Privacy Policy

Draft v1.0 — Last Updated 2026-05-07

This document is provided in good faith and reflects our current practices. Pending formal legal review. Material changes will be communicated to users via email and in-app notification.

1. Effective Date

This Privacy Policy is effective as of [USER FILL — e.g., 2026-05-15]. We last updated it on [USER FILL — e.g., 2026-05-07]. We will indicate the date of the most recent revision at the top of this document. Material changes are described in §13.

2. Who We Are

Sharpefolio (the "Service", "we", "us", or "our") is a personal investment portfolio analytics platform that provides portfolio tracking, performance analytics, factor and style analysis, options analytics, and risk management tools for individual investors. Sharpefolio does not provide investment advice, financial advice, brokerage services, or investment recommendations of any kind. The Service is a record-keeping and analytics tool only.

Sharpefolio is operated by [USER FILL — full legal name of operator or registered business entity], a [USER FILL — sole proprietor / LLC / etc.] based in [USER FILL — state, country].

  • Privacy contact: [email protected]
  • Website: https://sharpefolio.io
  • Postal address (if applicable): [USER FILL — required if EU, UK, or California users will be served at scale]
  • EU/UK Representative under GDPR Art. 27: [USER FILL — only required if you actively target EU/UK markets; if you do not actively target them, see §11]

If you have questions about this Policy, want to exercise any of the rights described in §8, or wish to make a complaint, please contact us at the email above. We aim to respond within 30 days.

3. Information We Collect

We collect only the information necessary to operate the Service. Categories below correspond one-to-one with the answers we provide on the Apple App Privacy questionnaire.

3.1 Identity and account data

  • Email address (from sign-up, OAuth, or Apple Hide-My-Email private relay address *@privaterelay.appleid.com)
  • Name and avatar URL (when you sign in with Google or Apple, we receive your display name and profile image)
  • OAuth provider identifier (e.g., Google sub claim, Apple sub claim) — used to link future logins to your account
  • A salted bcrypt hash of your password (only if you sign up with the email/password provider; we never store your plaintext password)
  • Phone number (only if you opt in to a phone-number sign-in method)

3.2 Financial data you provide or that we sync at your request

  • Positions (symbol, quantity, cost basis, broker label) entered manually or imported via CSV
  • Trades, dividends, and option lots
  • Daily portfolio and position snapshots derived from the above (90+ days of history are retained for performance analytics)
  • Subscription status, plan tier, and renewal period (received from Stripe for web payments and from RevenueCat / Apple for iOS in-app purchases — we never see your card number, Apple ID password, or full receipt)
  • Broker API credentials are only stored for the platform operator's own account at v1.0; ordinary users do not connect a broker, so no broker credentials are stored for them. If we expand broker connectivity to additional users in the future, we will update this Policy first.

3.3 Usage and analytics

  • Last login timestamp and approximate region inferred from IP (used to detect anomalous logins and to power usage-trend charts in your account)
  • Records of AI analyses you have generated. Note that for a small set of widely-tracked tickers (such as SPY, AAPL, NVDA), the analysis content is generated on a shared schedule and served to many users; in those cases, no user identifier is attached to the cached content
  • Feature usage events such as which dashboards you opened, which subscription feeds you clicked, and what filters you applied — used to improve the product
  • Crash reports, including stack traces and the user identifier of the affected session, sent to Sentry (you may opt out — see §9). Crash reports are minimized: we do not capture form values, position quantities, or ticker symbols inside crash payloads

3.4 Cookies, local storage, and device data

  • A NextAuth session cookie (HttpOnly, Secure) is set after you sign in. Auxiliary cookies (state, pkce, nonce, callback-url) are set during the OAuth handshake and removed shortly after
  • Browser local storage holds your language preference (one of zh / en / ru / ja / fr), your light/dark theme, and a flag indicating whether demo mode is enabled
  • For the iOS app: device model, OS version, app version, and the install identifier issued by Apple to the App Store transaction. We do not collect IDFA and do not display advertising

