Privacy Policy
This Privacy Policy describes how Vantara Labs Ltd (trading as Pelosi Tracker) collects, uses, and shares your personal data.
Last updated: 19 April 2026
1. Introduction
Pelosi Tracker is a service operated by Vantara Labs Ltd, a company registered in England & Wales under company number 17133349, whose registered office is at Gibson House, Hurricane Court, Hurricane Close, Stafford, ST16 1GZ, United Kingdom (referred to in this policy as "we", "us", or "our"). Vantara Labs Ltd is the data controller for personal data processed through Pelosi Tracker.
Vantara Labs Ltd is registered with the UK Information Commissioner's Office (ICO) as a data controller under registration reference ZC129018.
We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we look after your personal data when you visit our website at pelositracker.app, tells you about your privacy rights, and how the law protects you.
If you are located in the European Economic Area (EEA), the EU General Data Protection Regulation (GDPR) applies to our processing of your personal data. If you are located in the United Kingdom, the UK GDPR and Data Protection Act 2018 apply. If you are located in California, see Section 13 for additional rights under the California Privacy Rights Act (CPRA).
2. Information We Collect
2.1. Personal Information
When you create an account or subscribe to our service, we collect:
- Name
- Email address
- Password (stored in hashed form — we never store plain-text passwords)
- Account preferences and settings
- Discord user ID, username, and avatar (only if you choose to link your Discord account)
- A pseudonymous user identifier (Firebase Authentication UID) sent to Google Analytics for logged-in users to stitch sessions across devices; see §4.3
2.2. Payment Information
When you subscribe to a paid plan, payment information (card number, billing address) is collected and processed directly by Stripe. We do not store your full card details on our servers. We receive from Stripe: a truncated card number (last 4 digits), card brand, billing country, and subscription status.
2.3. Usage Data
We automatically collect certain information when you visit, use, or navigate our website. This information does not on its own reveal your specific identity and includes:
- IP address (truncated by Google Analytics before storage; see §4.3)
- Browser and device characteristics
- Operating system
- Referring URLs
- Pages viewed and time spent on pages
- Interactions with features (e.g. watchlist actions, portfolio views)
2.4. Cookies and Similar Technologies
We use cookies and similar tracking technologies to operate the website and, with your consent, to understand how it is used.
Strictly necessary cookies are required for the website to function (authentication, fraud prevention, security challenges, and remembering your cookie choice). They do not require your consent under PECR.
Analytics cookies (Google Analytics) are used to understand how visitors interact with our website. They are only set after you have provided consent via our cookie banner. You can change or withdraw your choice at any time from the cookie preferences in the site footer.
The table below lists the cookies currently in use:
| Cookie | Provider | Category | Purpose | Duration |
|---|---|---|---|---|
| __session | Firebase Auth | Strictly necessary | Authenticated session | Session |
| pt_consent | Pelosi Tracker | Strictly necessary | Remembers your cookie banner choice | 12 months |
| __stripe_mid | Stripe | Strictly necessary | Fraud prevention on payment pages | 1 year |
| __stripe_sid | Stripe | Strictly necessary | Fraud prevention on payment pages | 30 minutes |
| cf_clearance | Cloudflare | Strictly necessary | Bot challenge / DDoS protection | 30 minutes |
| __cf_bm | Cloudflare | Strictly necessary | Bot management | 30 minutes |
| _ga | Google Analytics | Analytics (consent required) | Distinguishes unique visitors | 2 years |
| _ga_<CONTAINER-ID> | Google Analytics | Analytics (consent required) | Session state | 2 years |
You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. If you refuse strictly necessary cookies, parts of the Service will not function.
3. How We Use Your Information
We use the information we collect for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Provide, operate, and maintain your account and the Service | Performance of a contract with you |
| Process subscription payments | Performance of a contract with you |
| Send transactional emails (account verification, password reset, subscription confirmations, billing receipts) | Performance of a contract with you |
| Send notification emails you have opted into (new filings, weekly summaries) | Your consent (you can unsubscribe at any time from any email footer or in-app settings) |
| Analyse website usage to improve the Service | Legitimate interest (improving our product) |
| Detect and prevent fraud or abuse | Legitimate interest (security) |
| Comply with legal obligations | Legal obligation |
4. Third-Party Data Processors
We share your personal data with the following third-party service providers who process data on our behalf under appropriate contractual safeguards:
4.1. Firebase (Google Cloud)
- What they process: Email address, authentication credentials, account data, user-generated content (watchlists, portfolio settings, notification preferences)
- Purpose: User authentication, database storage, hosting, Cloud Functions, Cloud Tasks
- Data location: United States and European Union
- Privacy policy: firebase.google.com/support/privacy
4.2. Stripe
- What they process: Name, email address, payment card details, billing address, transaction history
- Purpose: Payment processing, subscription management, invoicing, fraud prevention
- Data location: United States and European Union
- Note: Stripe is the payment processor; we do not store your full card details. Stripe is PCI DSS Level 1 certified.
- Privacy policy: stripe.com/privacy
4.3. Google Analytics
- What they process: Truncated IP address, device and browser information, pages viewed, session duration, referral source, and — for logged-in users — a pseudonymous Firebase Authentication UID used to stitch sessions across devices
- Purpose: Understanding how visitors use the website in order to improve the Service
- Data location: United States
- Note: Analytics cookies are only activated after you provide consent. Google Analytics 4 truncates IP addresses before they are stored; we do not receive raw IP addresses through the Analytics product. The Firebase UID sent as the `user_id` parameter is an opaque random string with no meaning outside our systems — we never send your name, email address, or any other personally-identifying information to Google Analytics, and we do not enable User-Provided Data collection or Google Signals on our Analytics property.
