What we collect, what we don't, and why.
Effective May 24, 2026. We'll edit this if our data practices change.
The short version
We collect the minimum needed to run the Service: your email for login and newsletters, your submissions and comments, your votes and verifications, and a few technical things like IP address and basic page analytics. We don't sell your data, we don't run third-party ad networks, and we don't share your email with brands.
1. Who we are
EOD is operated by EOD. We're the data controller for the personal information described below. Reach us at privacy@instrumentcapital.com for any privacy-related question or request.
2. What we collect
We collect personal data in three buckets:
You give it to us. Your email address (for login, newsletter, and account recovery); your username and display name; any optional profile bio you add; the contents of finds, comments, verifications, and event RSVPs you submit; your billing details if you become a paid Insider (held by Stripe, we never see card numbers).
We collect it automatically. Your IP address and browser user-agent (logged at the edge for spam prevention and security); cookies for session management and CSRF protection; page-view analytics including which pages you visit and what referred you (we use Vercel Web Analytics, which is cookieless and doesn't fingerprint you).
Other services give it to us. If you sign in with Google, Google shares your name, email, and profile photo. Stripe shares billing status and the last four digits of your card so we can show it to you in the customer portal.
3. Why we collect it (legal basis)
For users in the EU/UK, we rely on the following legal bases under GDPR:
- Contract, to provide the Service you signed up for (login, newsletter delivery, membership).
- Legitimate interest, to keep the Service secure (IP logging, rate limiting) and to understand usage at an aggregate level (analytics).
- Consent, for the newsletter (collected via double opt-in) and for any optional cookies.
- Legal obligation, to retain records required by tax and consumer-protection law.
4. Who we share it with
We share personal data only with service providers that help us operate the Service. They're bound by contract to use it only on our behalf. Currently:
- Supabase (US), our database and authentication provider. Stores your account, your submissions, and your activity.
- Vercel (US), hosting and edge platform. Sees IP and request metadata.
- Stripe (US), payment processing for Insider memberships. Holds your billing details under their own privacy policy.
- Google (Gmail API), sends transactional and newsletter email. Sees the recipient address and message content.
- Anthropic via Vercel AI Gateway, runs the AI evidence-pass model on each find. The model receives only the product name and category, never your submission's prose or your account identifiers.
- NCBI PubMed, runs anonymous citation queries on our behalf. No personal data goes to NCBI.
- Skimlinks / Mavely, affiliate networks that rewrite outbound links. They see the destination URL and a click event; they don't see your email or account.
We don't sell or rent your personal data to anyone. We don't share it with brands featured on the site. We don't run third-party ad networks.
We may disclose data if compelled by valid legal process (subpoena, court order). Where legally permitted, we'll notify you first so you can object.
5. International transfers
Our service providers are primarily located in the United States. If you're in the EU/UK, your data will be transferred to the US under Standard Contractual Clauses or equivalent safeguards that our providers maintain.
6. How long we keep it
We keep your account data for as long as your account is active. When you delete your account, we delete your personal identifiers (email, name, IP history) within 30 days. We retain your public contributions (published finds, comments) in a de-identified form because removing them would break the historical archive: the submitter byline becomes “[deleted]” but the content stays. If you want a published find removed entirely, email privacy@instrumentcapital.com and we'll consider it case-by-case.
We keep billing records for 7 years to comply with US tax law.
Newsletter unsubscribes are honored immediately; we retain the unsubscribe record indefinitely so we never accidentally re-add you.
7. Your rights
Wherever you live, you can:
- Access the personal data we hold about you.
- Correct inaccuracies.
- Delete your account and associated personal data.
- Export your data in a portable format (we'll send you a JSON dump).
- Object to processing for direct marketing, including unsubscribing from the newsletter at any time.
EU/UK users have additional rights under GDPR (right to restrict processing, right to object to legitimate-interest processing, right to lodge a complaint with your supervisory authority).
California users have rights under the CCPA / CPRA: to know what we've collected, to delete it, to correct it, and to opt out of “sale” or “sharing” of personal information. We don't sell or share personal information in the CCPA sense, so the opt-out is a no-op, but you can still make the request.
To exercise any of these rights, email privacy@instrumentcapital.com. We'll respond within 30 days.
8. Cookies and tracking
We use essential cookies for session management (so you stay logged in) and CSRF protection. We don't use third-party tracking cookies, advertising cookies, or fingerprinting.
Our analytics provider (Vercel Web Analytics) is cookieless and aggregates data without identifying individual users. The Skimlinks script on outbound links uses its own cookies for attribution; you can opt out at skimlinks.com/optout.
9. Children
The Service is intended for adults. We don't knowingly collect personal data from anyone under 16. If you believe a minor has created an account, email us and we'll delete it.
10. Security
We use HTTPS for all traffic, encrypted-at-rest databases, and industry-standard auth practices (magic-link with limited-lifetime tokens, OAuth via Supabase, and no plaintext password storage, because there's no password to begin with). We can't promise perfect security; if we detect a breach affecting your data, we'll notify you per applicable breach-notification law.
11. Changes to this policy
If we change how we collect or use personal data, we'll update this page and, for material changes, notify active members by email at least 14 days before the change takes effect.
12. Contact
EOD
123 Placeholder Street, New York, NY 10001
privacy@instrumentcapital.com
This policy is a working document drafted for an early-stage product and doesn't constitute legal advice. Before launching the production domain, have it reviewed by a privacy-qualified attorney in your jurisdiction. The CCPA, GDPR, and breach-notification requirements have material teeth.
EOD publishes opinions and summaries of research about supplements, services, and protocols. It is not medical advice. Consult a qualified healthcare provider before changing your supplement, exercise, sleep, or medication regimen.
Some outbound links on EOD are affiliate links. If you buy through them we may earn a small commission, at no extra cost to you. It never influences what we publish or how it's ranked. Full disclosure.