to operate and secure the service: to authenticate requests, enforce rate limits and quotas, detect and prevent abuse, fraud, and attacks, debug and maintain reliability, meter usage for billing, and keep an audit trail. Legal basis: our legitimate interests in the security, integrity, and proper functioning of the service and in accurate billing (Art 6(1)(f)); and, for usage that directly underlies what you are charged, performance of the contract (Art 6(1)(b)).
Support correspondence. If you email us, we process the content of your message and your contact details to respond and to keep a record of the request. Legal basis: our legitimate interest in responding to and managing enquiries (Art 6(1)(f)), or performance of the contract where your request concerns an existing subscription (Art 6(1)(b)).
We do not deliberately collect special categories of personal data about you (such as health, biometric, or political data), and you should not send such data to us. We do not use your personal data for automated decision-making that produces legal or similarly significant effects on you, and we do not sell your personal data.
Our legitimate interests, in brief
Where we rely on legitimate interests (Art 6(1)(f)) — principally for security, abuse and fraud prevention, service reliability, usage metering, and responding to enquiries — we have considered your interests and rights and concluded that this processing is necessary, that it is limited to what those purposes require, and that it is something you would reasonably expect from a service of this kind. You can ask us for more detail on this balancing assessment, and you have the right to object to processing based on legitimate interests (see "Your rights").
How long we keep customer data (retention)
We keep personal data only as long as necessary for the purpose it was collected for, after which we delete or anonymise it. In practice:
| Data | Retention |
|---|---|
| Account data (email, hashed tokens, settings) | Life of the account + 12 months after closure (reactivation, disputes, legal claims), then deleted or anonymised |
| Invoices, payments & accounting records | 7 years from the end of the financial year in which the transaction was recorded (Estonian Accounting Act § 12; Taxation Act § 58) |
| Security, request & usage logs (incl. IP) | 12 months, then deleted or aggregated into non-identifying statistics |
| Support correspondence | 24 months |
Invoices and accounting records are kept regardless of account closure to meet our legal obligations (Art 6(1)(c)). The specific retention periods may be updated as our practices mature; the lawyer-confirmed durations are the controlling values.
Who we share customer data with (sub-processors)
We do not sell your personal data and we do not share it with third parties for their own marketing. We rely on a small set of vetted service providers (sub-processors) that process personal data on our behalf, under contract and on our instructions, each only to the extent needed for its role. Each is bound by a data-processing agreement requiring appropriate security and confidentiality. Our current sub-processors:
| Provider | Role | Data | Regions |
|---|---|---|---|
| Vercel | Website & API hosting, CDN, and Blob storage for snapshot delivery | IP address, request logs, snapshot files | US, EU |
| Vercel Web Analytics & Speed Insights | First-party, cookieless traffic & performance measurement (no cross-site identifier) | Aggregated page views, referrers, coarse device/geo, Core Web Vitals | US, EU |
| Neon | Managed PostgreSQL hosting (account data, hashed tokens, billing metadata) | Account email, hashed API tokens, billing metadata | US, EU |
| Resend | Magic-link / transactional email delivery for passwordless auth | Account email, message metadata | US |
| Google Workspace | Business email for support, security and corrections enquiries | Email content and metadata for messages sent to our contact addresses | US, EU |
Payment providers (independent controllers). When you pay, our payment providers process your payment data as independent (separate) data controllers in their own right — not as our sub-processors: Stripe (Stripe, Inc. and its EU entity Stripe Payments Europe, Ltd.) for card payments, and Coinbase, Inc. (Coinbase Developer Platform) for crypto / x402 / MPP payments. They determine the purposes and means of processing payment data — for payment processing, fraud prevention, tax/VAT calculation and invoicing, and their own legal and regulatory compliance — and handle it under their own privacy policies; we receive only billing metadata back from them. Full card numbers and crypto keys are handled by these providers, not by us.