- Privacy policy: policies.google.com/privacy
4.4. SendGrid (Twilio)
- What they process: Email address, name, email content, delivery metadata
- Purpose: Sending transactional and notification emails (account verification, password resets, filing alerts, billing receipts, weekly summaries)
- Data location: United States
- Privacy policy: twilio.com/legal/privacy
4.5. Discord
- What they process: Discord user ID, username, avatar, and any additional scopes you grant at the OAuth consent screen
- Purpose: Linking your Pelosi Tracker account to your Discord identity for community features and notifications
- Data location: United States
- Note: Discord processing only occurs if you actively choose to connect your Discord account. You can unlink at any time from your account settings, after which we delete the linked identifiers within 30 days.
- Privacy policy: discord.com/privacy
4.6. Cloudflare
- What they process: IP address, TLS connection metadata, HTTP request headers, approximate geolocation (country code) derived from IP
- Purpose: Content delivery network, DDoS protection, bot mitigation, and geolocation-based features such as region-aware cookie-consent banners
- Data location: Global (Cloudflare's edge network)
- Privacy policy: cloudflare.com/privacypolicy
4.7. AI processing of public filings
We use Google's Gemini API to parse and structure publicly-filed STOCK Act disclosures. Only the contents of public congressional filings are sent to Gemini; no user personal data is shared with Gemini. This processing is for public data only and is listed here for transparency.
5. International Data Transfers
Your personal data may be transferred to and processed in the United States and other jurisdictions by the third-party processors listed above. These transfers are protected by appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- EU-US Data Privacy Framework (where the processor is certified)
- UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs
Each of our processors maintains appropriate safeguards for international data transfers in accordance with applicable data protection law.
6. Data Sharing and Disclosure
Beyond the processors listed in Section 4, we may share your information in the following situations:
6.1. Business Transfers
If we are involved in a merger, acquisition, or sale of all or a portion of our assets, your data may be transferred as part of that transaction. We will notify you before your personal data is transferred and becomes subject to a different privacy policy.
6.2. Legal Requirements
We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.
6.3. With Your Consent
We may disclose your personal information for any other purpose with your consent.
We do not sell your personal data to third parties, and we do not share it for cross-context behavioural advertising.
7. Data Security
We have implemented appropriate technical and organisational security measures designed to protect the security of personal information we process, including:
- Encrypted data transmission (HTTPS/TLS)
- Hashed password storage (bcrypt via Firebase Authentication)
- Role-based access controls and multi-factor authentication for administrative systems
- Regular security reviews and dependency audits
- Secrets stored in managed secret stores, not in source control
Despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.
7.1. Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner's Office (ICO) within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to affected individuals, we will also notify you directly without undue delay.
8. Data Retention
We retain your personal data for the following periods:
| Data Type | Retention Period |
|---|---|
| Account data (name, email, preferences) | Duration of your account, plus 30 days after deletion |
| Payment and subscription records | 7 years after the transaction (UK accounting and HMRC requirements) |
| Analytics data (Google Analytics) | 14 months (GA4 configured retention) |
| Email delivery logs (SendGrid) | 30 days |
| Authentication logs | 90 days |
| Linked Discord account identifiers | Until you unlink the account, plus 30 days |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where we are required by law to retain certain records (for example, payment records retained for HMRC).
9. Your Data Protection Rights
Depending on your location, you have the following rights regarding your personal information:
- Right to Access: You have the right to request copies of your personal data.
- Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions.
- Right to Data Portability: You have the right to request that we transfer the data we have collected to another organisation, or directly to you, under certain conditions.
- Right to Withdraw Consent: Where we process your data based on consent (e.g. analytics cookies, notification emails), you may withdraw consent at any time.
If you make a request, we have one month to respond. Contact us at [email protected].
9.1. Right to Complain to a Supervisory Authority
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a data protection supervisory authority:
- United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
- France: Commission Nationale de l'Informatique et des Libertés (CNIL) — cnil.fr
- Other EU/EEA countries: Your local data protection authority
10. Children's Privacy
Our Service is intended for adults. Because Pelosi Tracker involves financial information and a paid subscription, we require users to be at least 18 years old. We do not knowingly collect personally identifiable information from anyone under the age of 18. If you are a parent or guardian and are aware that your child has provided us with personal data, please contact us and we will delete the information promptly.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "date" field at the top. For material changes, we will notify registered users by email at least 30 days before the changes take effect.
You are advised to review this Privacy Policy periodically. Changes are effective when posted on this page (or, for material changes, after the 30-day notice period).
12. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
- By email: [email protected]
- By post: Vantara Labs Ltd, Gibson House, Hurricane Court, Hurricane Close, Stafford, ST16 1GZ, United Kingdom
13. California Residents (CPRA)
If you are a California resident, you have the following rights under the California Privacy Rights Act (CPRA) in addition to the rights set out in Section 9:
- Right to Know what personal information we have collected, used, disclosed, and the purposes for which it was collected
- Right to Delete the personal information we have collected about you, subject to legal exceptions
- Right to Correct inaccurate personal information we hold about you
- Right to Limit Use of Sensitive Personal Information to purposes reasonably necessary to provide the Service
- Right to Opt Out of Sale or Sharing of personal information for cross-context behavioural advertising
- Right to Non-Discrimination for exercising your privacy rights
We do not sell or share your personal information for cross-context behavioural advertising. To exercise any of the rights above, contact us at [email protected]. We will verify your identity using information associated with your account before acting on your request.