Data Handling Policy
Effective Date: March 27, 2026 · Last Updated: March 27, 2026
This Data Handling Policy describes how Top Performer AI, Inc. ("Company," "we," "us," or "our") collects, processes, stores, and protects research data and client information in connection with the Top Performer AI platform ("Platform"). This policy is intended to provide transparency to our enterprise clients regarding our data practices and to demonstrate our commitment to responsible data stewardship.
1. Research Data Collection
1.1 Public Data Sources
The Platform collects and processes data exclusively from publicly available sources. Our primary research data sources include:
| Source | Data Type | Legal Basis |
|---|---|---|
| SEC EDGAR | 10-K, 10-Q, 8-K, S-1, DEF 14A, proxy statements, and other public filings | Public domain; SEC filings are public records under federal securities laws |
| USPTO | Patent applications, granted patents, patent claims | Public domain; USPTO data is published by the U.S. government and is not subject to copyright |
| Earnings Transcripts | Publicly broadcast earnings calls and investor presentations | Fair use; publicly disseminated by companies for investor consumption |
| Press Releases | Corporate announcements, product launches, partnerships | Public dissemination; intended for public distribution |
| News Articles | Published reporting from recognized media outlets | Fair use; factual information extracted, not wholesale reproduction |
| Regulatory Filings | FDIC call reports, Federal Reserve data, OCC disclosures | Public domain; government-published data |
1.2 Proprietary Information — What We Do NOT Collect
Explicit Statement Regarding Bank Proprietary Information
- We do NOT access, collect, store, or process any proprietary, confidential, or non-public information from the banking institutions analyzed on the Platform
- We do NOT obtain information through hacking, unauthorized access, social engineering, or any illegal means
- We do NOT accept or use tips, leaks, or material non-public information (MNPI) from insiders or former employees of analyzed institutions
- We do NOT access internal systems, intranets, proprietary databases, or non-public APIs of any analyzed institution
- All competitive intelligence is derived entirely from the public data sources listed in Section 1.1
2. Client Data Collection and Storage
2.1 Client Query Data
When clients interact with the Platform, the following data is collected and stored:
- Search Queries: Text queries submitted to the Platform's search and analysis interfaces
- Chat History: Conversations with the Platform's AI-powered chat interface, including questions and generated responses
- Report Configurations: Custom report parameters, filters, bank selections, and comparison criteria
- Alert Preferences: Configured monitoring alerts and notification preferences
2.2 Client Data Isolation
Each client's data is logically isolated within our infrastructure:
- Client queries and chat history are associated with individual client accounts and are not shared with or accessible by other clients
- Enterprise clients may request dedicated database instances for enhanced isolation
- Row-level security policies enforce data isolation at the database level
- API access is authenticated and scoped to the requesting client's data
2.3 Data Retention Schedule
| Data Category | Retention Period | Post-Retention Action |
|---|---|---|
| Account information | Account lifetime + 30 days | Permanent deletion |
| Chat / query history | 12 months | Anonymization or deletion |
| Report configurations | Account lifetime | Deletion on account closure |
| Usage analytics | 24 months (aggregated) | Retained in aggregate only |
| Billing records | 7 years | Secure archival per tax law |
| Server / access logs | 90 days | Automatic deletion |
| Research data cache | Refreshed on source update | Overwritten with current data |
3. Security Measures
3.1 Infrastructure Security
- Hosting: Platform hosted on Vercel's enterprise infrastructure with automatic DDoS protection, edge caching, and global CDN
- Database: Supabase-managed PostgreSQL with automated backups, point-in-time recovery, and encryption at rest (AES-256)
- Network: All data transmitted over TLS 1.2+ encrypted connections. HSTS enforced. No plaintext data transmission.
- Payments: Payment processing handled entirely by Stripe, a PCI DSS Level 1 certified service provider. We never store raw credit card data.