Analytics and advertising recipients (consent-gated). Only if you opt in through our cookie banner, we share online identifiers and usage data with Google (Google Analytics for traffic measurement and Google Ads for ad-conversion measurement, including a hashed email for enhanced conversions on a purchase). Under Google Consent Mode v2 nothing is sent to Google until you accept, and you can withdraw at any time on our cookies page. We also use Vercel Web Analytics and Speed Insights, which are cookieless, first-party, and set no cross-site identifier.
We may also disclose personal data where we are legally required to (for example, in response to a valid legal request from a competent authority), to establish, exercise, or defend legal claims, or as part of a corporate transaction (such as a merger or asset sale), in which case we will require the recipient to honour this notice or give you advance notice as required by law.
International transfers
We and some of our sub-processors process personal data outside the European Economic Area (EEA), in particular in the United States. Where personal data is transferred outside the EEA to a country that the European Commission has not deemed to provide an adequate level of protection, we rely primarily on the European Commission's Standard Contractual Clauses (SCCs) incorporated into our agreements with those providers, together with supplementary technical and organisational measures (such as encryption in transit and access controls) where appropriate. You can request more information about the safeguards in place by contacting us at data@daystromworks.com.
Your rights
If you are in the EEA (and, to a comparable extent, in the UK and many other jurisdictions), you have the following rights over your personal data, which you can exercise free of charge in most cases:
- Access — to obtain confirmation of whether we process your personal data and a copy of it.
- Rectification — to have inaccurate or incomplete data corrected.
- Erasure — to have your data deleted where one of the grounds in the GDPR applies (this does not override records we must keep by law, such as invoices).
- Restriction — to have us limit how we use your data in certain circumstances.
- Portability — to receive certain data you provided to us in a structured, commonly used, machine-readable format, and to have it transmitted to another controller where technically feasible.
- Objection — to object, on grounds relating to your particular situation, to processing we carry out on the basis of legitimate interests. We will stop unless we have compelling legitimate grounds that override your interests or need the data for legal claims. You may object to direct marketing at any time, with no need to give reasons.
- Withdraw consent — where we rely on your consent for a specific processing activity, you may withdraw it at any time, without affecting processing already carried out.
To exercise any right, email data@daystromworks.com. We may need to verify your identity before acting, and we will respond within the time limits set by the GDPR (generally within one month, extendable for complex requests).
Right to complain. If you believe we have not handled your personal data lawfully, you have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon), Tatari 39, 10134 Tallinn, Estonia — info@aki.ee — www.aki.ee. You may also complain to the supervisory authority in your own country of residence or work. We would, however, appreciate the chance to address your concern first.
Personal data contained in the datasets we sell
This section is distinct from everything above. It concerns personal data about third parties that may be contained within a Daystrom dataset that we compile, publish, and sell — not data about you as a customer.
Most Daystrom datasets are compiled to describe things, not people (for example, vehicles, drug products, or construction materials), and to the best of our knowledge contain no personal data about identifiable individuals. Some datasets, however, include a limited amount of personal data about identifiable individuals — for example, the names of trial sponsors in TrialBase, or of manufacturers, importers, distributors, and other responsible parties named in public product-recall notices in RecallRadar, which can include sole traders or otherwise identifiable individuals. For that data, Daystrom OÜ acts as a data controller, and the following applies.
Source and provenance. This personal data is sourced from public official registries and similar publicly accessible sources, and each value carries a provenance trail back to the source record it came from. The fact that the data is already public does not remove it from the scope of the GDPR or reduce your rights — we treat it as personal data and handle it accordingly.
Why we process it and our legal basis. We compile, structure, cross-link, and make this data available to our customers (typically businesses and developers) to provide a reliable, traceable, machine-readable reference dataset. Our legal basis is our legitimate interests and those of our customers and the public (GDPR Art 6(1)(f)) in the availability, accuracy, and interoperability of information that is already part of the public record — for example, for research, due diligence, safety and compliance monitoring, and competitive intelligence. We have carried out a balancing assessment weighing those interests against the rights and reasonable expectations of the individuals concerned. In reaching it we took into account that the data is limited to professional or official-role information already published in a public registry, that we do not enrich it with additional sensitive information or use it to evaluate or target individuals, and that individuals can object. You can ask us for more detail on this assessment.
