Privacy Policy.
Last updated: 5 June 2026. This policy applies to the website thefilingpost.com and the editorial product served at that address.
1. Who we are
The Filing Post is operated by Mathonyx GmbH, Achterum 1, 26736 Krummhörn, Germany. Mathonyx GmbH is the controller of personal data processed in connection with the site, in the sense of Article 4(7) GDPR. Contact: privacy@thefilingpost.com. Our full legal disclosure is in the Impressum.
2. What we collect
We collect only what is necessary to provide the service. Personal data we hold falls into these categories:
- Account data. Email address, first and last name — submitted by you when you create an account. We use this to identify you, deliver the Morning Brief, and authenticate sign-in via magic-link.
- Authentication tokens. Short-lived magic-link tokens (15-minute expiry) and a 6-digit fallback code. Trusted-browser cookie (HMAC-signed, 30-day expiry) when you opt in. Last-used-email cookie (90 days) for sign-in convenience.
- Product state. Followed experts (up to 5 on the Free tier) and watchlisted tickers (up to 10 on the Free tier). Stored to deliver your personalised feed.
- Operational logs. Server access logs (IP address, request URL, user-agent, timestamp) are retained for 30 days for security, abuse prevention, and debugging.
- Email engagement. We do not use open-tracking pixels or click-tracking link wrappers on transactional or editorial emails. Standard SMTP delivery telemetry (delivered / bounced / complaint events) is processed by our email provider for deliverability reasons only.
We do not knowingly collect data from minors. The service is not directed to anyone under 16.
3. What we do not collect
We do not place third-party advertising or analytics cookies. We do not track you across other websites. We do not sell, rent, or share your personal data with third parties for marketing. We do not build advertising profiles. We do not require a password and therefore never see one.
4. Legal basis for processing
We process your data on the following bases under Article 6 GDPR:
- Performance of a contract (Art. 6(1)(b)). Account creation, authentication, the personalised feed, delivery of the Morning Brief once you’ve subscribed.
- Legitimate interest (Art. 6(1)(f)). Server logs for security and abuse prevention; aggregate, non-identifying usage metrics for product reliability.
- Consent (Art. 6(1)(a)). Optional features such as trusting a browser for 30 days, or opting into the Manager Deep-Dive weekly email.
5. Subprocessors
We use the following subprocessors to deliver the service. Each is bound to confidentiality and processes data only on our written instructions:
- Amazon Web Services EMEA SARL — Ireland region (eu-west-1). Hosts our application (EC2), database (RDS MySQL), and email delivery (SES). Personal data resides within the EU. AWS is GDPR-compliant; details: aws.amazon.com/compliance/gdpr-center.
- Anthropic, PBC — United States. Provides the Claude large language model that generates the Daily Brief, Manager Deep-Dives, and per-filing commentary. We send only publicly filed SEC, House, and Senate disclosure text to the model — never your account data, your follows, your watchlist, or any other personally identifiable information. International transfer is on the basis of the EU Standard Contractual Clauses. Anthropic does not train its models on our submitted prompts. Details: anthropic.com/legal/privacy.
6. International transfers
Application data stays in the EU (AWS Ireland). The only routine transfer outside the EEA is to Anthropic in the United States for editorial content generation; this transfer is covered by the European Commission’s Standard Contractual Clauses (2021/914) and is limited to public filing text. No user account data crosses the Atlantic.
7. How long we keep your data
- Account data: as long as your account is active, plus 90 days after deletion to support recovery from accidental deletion, then erased.
- Authentication tokens: magic-link tokens expire after 15 minutes; trusted-browser cookies after 30 days; last-email cookie after 90 days.
- Server access logs: 30 days, then deleted.
- Email delivery telemetry: 30 days, then deleted.
- Editorial archive: indefinitely (the Daily Brief and per-filing commentaries are part of the public record we maintain).
8. Your rights
Under the GDPR you have the right to:
- Access your personal data (Art. 15) — write to privacy@thefilingpost.com and we will send you a portable export.
- Rectify inaccurate data (Art. 16).
- Have your data erased (Art. 17) — see “Delete your account” on the Account page, or write to the address above; we will action within 30 days.
- Restrict processing (Art. 18) and object to processing based on legitimate interest (Art. 21).
- Receive your data in a portable format (Art. 20).
- Withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.
- Lodge a complaint with the supervisory authority — for residents of Lower Saxony, this is Die Landesbeauftragte für den Datenschutz Niedersachsen (lfd.niedersachsen.de). You may also lodge complaints with the supervisory authority in your country of residence.
9. Cookies
We use only first-party cookies necessary for the service. No third-party cookies, no advertising cookies, no analytics cookies.
- PHPSESSID (session): httponly, secure, samesite=lax — keeps you signed in during a browser session.
- tfp_trusted_browser (30 days): httponly, secure, samesite=lax — set only if you tick “Trust this browser” on sign-in.
- tfp_last_email (90 days): httponly, secure, samesite=strict — pre-fills your email on the sign-in form. Cleared when you click “Use a different email”.
10. Security
Data is encrypted in transit (TLS 1.2+). Database access is restricted to the application servers. Magic-link tokens are single-use and time-bound. Account deletion is permanent after the 90-day grace window.
11. Changes to this policy
We will post changes on this page and update the “Last updated” date at the top. Material changes will be announced via the Morning Brief at least 14 days before they take effect.
12. Contact
For any question about how we handle your personal data, write to privacy@thefilingpost.com. We aim to respond within five business days. Postal address: Mathonyx GmbH, Achterum 1, 26736 Krummhörn, Germany.