Last updated · 2026-05-23
Privacy Policy
This Privacy Policy explains how Ohad Ben Tzvi (trading as Intrinsic Research) (“Intrinsic,” “we,” “us,” or “our”) collects, uses, retains, and discloses your personal data when you use our research platform at byintrinsic.com (the “Service”).
Intrinsic Research
01Who We Are
Intrinsic Research is operated by Ohad Ben Tzvi (trading as Intrinsic Research), a sole proprietor registered in Israel. Our service is accessible at byintrinsic.com.
As the entity that determines how and why your personal data is processed, Ohad Ben Tzvi (trading as Intrinsic Research) is the data controller for the purposes of the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR), the Israeli Privacy Protection Law 5741-1981 (PPL), and applicable US state privacy laws.
Contact us at any time: [email protected]
02Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, hashed password | You provide directly at registration |
| Profile data | Investment preferences, watchlist contents, notes | You provide directly during use |
| Usage data | Pages visited, features used, session duration, clicks | Automatically collected via cookies/analytics |
| Technical data | IP address, browser type, device type, operating system | Automatically collected |
| Payment data | Billing email, subscription plan, transaction ID (no card numbers) | Via our payment processor (when paid billing is active) |
| Communications | Emails and support messages you send us | You provide directly |
| Marketing prefs | Whether you have opted in or out of marketing emails | You provide directly; inferred from behaviour |
We do not collect special categories of personal data (e.g., health data, biometric data, political opinions, racial or ethnic origin).
We do not collect or store full payment card numbers. All payment card data is processed exclusively by our payment processor; we have no access to raw card details.
03How We Use Your Data
The table below sets out each purpose for which we process your personal data and the lawful basis we rely on under GDPR and UK GDPR:
| Purpose | GDPR Lawful Basis (Art. 6) | UK GDPR Lawful Basis |
|---|---|---|
| Provide and operate the Service | Art. 6(1)(b) — contract performance | Art. 6(1)(b) |
| Manage your account and subscription | Art. 6(1)(b) — contract performance | Art. 6(1)(b) |
| Send transactional emails (receipts, alerts) | Art. 6(1)(b) — contract performance | Art. 6(1)(b) |
| Send product updates / marketing (opt-in) | Art. 6(1)(a) — consent | Art. 6(1)(a) |
| Improve and develop the Service | Art. 6(1)(f) — legitimate interests | Art. 6(1)(f) |
| Comply with legal obligations | Art. 6(1)(c) — legal obligation | Art. 6(1)(c) |
| Fraud prevention and security | Art. 6(1)(f) — legitimate interests | Art. 6(1)(f) |
| Enforce our Terms of Service | Art. 6(1)(f) — legitimate interests | Art. 6(1)(f) |
We will not use your personal data for purposes that are incompatible with those described above. Where we rely on consent (e.g., marketing emails), you may withdraw that consent at any time by clicking the unsubscribe link in any email or by contacting [email protected].
04Data Sharing and Sub-Processors
We share your personal data only where necessary to provide the Service. Our current sub-processors are listed below. We contractually require all sub-processors to protect your data to standards equivalent to those in this Policy.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Cloud hosting provider | Application hosting and infrastructure | United States | Data Processing Agreement + SCCs |
| Email delivery provider(s) | Transactional and product emails | United States | Data Processing Agreement + SCCs |
| Product analytics provider | Aggregate product usage analytics and service improvement | United States | Data Processing Agreement + SCCs |
| Payment processor | Payment processing and invoicing (when paid billing is active) | United States | Data Processing Agreement + SCCs |
We do not sell your personal data to third parties, and we do not share it for third-party advertising purposes.
We may disclose your data if required by law, court order, or regulatory authority, or to protect the rights, property, or safety of Intrinsic Research, our users, or the public.
05International Data Transfers
We are based in Israel. The European Commission has adopted an adequacy decision recognising Israel as providing an adequate level of data protection (Commission Decision 2011/61/EU). Personal data transferred from the EU or UK to us in Israel is therefore protected to an adequate standard.
For transfers of EU personal data to third-country sub-processors (e.g., US-based service providers), we rely on one or more of the following mechanisms:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914), incorporated into our data-processing agreements with sub-processors; or
- The EU-US Data Privacy Framework (DPF), where the recipient is DPF-certified.
For transfers of UK personal data to third-country sub-processors, we rely on:
- International Data Transfer Agreements (IDTAs) adopted by the UK Information Commissioner’s Office; or
- UK Addenda to the EU SCCs (as approved by the Secretary of State).
You may request a copy of the relevant transfer mechanism by contacting [email protected].
06Data Retention
We retain personal data only for as long as necessary for the purposes described in this Policy and to comply with our legal obligations:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 2 years after closure | Contract performance; fraud prevention |
| Usage / analytics data | 26 months | Product improvement; legitimate interests |
| Payment records | 7 years from transaction date | Tax, accounting, and legal obligations |
| Support communications | 3 years | Dispute resolution; legal compliance |
| Marketing consent | Until withdrawn + 3 years | Proof of consent; regulatory compliance |
| Server / access logs | 90 days | Security monitoring; legal compliance |
After the applicable retention period, we securely delete or irreversibly anonymise your personal data.
07Your Privacy Rights
7.1 EU Residents (GDPR)
If you are located in the European Union, you have the following rights under the GDPR:
- Right of access: Request a copy of the personal data we hold about you (Art. 15).