3.5 Information we do not collect

  • We do not collect Social Security numbers, government-issued IDs, biometric data, precise location (GPS), contacts, photos, microphone, or camera input
  • We do not buy advertising profiles from data brokers
  • We do not sell or rent your personal information to anyone

4. How We Use Your Information

We use the information described in §3 only for the following purposes:

  1. Provide the Service — authenticate you, render your portfolio, run analytics and risk computations, store snapshots, and sync data you have authorized
  2. Process payments — verify subscription status with Stripe (web) or RevenueCat / Apple (iOS) and gate paid features accordingly
  3. Improve the product — aggregated usage analytics, A/B testing of new features, performance profiling
  4. Communicate — transactional emails (sign-up confirmation, payment receipts, security alerts). We do not send marketing email without separate, explicit opt-in
  5. Security and abuse prevention — detect anomalous logins, enforce rate limits, investigate suspected fraud or unauthorized access, comply with our acceptable-use policy
  6. Legal compliance — respond to lawful subpoenas, retain records that financial and tax law require us to keep (see §7)

We will not use your information for materially different purposes without notifying you and, where required, obtaining your consent.

5. Legal Bases for Processing (GDPR / UK GDPR)

If you are in the European Economic Area, the United Kingdom, or Switzerland, the legal bases on which we rely are:

  • Performance of a contract (GDPR Art. 6(1)(b)) — to deliver the analytics and tracking features you signed up for
  • Consent (Art. 6(1)(a)) — for optional features such as Sentry crash reporting where consent is required, and for any future marketing communications
  • Legitimate interests (Art. 6(1)(f)) — for product improvement, fraud prevention, and basic security telemetry. We have weighed these interests against your privacy and concluded the processing is proportionate; you may object at any time (see §8)
  • Legal obligation (Art. 6(1)(c)) — to retain records that financial regulations require us to keep (see §7)

We do not engage in solely-automated decisions producing legal or similarly significant effects on you. Our analytics are decision-support tools that you, the user, interpret.

6. How We Share Your Information

We share information only with the following categories of recipients, each strictly limited to what is necessary for the stated purpose. We have written agreements (Data Processing Addenda where applicable) with these vendors.

| Recipient | Purpose | Data shared |
|---|---|---|
| Stripe, Inc. | Web payment processing | Email, plan tier, billing country. Card details are entered directly into Stripe and never reach our servers. |
| RevenueCat, Inc. | iOS subscription state management | RevenueCat-issued app user ID, transaction state metadata. Apple receipts are validated by Apple, not by us. |
| Apple Inc. | iOS in-app purchases, "Sign in with Apple" | Subscription receipts and the sub identifier. Apple's privacy practices apply to this exchange. |
| Google LLC | "Sign in with Google" | Email, name, picture URL, sub identifier (only if you choose Google sign-in). |
| Sentry (Functional Software, Inc.) | Crash and error reporting | Stack trace, runtime metadata, your user ID. EU users may opt out (see §9). |
| Cloudflare, Inc. | DNS, edge protection, transactional email routing for @sharpefolio.io | Standard request metadata required for routing and DDoS protection. |
| Tiger Brokers (Tiger Open API) | Position synchronization for the platform operator's own account only at v1.0 | API key signed by the operator. No ordinary user data is sent to Tiger. |

Public market-data sources we query (Yahoo Finance, FRED, SEC EDGAR, Alpha Vantage, NewsAPI, Polymarket) receive only the ticker symbol or economic series identifier. They do not receive your account, position, or identity.

We may also disclose information when we believe in good faith that disclosure is necessary to comply with a lawful subpoena, court order, or other legal process; to protect the rights, property, or safety of Sharpefolio, our users, or others; or in connection with a corporate transaction (merger, acquisition, financing) — in which case the acquiring party will be bound by terms at least as protective as those in this Policy, and you will be notified.

