How does BullrunData calculate recession probability?

Our model weighs 15 economic indicators including the 10Y-2Y yield curve spread, unemployment trend (Sahm Rule), initial jobless claims, high-yield credit spreads, and the Chicago Fed National Financial Conditions Index. Dynamic weight adjustments are applied based on Fed policy stance and market regime.

What data sources does the API use?

BullrunData aggregates data from the FRED API (35 economic indicators), CFTC Commitments of Traders reports (institutional futures positioning), Yahoo Finance (11 S&P sector ETFs), and Treasury International Capital (TIC) data for foreign holdings of US Treasuries.

Can I use BullrunData with AI agents and MCP?

Yes. BullrunData is available as both a REST API and an MCP (Model Context Protocol) server for AI agents like Claude and ChatGPT. The MCP server exposes tools for recession analysis, capital rotation scoring, and investment property calculators.

How often is the data updated?

FRED indicators are fetched every 6 hours with a recession probability snapshot saved on each update. CFTC data updates weekly. Sector rotation data is calculated live on each request.

Privacy Policy

Last updated: May 11, 2026

What We Collect

When you sign up, we collect:

Your GitHub account email and profile name (via OAuth)
API usage counts (which endpoints you call and how many times per day)

When you use the API, we log:

Your API key (to enforce rate limits)
Daily request counts per key
Request metadata (timestamp, endpoint path, HTTP method, status code, response latency, IP address, user-agent string) — used for rate limiting, abuse prevention, and operational monitoring
We do not log request bodies, query parameters, or response data

What We Don't Collect

No tracking cookies or analytics scripts on the website
No third-party advertising trackers
No personal financial data (our calculators run server-side and results are not stored)
No conversation content from AI tools (Claude, ChatGPT, etc.) that use our MCP server

How We Use Your Data

To authenticate your API requests
To enforce daily rate limits based on your plan tier
To detect and prevent abuse, fraud, and service disruption
To send you service-related emails (downtime alerts, account changes)
We will never sell your data or share it with third parties for marketing

Lawful Basis for Processing (GDPR Article 6)

For users in the European Economic Area (EEA), United Kingdom, and other jurisdictions with similar laws, we process your personal data on the following lawful bases:

Contract (Art. 6(1)(b)): Account data and API key are necessary to provide the service you signed up for.
Legitimate interests (Art. 6(1)(f)): Request metadata, IP address, and usage logs are processed for rate limiting, abuse prevention, and service security. These interests are balanced against your rights and freedoms.
Legal obligation (Art. 6(1)(c)): Where applicable, to comply with tax, accounting, and other regulatory requirements.

Data Storage and Sub-Processors

Your account data and API usage records are stored in a PostgreSQL database hosted on Neon (US East region). All data is encrypted in transit via TLS 1.2+. The following sub-processors handle your personal data on our behalf:

Neon (Postgres database hosting, US East) — account data, API keys, request logs
Vercel (frontend + remote MCP server hosting, global edge) — request routing, TLS termination
Railway (REST API backend hosting, US) — handles API requests
Cloudflare (DNS and CDN) — DNS resolution, edge caching
GitHub (OAuth identity provider) — handles login authentication; we receive your email and profile name from GitHub
Stripe (payment processing, paid plans only) — handles billing and card data; we never see your full payment card information
Resend (transactional email) — delivers service-related emails to your inbox

All sub-processors are bound by data processing agreements that require equivalent or stronger data protection standards.

Data Retention

Account data (email, profile, API key): retained for the lifetime of your account, deleted within 30 days of an account deletion request
API request logs (timestamp, endpoint, IP, status): retained for 90 days, then deleted
Daily usage counters (per key, per day): retained for 12 months for billing reconciliation, then aggregated and anonymized
Economic data snapshots: retained indefinitely (these are our model outputs, not your personal data)
Email logs (from Resend): retained per Resend's default policy

Your Rights

Regardless of where you live, you have the right to:

Access: Request a copy of the personal data we hold about you
Rectification: Ask us to correct inaccurate or incomplete data
Deletion ("Right to be Forgotten"): Request deletion of your account and all associated data
Portability: Receive your data in a structured, machine-readable format (JSON)
Restriction: Ask us to limit processing of your data in certain circumstances
Objection: Object to processing based on legitimate interests
Withdraw consent: Where processing is based on consent, withdraw it at any time

To exercise any of these rights, email support@bullrundata.com. We will respond within 30 days. If you are in the EEA or UK and believe we have not handled your data properly, you have the right to lodge a complaint with your local supervisory authority.

International Data Transfers

Some of our sub-processors (Neon, Railway, Vercel) operate primarily from the United States. When we transfer personal data outside the European Economic Area, we rely on the European Commission's Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms to ensure your data receives an adequate level of protection.

Children's Privacy

BullrunData is not directed at children under 16, and we do not knowingly collect personal data from anyone under 16. If you believe we have inadvertently collected such data, please email us and we will delete it.

MCP Server Usage

When you use the BullrunData MCP server through Claude, ChatGPT, Cursor, or other AI tools, the same API key authentication and rate limiting applies. We do not have access to your conversations with these AI tools. We only see the API requests your MCP client makes to our endpoints (request metadata as described above).

Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active accounts and reflected in the “Last updated” date at the top of this page. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact & Data Protection Requests

For privacy questions, data subject requests, or any GDPR-related inquiries: support@bullrundata.com

BullrunData is operated as a sole-proprietor service. We have not appointed a formal Data Protection Officer (DPO) under GDPR Article 37 as our processing does not meet the threshold criteria. The contact email above is the canonical point of contact for all data protection matters.