3.2 Application Security
- Authentication via Supabase Auth with support for SSO, MFA, and enterprise identity providers
- Row-level security (RLS) policies on all database tables containing client data
- API rate limiting and abuse detection
- Input validation and sanitization on all user-submitted data
- Content Security Policy (CSP) headers to mitigate XSS attacks
- Regular dependency auditing and automated vulnerability scanning
3.3 Operational Security
- Principle of least privilege for all internal access to production systems
- Environment variables and secrets managed through secure secret management (never committed to source code)
- Incident response plan with defined escalation procedures and notification timelines
- Business continuity and disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
4. Compliance with Financial Data Regulations
4.1 Securities Regulations
The Platform is designed as a competitive intelligence tool and is NOT a registered investment advisor, broker-dealer, or financial services provider. However, we maintain the following practices to ensure responsible handling of financial data:
- We only process publicly available financial data — no MNPI is collected or used
- Our outputs are clearly labeled as informational and not investment advice
- We maintain audit logs of data source provenance to demonstrate public origin of all information
- We do not make buy/sell/hold recommendations or provide personalized investment guidance
4.2 Fair Use of Public Data
Our use of publicly available financial data is grounded in the following legal principles:
- SEC EDGAR data: Federal government publications are not subject to copyright protection. SEC filings are public records.
- USPTO patent data: Published by the U.S. government and explicitly in the public domain.
- Factual information: Under U.S. copyright law, facts are not copyrightable (Feist Publications, Inc. v. Rural Telephone Service Co., 499 U.S. 340, 1991).
- Transformative analysis: Our AI-powered analysis creates new, transformative outputs from underlying factual data, supporting fair use.
4.3 CFPB Considerations
The Platform does not provide consumer financial products or services and is not subject to CFPB supervision. The Platform is a B2B enterprise intelligence tool sold to institutional clients. We do not collect, process, or analyze consumer financial data, credit information, or personal banking information.
4.4 Gramm-Leach-Bliley Act (GLBA)
The Platform does not access or process non-public personal information (NPI) as defined under the GLBA. Our data sources consist exclusively of publicly available corporate and institutional data, not individual consumer financial information.
5. Data Processing for AI Systems
5.1 AI Model Inputs
The Platform utilizes AI models (including large language models) to analyze public financial data and generate intelligence outputs. The following principles govern AI data processing:
- Client queries are processed through AI models to generate responses but are not used to train or fine-tune models without explicit client consent
- Public financial data is processed through our analytical pipeline to generate structured intelligence outputs
- AI model providers (e.g., OpenAI, Anthropic) receive de-identified query data only as needed for inference processing, subject to data processing agreements that prohibit use for model training
5.2 Output Provenance
All AI-generated outputs include provenance tracking that links analytical conclusions back to underlying public data sources. This enables:
- Verification of claims against original source documents
- Transparency regarding the basis for analytical conclusions
- Audit trail for compliance and due diligence purposes
6. Enterprise Client Controls
Enterprise clients under Exclusive or Custom license agreements may request:
- Data export: Full export of all client data in machine-readable format (JSON, CSV)
- Data deletion: Complete deletion of all client data upon written request, completed within thirty (30) days
- Audit rights: Annual audit of data handling practices by client or client-designated third-party auditor
- Custom retention: Modified retention schedules to align with client internal policies
- DPA execution: Execution of formal Data Processing Agreements (DPAs) that meet client regulatory and compliance requirements
- Security questionnaires: Completion of vendor security assessments and due diligence questionnaires
7. Incident Response and Breach Notification
In the event of a data breach or security incident affecting client data:
- We will notify affected clients within seventy-two (72) hours of confirming a breach, or sooner as required by applicable law
- Notification will include: nature of the breach, data affected, remediation steps taken, and recommended actions for clients
- We will cooperate with client security and compliance teams in incident investigation
- Post-incident reports will be provided to affected enterprise clients
Contact Information
For data handling inquiries:
Top Performer AI, Inc.
Security: security@topperformer.ai
Privacy: privacy@topperformer.ai
General: legal@topperformer.ai