We do not sell your personal information for monetary consideration. We do not "share" personal information for cross-context behavioral advertising as those terms are defined under the California Consumer Privacy Act ("CCPA") as amended by the CPRA.

7. Data Retention — Important Notice About Financial Records

Different categories of data are retained for different periods.

Active accounts. While your account is active, we retain your personal information and the financial records you have entered or synced for as long as is necessary to operate the Service.

Account deletion. When you request deletion of your account (see §8), we perform a soft-delete: your identity profile is anonymized within seven (7) days, your email is replaced with a non-recoverable random value, your OAuth links are severed, and you can no longer sign in.

Financial transaction records — 7-year retention. Even after you delete your account, the financial transaction records associated with your account (positions, trades, dividends, option lots, daily portfolio snapshots) are retained for seven (7) years from the date of the underlying transaction. They are retained in a de-identified form — disconnected from your name, email, OAuth identifiers, and contact information — but the financial data itself remains.

We retain these records for two reasons:

  1. Industry standard for financial books and records. U.S. financial regulators (FINRA Rule 4511, SEC Rule 17a-4) require investment advisers, broker-dealers, and similar regulated entities to retain books and records for periods that typically range from three to seven years. Although Sharpefolio is not itself a registered broker-dealer or investment adviser today, we follow the seven-year retention standard so that our books and records are admissible if a regulated relationship arises in the future, if a tax or audit dispute requires reconstruction, or if law enforcement requests records under a lawful order.
  2. User-side tax and audit needs. U.S. taxpayers commonly need to reconstruct cost basis and dividend history going back several years. By retaining de-identified records, we are able to assist users who later request reactivation or re-export.

You may request accelerated deletion of your identity information at any time, and we will honor it. You cannot, however, override the seven-year retention of de-identified financial records described above. If this is unacceptable to you, please do not enter sensitive data into the Service.

Other data. Backups are retained for up to 35 days. Server access logs are retained for up to 90 days. Sentry crash reports are retained per Sentry's default of 90 days. Aggregated, non-identifying analytics may be retained indefinitely.

8. Your Rights and Choices

Depending on where you live, you have one or more of the following rights. We honor all of them globally to the maximum extent we reasonably can, regardless of your jurisdiction.

  • Right of access — request a copy of the personal information we hold about you. We provide an account export in JSON and CSV form
  • Right to correction — update your email, name, or any incorrect data through the in-app settings page or by contacting us
  • Right to deletion — request that we delete your account; the soft-delete process is described in §7. Subject to the seven-year retention of de-identified financial records
  • Right to data portability — receive your data in a structured, commonly-used, machine-readable format (we provide JSON and CSV)
  • Right to object to processing — object to processing based on our legitimate interests (§5). We will assess each request individually
  • Right to restrict processing — ask us to pause use of your data while a dispute is resolved
  • Right to withdraw consent — where we rely on consent (e.g., Sentry crash reporting in the EU), withdraw it at any time
  • Right to opt out of "sale" or "sharing" (CCPA/CPRA) — we do not sell or share your personal information; you nonetheless have the right to confirm this
  • Right against discrimination (CCPA/CPRA) — we will not deny you service or charge a different price for exercising any privacy right
  • Right to lodge a complaint — EU/UK users have the right to complain to their national supervisory authority (find yours at https://edpb.europa.eu/about-edpb/about-edpb/members_en or https://ico.org.uk for the UK)
  • Right to designate an authorized agent (CCPA/CPRA) — California residents may designate someone to act on their behalf

To exercise any right, email [email protected] from the email address associated with your account, or use the in-app "Export my data" or "Delete my account" buttons. We will verify your identity before honoring requests that materially affect your account. We respond within 30 days (extendable to 90 days where the request is complex, with prior notice).

If you are a California resident, you may also request the categories of personal information we have collected, used, disclosed, or sold/shared in the past 12 months. Our answer is in §3 and §6 above; we have not sold or shared personal information.