- Right to rectification: Request correction of inaccurate or incomplete data (Art. 16).
- Right to erasure: Request deletion of your data where there is no compelling reason for continued processing (Art. 17).
- Right to restriction: Request that we restrict processing of your data in certain circumstances (Art. 18).
- Right to data portability: Receive your data in a structured, machine-readable format and transmit it to another controller (Art. 20).
- Right to object: Object to processing based on legitimate interests or for direct marketing purposes (Art. 21).
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
- Right to lodge a complaint: Lodge a complaint with the data-protection supervisory authority in your EU member state of habitual residence.
To exercise any of these rights, email [email protected] with the subject line “GDPR Request.” We will respond within 30 days (extendable by a further 60 days in complex cases, with notice).
7.2 UK Residents (UK GDPR)
UK residents have equivalent rights under the UK GDPR and the Data Protection Act 2018. Requests should be sent to [email protected]. Complaints may be lodged with the Information Commissioner’s Office (ICO) at ico.org.uk.
7.3 US Residents (CCPA / State Privacy Laws)
We comply with the following US state privacy laws:
California (CCPA/CPRA) · Virginia (VCDPA) · Colorado (CPA) · Connecticut (CTDPA) · Texas (TDPSA) · Oregon (OCPA) · Montana (MCDPA) · and other applicable state laws.
If you are a US resident, you have the right to:
- Know what personal information we collect, use, disclose, or sell about you;
- Access a copy of the personal information we hold about you;
- Delete personal information we have collected from you (subject to certain exceptions);
- Correct inaccurate personal information;
- Opt out of the sale or sharing of your personal information;
- Opt out of targeted advertising and profiling that produces legal or similarly significant effects;
- Non-discrimination: we will not discriminate against you for exercising any of these rights.
California residents: We do not sell personal information (as defined by the CCPA) to third parties. We do not share personal information for cross-context behavioural advertising. To submit a verifiable consumer request, email [email protected] with subject line “CCPA Request” from the email address associated with your account. We will respond within 45 days, extendable once by a further 45 days.
Other state residents: To exercise any applicable right, please contact [email protected] with the subject line “Privacy Rights Request” and specify your state of residence.
7.4 Israeli Residents (Privacy Protection Law 5741-1981)
If you are located in Israel, you have the following rights under the Privacy Protection Law (PPL) and the Privacy Protection Regulations (Data Security) 5777-2017:
- Right to review: Request to inspect personal information we hold about you in our database.
- Right to correction: Request correction of inaccurate, outdated, incomplete, or unclear personal information.
- Right to deletion: Request that we delete personal information where we are no longer required to retain it.
To exercise these rights, contact [email protected]. We will respond within 30 days.
The collection and processing of personal data in connection with the Service constitutes a database under Israeli law. This database is held and maintained by Ohad Ben Tzvi (trading as Intrinsic Research) for the purposes described in this Policy.
08Security and Data Breach Notification
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration. These measures include encryption of data in transit (TLS/HTTPS), hashed password storage, access controls, and regular security reviews.
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible, as required by GDPR Article 33. Where the breach is likely to result in a high risk to individuals, we will also notify affected individuals directly without undue delay.
Despite our reasonable precautions, no system is completely secure. By using the Service you acknowledge this residual risk.
09Cookies
We use cookies and similar tracking technologies on our website. Cookies are small text files placed on your device that help the Service function correctly and allow us to understand how users interact with it.
We use the following categories of cookies:
- Strictly necessary cookies: Essential for the website and Service to function. These include session and authentication cookies. They cannot be disabled without breaking core functionality and do not require your consent.
- Functional cookies: Used to remember your preferences (e.g., display settings). These are set on the basis of our legitimate interest in providing a usable interface.
- Analytics cookies (opt-in only): Used to collect aggregate data about how users navigate and use the Service, so we can improve it. These are only set with your explicit consent, which you can give or withdraw via the cookie consent banner displayed on your first visit.
We do not use advertising or cross-site tracking cookies.
You can manage or delete cookies through your browser settings at any time. Note that disabling strictly necessary cookies will prevent you from logging in. For a full list of the specific cookies we set, or to ask any questions about our use of cookies, please contact us at [email protected].
10Children’s Privacy
The Service is not directed to or intended for use by persons under the age of 18. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected data from a child, we will delete it promptly. If you believe we have collected data from a child, please contact [email protected] immediately.
11Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email and/or by a prominent notice on our website at least 30 days before the changes take effect. The “last updated” date at the top of this Policy reflects the most recent revision. Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.
12Contact Us and Complaints
If you have any questions about this Privacy Policy or wish to exercise any of your rights:
Data Controller:
Ohad Ben Tzvi (trading as Intrinsic Research)
[email protected]
byintrinsic.com
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant data protection authority:
- European Union: Your national supervisory authority (full list at edpb.europa.eu/about-edpb/about-edpb/members_en)
- United Kingdom: Information Commissioner’s Office — ico.org.uk — Tel: 0303 123 1113
- Israel: Privacy Protection Authority — gov.il/en/departments/the_privacy_protection_authority
© 2026 Ohad Ben Tzvi (trading as Intrinsic Research). All rights reserved.
Questions? Email [email protected]. See also our Terms, Privacy, and Refund policy.