Privacy Policy

1. Our principles

We collect the minimum information needed to run the Service and we do not sell or rent your personal data. Specifically:

• We do not sell your data.Not to advertisers, not to data brokers, not to “partners.”
• We do not train AI models on your personal data. Your portfolios, queries, and research history are not used to train any model, ours or our providers'.
• We do not share your data with third parties for marketing purposes.
• Brokerage access is read-only. We cannot and do not initiate trades or move money.

2. Information we collect

a. You provide directly

• Email address, name, and password (hashed) on sign-up.
• Waitlist entries (email, optional name and portfolio size).
• Profile preferences: risk tolerance, goals, horizon (optional).
• Research queries (tickers you analyze) and portfolio review requests.

b. Automatically collected

• IP address, browser/user-agent, device type — for security, rate limiting, and abuse prevention.
• Session cookies — to keep you signed in. We do not use third-party tracking or advertising cookies.
• Rate-limit counters keyed by user ID and IP.
• Usage counters (token consumption, estimated spend, query volume) for plan-limit enforcement.

c. From brokerage integrations (if you link)

• Via SnapTrade: account balances, holdings, positions, and transactions.
• We never receive your brokerage login credentials. SnapTrade holds the authorization on your behalf; we store an encrypted user secret that lets us query your data.

d. From AI providers

• We send prompt content (including your queried ticker and the verified public data block) to Anthropic, OpenAI, and Google Cloud for inference. We do not send your email, name, or other identifiers in these prompts.

3. How we use your information

• To operate the Service — authentication, running analyses, syncing holdings, rendering the UI.
• To protect the Service — rate limiting, abuse detection, fraud prevention.
• To enforce usage caps — stopping a user from accidentally running up a large AI bill.
• To maintain a personal track record — every recommendation is stored so we can show you how our past calls played out.
• To contact you about your account, security issues, or material Service changes.
• To comply with law and respond to valid legal process.

4. Sub-processors we rely on

We share information with the following processors solely to run the Service:

• Neon — Postgres database hosting.
• Vercel — web hosting, serverless compute, logs.
• Anthropic — Claude model inference.
• OpenAI — GPT model inference.
• Google Cloud (Vertex AI) — Gemini model inference.
• SnapTrade — brokerage account linking and data.
• Resend — transactional email (verification, password reset).
• SEC, FRED, Yahoo Finance — public data sources. These providers do not receive identifying information from us.

Each processor's own privacy policy governs how they handle data on our behalf.

5. Security

• Encrypted connections (HTTPS) for all traffic.
• Passwords are hashed using industry-standard algorithms (Better Auth default: scrypt).
• Brokerage user secrets are encrypted at rest using AES-256-GCM.
• Rate limiting and authentication on all sensitive endpoints.
• Access to production data is limited to authorized engineering staff.

No system is perfectly secure. In the event of a breach that affects your information, we will notify you as required by applicable law.

6. Retention

• Account data is retained for as long as your account is active.
• Recommendations and outcome history are retained indefinitely (they are the core track-record product). You can request deletion (see §10).
• Logs (server, rate-limit buckets) are retained for no more than 90 days.
• Inactive accounts may be purged after 24 months of inactivity following a notice email.

7. Cookies

We use only essential cookies needed for session management and security. We do not use third-party advertising, analytics, or fingerprinting cookies. By default we respect “Do Not Track” signals.

8. Children

The Service is not directed to individuals under 18. We do not knowingly collect personal information from children. If you believe a minor has provided information, contact us and we will delete it.

9. International users

The Service is hosted in the United States. If you access it from outside the U.S., you consent to the transfer of your information to the U.S. for processing as described in this Policy. We do not currently offer the Service in the European Economic Area or the United Kingdom in a manner targeting residents there.

10. Your rights

You have the right to:

• Access — request a copy of the personal data we hold.
• Correction — ask us to correct inaccurate data.
• Deletion — ask us to delete your account and associated personal data (subject to limited retention for legal or fraud-prevention reasons).
• Export — receive a machine-readable export of your portfolio, history, and preferences.
• Opt-out of marketing — at any time via the unsubscribe link in any email.

Exercise any of these rights by emailing privacy@clearpath-invest.com.

11. California residents (CCPA)

California residents may request (a) the categories and specific pieces of personal information we have collected about them, (b) the categories of sources, (c) the business purposes for collection, and (d) the categories of third parties with whom we share. We do not sell personal information. California residents may also ask us to delete personal information, subject to legal exceptions.

12. Changes

We may update this Policy. If changes are material, we will notify you by email or via the Service. The date at the top reflects the most recent update.

13. Contact

Questions? privacy@clearpath-invest.com. See also our Terms and Disclosures.