9. Cookies and Local Storage

A summary of every browser-side storage item we use:

  • Authentication cookies — next-auth.session-token (HttpOnly, Secure, SameSite=Lax) and short-lived OAuth handshake cookies (state, pkce, nonce, callback-url), which are SameSite=None to support Apple's form_post redirect flow. Strictly necessary; cannot be disabled
  • Local storage — language preference, light/dark theme, and the demo-mode flag. Strictly functional
  • No advertising cookies, no third-party analytics cookies (e.g., Google Analytics, Facebook Pixel) are set. We use only first-party server-side analytics
  • Sentry telemetry — disabled by default for users whose IP geolocates to the EU/UK; opt-in toggle in Settings → Privacy

If your jurisdiction requires a cookie consent banner (notably the EU ePrivacy Directive), you will see one on first visit. If you continue to use the Service without selecting "Accept", only the strictly-necessary cookies are set.

10. Children's Privacy

The Service is rated 4+ in the App Store for content reasons (no objectionable material), but it is not intended for users under the age of 13 (or under 16 in the EU/UK where the higher age applies). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, contact [email protected] and we will delete it.

11. International Data Transfers

Our servers are located in [USER FILL — e.g., the United States]. If you access the Service from outside that country, your information will be transferred to and processed in that country.

For users in the European Economic Area or the United Kingdom, transfers to the United States are made under the European Commission's Standard Contractual Clauses (2021/914/EU) where required, supplemented by the technical and organizational measures described in §12. You may request a copy of these clauses by contacting us.

For users in mainland China: Sharpefolio is not officially distributed in mainland China and the v1.0 iOS app is not available on the Chinese App Store. If you nevertheless access the web version from mainland China, please be aware that your usage may be subject to local laws (including the Personal Information Protection Law) and to local network conditions which we do not control.

12. Security Measures

We take security seriously. Specifically:

  • Passwords are hashed using bcrypt with a per-user salt; we never store plaintext passwords
  • Transport security — HTTPS is enforced on every connection; HSTS is set
  • At-rest storage — production database is hosted with disk-level encryption; database WAL files are protected by file-system permissions
  • Multi-user isolation — every API route enforces user-scoped queries through a centralized helper (requireUserId). We perform internal audits of cross-user data isolation; the results are tracked under our internal QA program (see qa-multi-user-isolation-audit.md)
  • OAuth flows — PKCE is enforced for all OAuth providers; state and nonce are validated; Sign in with Apple uses native iOS flows where possible
  • Payment security — card data never touches our servers; Stripe and Apple handle PCI-DSS compliance
  • Access controls — production database access is restricted to a small number of authorized engineers via SSH key; secrets are stored in environment variables and never committed to source control
  • Incident response — in the event of a personal data breach affecting EU/UK users, we will notify the relevant supervisory authority within 72 hours where required by GDPR Art. 33; affected users will be notified directly when the breach is likely to result in a high risk to their rights and freedoms

No system can be guaranteed 100% secure. By using the Service, you acknowledge this inherent risk.

13. Changes to This Policy

We may update this Policy from time to time. The "Last Updated" date at the top of this document reflects the most recent revision. For material changes — such as a new category of data collected, a new third-party recipient, or a change in retention period — we will provide at least 30 days' advance notice via email and via an in-app banner before the changes take effect. Continued use of the Service after the effective date of an updated Policy constitutes acceptance of the updated Policy. If you do not agree, you may stop using the Service and request deletion of your account at any time.

14. Contact Us

For privacy questions, requests under §8, or to lodge a complaint:

  • Email: [email protected]
  • Postal address: [USER FILL — required if you have substantial EU or California users]
  • Operating entity: [USER FILL — full legal name]

If we do not respond satisfactorily, EU/UK users have the right to complain to their national data protection supervisory authority. California residents may complain to the California Privacy Protection Agency (https://cppa.ca.gov). Canadian residents may complain to the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca).