Legal
Privacy Policy
Effective: April 2026
This Privacy Policy describes how Altus Capital GmbH, operating under the brand name Dealytix ("Altus Capital", "Dealytix", "we", "us"), collects, uses, stores, and protects personal data when you use dealytix.com and purchase any report or product. Altus Capital GmbH is the data controller. We are committed to compliance with the Swiss Federal Act on Data Protection (nDSG, in force September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and applicable US state privacy laws including the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).
1. Identity of the Data Controller
Controller: Altus Capital GmbH (operating as Dealytix), Canton Schwyz, Switzerland.
Contact for data protection matters: hello@dealytix.com. Response within 5 business days.
Altus Capital GmbH does not have a statutory obligation to appoint a Data Protection Officer (DPO) under nDSG or GDPR at this time. Data protection enquiries are handled directly by the company.
2. Data We Collect
2.1 Data you provide directly:
—Identity and contact data: name and email address provided at purchase or via contact forms.
—Transaction data: reports ordered, listing URLs submitted, order history, product type, pack size, and payment records.
—Submission data: YouTube channel URLs, marketplace listing URLs, and any seller-provided attachments (screenshots, spreadsheets, PDFs) you upload when placing an order.
—Communications: any correspondence sent to Altus Capital GmbH by email or contact form, including support requests and complaints.
2.2 Data collected automatically:
—Usage data: pages visited, time on page, clicks, browser type and version, operating system, device type, screen resolution, and referring URL, collected via standard server logs.
—IP address: collected as part of standard web server operation. Used for security, fraud prevention, and aggregate analytics only. Not used for individual profiling.
—Cookies and similar technologies: see Section 9 for full cookie disclosure.
2.3 Data we do not collect: We do not collect payment card data directly. All payment processing is handled by Stripe Inc. under their own privacy policy. We do not collect government identification numbers, biometric data, or sensitive personal categories as defined under Art. 5 nDSG / Art. 9 GDPR.
3. How We Use Your Data
—To deliver purchased reports to the email address provided at checkout.
—To process payments securely via our payment processor Stripe Inc.
—To send order confirmations, delivery notifications, and transactional emails directly related to your purchase.
—To respond to support requests, complaints, and general enquiries.
—To improve the Dealytix scoring methodology using anonymised, aggregated outcome data only — never using individually identifiable information.
—To detect and prevent fraud, abuse, and security incidents.
—To comply with applicable legal obligations including Swiss commercial record-keeping requirements (OR Art. 958f).
We do not sell, rent, or licence your personal data to any third party. We do not use your data for advertising purposes, behavioural tracking, or targeted marketing. We do not share your identity, email address, purchase history, or submitted listing data with any marketplace, broker, seller, or platform.
4. Legal Basis for Processing
Under Swiss nDSG and, where applicable, GDPR, we process personal data on the following legal bases:
—Performance of contract (Art. 6(1)(b) GDPR / nDSG Art. 31): processing necessary to deliver your purchased report and fulfil our contractual obligations.
—Compliance with legal obligations (Art. 6(1)(c) GDPR / nDSG Art. 31): processing required by Swiss commercial law, tax law, and applicable regulatory requirements.
—Legitimate interests (Art. 6(1)(f) GDPR / nDSG Art. 31): fraud prevention, security monitoring, and anonymised methodology improvement. Our legitimate interests do not override your rights and freedoms.
—Consent (Art. 6(1)(a) GDPR): where we rely on consent (e.g., optional analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing.
5. Data Retention
Transaction and order data is retained for 10 years in accordance with Swiss commercial record-keeping requirements (OR Art. 958f). This includes order confirmations, payment records, and delivered report logs (not the report content itself).
Submitted listing data (URLs, attachments) is retained for 2 years to support any dispute resolution or quality review, then deleted.
Email correspondence is retained for 3 years.
Usage data and server logs are retained for 12 months and then deleted or anonymised.
Anonymised benchmark data (aggregate, non-identifiable scoring patterns) may be retained indefinitely as part of our methodology calibration dataset.
You may request deletion of your personal data at any time. We will action deletion requests within 30 days, subject to any mandatory retention obligations under Swiss law.
6. Third-Party Processors
We use the following third-party processors, each governed by appropriate data processing agreements:
—Stripe Inc. (San Francisco, CA, USA) — payment processing. Stripe processes payment card data directly under its own privacy policy. We receive only a payment confirmation token, never card data. Stripe is certified under PCI DSS Level 1.
