Privacy Policy
Last updated: March 28, 2026
Business Diver is operated by ResourceHub Cph (CVR DK46200462), a Danish enkeltmandsvirksomhed (sole proprietorship) based in Copenhagen, Denmark. This privacy policy explains what data we collect, why we collect it, and how we protect it.
1. Data We Collect
Account data
When you create an account, we collect:
- Email address - used for authentication, account recovery, and service communications.
- Password hash - if you sign up with email and password, your password is hashed using bcrypt before storage. We never store your plain-text password.
- OAuth reference - if you sign up with Google, we store a reference to your Google account. We do not receive or store your Google password.
- Display name - optional, set by you in your account settings.
- Subscription tier - your current plan (Free, Pro, or Business) and associated billing identifiers if applicable.
Automatically collected data
Our web server automatically logs standard access data including IP addresses, request timestamps, and HTTP methods. These logs are used for security monitoring, debugging, and abuse prevention. Server logs are retained for a limited period and are not linked to your user account.
Usage data
We track the number of research reports you generate each month, broken down by mode (managed key or BYOK). This is used for quota enforcement on your subscription tier.
Search history
When you generate a research report, we store the company name, a URL-safe slug, the full report content (as JSON), the AI provider used, the research mode (fast or deep), and a timestamp. This enables you to access your past reports from any device.
What we do NOT collect
We do NOT store your API keys. If you use Bring Your Own Key (BYOK) mode, your API key is stored exclusively in your browser's localStorage. It is sent to our backend only during active research requests, held in memory for the duration of one API call, and then discarded. It is never logged, written to disk, or stored in any database. Read our full security details.
2. Legal Basis for Processing
We process your personal data on the basis of contractual necessity (GDPR Art. 6(1)(b)). The data we collect is necessary to provide the Business Diver service: authenticating your account, enforcing usage limits, and storing your research history so you can access it later.
3. Data Processors and Sub-processors
We use the following third-party services to operate Business Diver. Each processes data on our behalf under their respective data processing agreements:
- Supabase Inc. - Authentication and database hosting. Stores account data, usage records, and search history. Based in the US. Your data is hosted in the EU (Ireland, eu-west-1). See Supabase's DPA.
- Google LLC - OAuth authentication (Google Sign-In). Receives your Google account reference during login.
- Railway Corp. - Backend hosting. Our research engine runs on Railway servers. Research data passes through Railway infrastructure during processing.
- Stripe Inc. - Payment processing (for paid subscriptions). Receives your payment details directly. We do not store credit card numbers.
4. Data Retention
Your data is retained for as long as your account is active. When you delete your account, all your data is permanently removed from our systems, including your profile, usage history, and all stored research reports. This deletion is irreversible.
Anonymized, publicly available company reports that we publish for SEO purposes (such as the sample reports visible on the website) do not contain any personal data and are not affected by account deletion.
5. Your Rights Under GDPR
As a data subject, you have the following rights:
- Right to access (Art. 15) - You can export all your data (profile, usage history, and research reports) as a JSON file from your account page.
- Right to erasure (Art. 17) - You can delete your account at any time from your account page. This permanently removes all your personal data from our systems.
- Right to data portability (Art. 20) - The JSON export provides your data in a structured, machine-readable format that you can take to another service.
- Right to rectification (Art. 16) - You can update your profile information (display name, email) from your account page.
To exercise any of these rights, use the controls on your account page or contact us at info@businessdiver.com.
6. Cookies and Local Storage
Authentication cookies
We use authentication cookies issued by Supabase to maintain your login session. These are strictly necessary for the service to function and do not require consent under the ePrivacy Directive. They contain no tracking data and are used solely to verify that you are logged in.
Analytics
We use Vercel Analytics and Speed Insights for aggregate performance monitoring. If Google Analytics 4 (GA4) is enabled, it uses cookies for visitor analytics. GA4 cookies require consent before activation. We do not use advertising pixels, third-party trackers, or cross-site tracking of any kind.
Local storage
If you use BYOK mode, your API key is stored in your browser's localStorage with a 24-hour auto-expiry. This data never leaves your browser except during active research requests. You can clear it at any time using the "Delete Key" button in the research tool or by clearing your browser storage.
7. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- HTTPS-only transmission (HSTS enforced)
- Content Security Policy headers on all pages
- Row Level Security on all database tables (users can only access their own data)
- Passwords hashed with bcrypt
- API keys scrubbed from all error messages
- Rate limiting on all endpoints
For more details, see our security page.
8. International Data Transfers
Some of our data processors (Supabase, Google, Railway, Stripe) are based in the United States. Transfers to the US are covered by the EU-US Data Privacy Framework or Standard Contractual Clauses as applicable. By using Business Diver, you acknowledge that your data may be processed outside the EEA under these safeguards.
9. Children
Business Diver is not intended for use by individuals under the age of 16. We do not knowingly collect data from children. If you believe a child has created an account, please contact us and we will delete the account promptly.
10. Contact
For privacy-related questions, data subject requests, or complaints, contact us at:
ResourceHub Cph
CVR DK46200462
Email: info@businessdiver.com
You also have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet) at datatilsynet.dk.
11. Changes to This Policy
We will update this policy as our service evolves. Material changes will be communicated via email to registered users. The "Last updated" date at the top of this page reflects when the most recent changes were made.
Change log
- March 28, 2026 - Complete rewrite for user accounts, GDPR compliance, data processor disclosures, and rights documentation.
- March 25, 2026 - Initial version (BYOK-only, no user accounts).