Notice to data subjects. Because we obtain this data indirectly from public registries rather than from the individuals themselves, providing individual notice to every person in the dataset would, given the volume and nature of the data, involve disproportionate effort within the meaning of GDPR Art 14(5)(b). This public notice is therefore the principal way we inform data subjects about our processing. It explains the categories of data, the source, the purpose and legal basis, the recipients (our customers and sub-processors), retention, and your rights — see the rest of this notice.
Your rights and how to object. If you are an individual described in a Daystrom dataset, you have the same data-subject rights set out in "Your rights" above — including, in particular, the right under GDPR Art 21 to object, on grounds relating to your particular situation, to our processing of your personal data, and the rights to access, rectification, and erasure. To exercise them, contact data@daystromworks.com, identifying the record(s) concerned. Where you object and we have no overriding legitimate grounds, or where another ground for erasure or restriction applies, we will remove or restrict the relevant personal data in our published dataset and, going forward, in new snapshots and API responses. Note that we cannot change the underlying public source record (that is controlled by the source registry, which you may also need to contact), and copies already downloaded by customers in earlier snapshots are outside our control; we will, however, stop further distribution of the affected data through our service. We aim to respond within the GDPR time limits.
Cookies and similar technologies
Daystrom Data keeps client-side tracking to a minimum and asks for your consent before any non-essential technology runs. We use the strictly necessary cookies and local storage required to operate the website and keep you signed in — for example, to maintain your authenticated session after you click a magic-link, to remember essential preferences, and to protect against cross-site request forgery. These are essential to providing a service you have asked for and, under the EU ePrivacy rules, do not require consent.
For measurement and advertising we use Google Analytics (GA4) and Google Ads — including enhanced conversions, which matches a purchase to our paid-search ads using a hashed email — but ONLY after you opt in. We implement Google Consent Mode v2, so until you accept our cookie banner every Google storage signal is set to 'denied' and no analytics or advertising cookie, identifier, or purchase data is written or sent. The banner offers Accept and Reject with equal prominence and no pre-ticked boxes, and you can change or withdraw your choice at any time. Separately, we use Vercel Web Analytics and Speed Insights, which are first-party and cookieless, set no cross-site identifier, and build no behavioural profile, so they are not part of the consent banner. The REST API and MCP endpoint use no cookies at all — they are stateless and authenticate with a Bearer token in the Authorization request header.
Security
We apply appropriate technical and organisational measures to protect personal data, including encryption of traffic in transit (HTTPS), storing API tokens only as SHA-256 hashes rather than in readable form, restricting access to production systems on a need-to-know basis, and relying on reputable infrastructure providers. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your data and to detect and respond to incidents. If a personal-data breach is likely to result in a risk to your rights, we will notify the competent supervisory authority and, where required, affected individuals, in line with the GDPR.
Children
Daystrom Data is a business-to-business and developer tool and is not directed to children. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact data@daystromworks.com and we will delete it.
Changes to this notice
We may update this privacy notice from time to time to reflect changes in our practices, our sub-processors, or the law. When we make material changes, we will update the "last updated" date shown on this page and, where appropriate, notify account holders by email. Continued use of the service after an update means you are aware of the current notice.
Contact
Questions, requests, or complaints about privacy — including any request to exercise your rights, or any concern about personal data appearing in a dataset — can be sent to data@daystromworks.com, or by post to Daystrom OÜ, Tornimäe tn 5, Kesklinna linnaosa, Tallinn 10145, Harju maakond, Estonia. Please tell us whether your request relates to your own account or to data in a dataset we publish, so we can route it correctly.