—Supabase Inc. — database and storage infrastructure. Order data, listing submission data, and reports are stored on Supabase-hosted servers. Supabase infrastructure is hosted on AWS in regions selected by Altus Capital GmbH.
—Anthropic, PBC (San Francisco, CA, USA) — AI analysis engine. Submission data including listing URLs and seller-uploaded attachments are processed by Anthropic's Claude API to generate report content. Anthropic's API usage policy prohibits training on API inputs.
—Resend (email delivery) — transactional email delivery for order confirmations and report notifications.
—Railway (infrastructure) — Node.js application hosting for the report generation pipeline.
—Framer (website hosting) — hosting of the dealytix.com website frontend.
All processors are contractually required to: process data only on documented instructions from Altus Capital GmbH; implement appropriate technical and organisational security measures; not engage sub-processors without our approval; and assist with data subject rights requests.
7. International Data Transfers
Your data may be transferred to and processed in countries outside Switzerland and the European Economic Area, including the United States. The United States does not have an adequacy decision from the Swiss Federal Council equivalent to GDPR Article 45. Where such transfers occur, we rely on:
—Standard Contractual Clauses (SCCs) approved by the European Commission and recognised by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for transfers to countries without an adequacy determination.
—Processor-specific adequacy frameworks where applicable (e.g., Stripe's EU-US Data Privacy Framework certification).
You may request information about the specific safeguards applied to any transfer by contacting hello@dealytix.com.
8. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal data:
—Right of access (Art. 25 nDSG / Art. 15 GDPR): obtain confirmation of whether we process your data and receive a copy.
—Right to rectification (Art. 32 nDSG / Art. 16 GDPR): request correction of inaccurate or incomplete data.
—Right to erasure (Art. 32 nDSG / Art. 17 GDPR): request deletion of your personal data, subject to legal retention obligations.
—Right to restriction of processing (Art. 18 GDPR): request that we limit processing of your data in certain circumstances.
—Right to data portability (Art. 20 GDPR): receive your data in a structured, machine-readable format.
—Right to object (Art. 21 GDPR): object to processing based on legitimate interests.
—Right to withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior processing.
—California residents (CCPA/CPRA): right to know, right to delete, right to correct, right to opt out of sale (we do not sell data), right to non-discrimination for exercising privacy rights.
To exercise any of these rights, contact hello@dealytix.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice). We may need to verify your identity before actioning a request. There is no fee for standard requests; we reserve the right to charge a reasonable administrative fee for manifestly unfounded or excessive requests.
If you are unsatisfied with our response, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at www.edoeb.admin.ch, or with the supervisory authority in your EU member state of residence.
9. Cookies and Tracking Technologies
9.1 What we use. We use minimal cookies and tracking. Our website uses cookies for the following purposes:
—Strictly necessary cookies: session management and security tokens required for the website to function. These cannot be disabled.
—Analytics cookies (optional, consent required): aggregate, anonymised visitor statistics to understand how the website is used. We do not use advertising cookies or cross-site tracking.
9.2 What we do not use. We do not use advertising cookies, retargeting pixels, social media tracking pixels, or any technology that tracks your behaviour across other websites.
9.3 Managing cookies. You can control non-essential cookies through your browser settings. Disabling analytics cookies does not affect your ability to use the website or purchase reports.
10. Security
Altus Capital GmbH implements the following technical and organisational measures to protect personal data: TLS encryption for all data in transit; access controls limiting data access to authorised personnel only; API key authentication for all service integrations; Supabase row-level security policies; and regular review of third-party processor security certifications.
No security system is completely impenetrable. In the event of a personal data breach that poses a risk to your rights and freedoms, Altus Capital GmbH will notify the relevant supervisory authority within 72 hours of becoming aware of the breach (where required by nDSG or GDPR), and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
11. Children's Privacy
The Service is not directed at children under the age of 18. Altus Capital GmbH does not knowingly collect personal data from anyone under 18. If you believe we have inadvertently collected data from a minor, contact hello@dealytix.com and we will delete it promptly.
12. Changes to This Policy
Altus Capital GmbH may update this Privacy Policy from time to time. The updated version will be posted at dealytix.com/privacy with a revised effective date. For material changes affecting how we use your personal data, we will notify registered users by email at least 14 days before the change takes effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.
13. Contact for Privacy Matters
For any privacy-related enquiry, to exercise your rights, or to lodge a concern, contact Altus Capital GmbH at: hello@dealytix.com. Altus Capital GmbH, Canton Schwyz, Switzerland. We aim to respond to all privacy enquiries within 5 business days.
© 2026 Altus Capital GmbH. All rights reserved.