Privacy Policy
Last updated: May 2026
This policy describes what Volaren ("we", "us") collects, why, how long we keep it, and the rights you have over your data. If anything below is unclear, contact us at support@volaren.ai.
1. What we collect
Account information. Your name and email address to create and manage your account. Optional: your TOTP secret if you enable two-factor authentication. We store passwords only as bcrypt hashes, and TOTP secrets are encrypted at rest.
Stock analyses and research data. Analyses you run on publicly traded companies (DCF models, memos, comps, valuations), your watchlists, custom thesis notes, price alerts, and any written annotations you save. These are scoped to your account and are not shared with other users.
Portfolio data. Positions you manually add (ticker, shares, cost basis, thesis). If you connect a brokerage account, we also store the positions synced from that account (see "Brokerage connection data" below).
Brokerage connection data. If you connect a brokerage account via our SnapTrade integration, we store a SnapTrade user identifier and an encrypted API secret that allows us to fetch your positions on your behalf. We also store the institution name, account type, balance, and holdings returned by SnapTrade. We never receive, see, or store your brokerage login credentials, passwords, or MFA codes — that authentication happens directly between you and your broker through SnapTrade's OAuth flow.
Payment information. Processed entirely by Stripe. We never see or store card numbers, CVCs, or billing addresses. We receive only a Stripe customer ID and subscription status.
Usage metadata. Counts of analyses run per week (for plan limits), timestamps of authentication events, and IP addresses associated with login attempts (for security). We do not run third-party advertising trackers.
Security audit log. Every authentication event, admin action, and billing change is written to an immutable audit log with actor, IP, and timestamp. This is a core security control; see our Security page.
2. How we use your data
- To provide and improve the Volaren service
- To manage your account and subscription
- To enforce usage limits and fair-use controls
- To communicate with you about your account (e.g., password resets, security notices, access approval)
- To sync and display your brokerage positions, if you have connected an account
- To detect and prevent abuse, fraud, and security incidents
- To meet legal and accounting obligations (billing records, audit retention)
We do not sell, rent, or share your data with third parties for marketing purposes. We do not train AI models on your data.
3. Subprocessors
To deliver the service, we rely on a small number of carefully vetted subprocessors. Each handles a specific, scoped function:
- Railway — application hosting and primary database.
- Vercel — frontend hosting.
- Stripe — all payment processing.
- Twilio SendGrid — transactional email delivery.
- Anthropic — AI model inference. Data sent is covered by their enterprise no-training agreement.
- SnapTrade — brokerage account aggregation (read-only). SnapTrade handles the OAuth flow with your broker; we store only the resulting credentials and position data. SnapTrade is SOC 2 Type II certified.
- Sentry — error tracking (PII scrubbed before transmission).
- UptimeRobot — uptime monitoring (sees only public URLs).
The current list is also available on our Security page.
4. How we protect your data
- TLS 1.3 encryption for all network traffic
- Database volumes encrypted at rest by our infrastructure provider
- Application-level encryption (Fernet) on sensitive fields: MFA secrets, password reset tokens, brokerage API secrets
- Passwords stored as bcrypt hashes with per-password salts
- Logs scrubbed of secrets before reaching our logging provider
- Per-account data isolation: all queries are scoped to your user ID; no data is shared across accounts
- Automatic lockout after repeated failed login attempts; two-factor auth available
- Weekly automated vulnerability scans; annual manual security review
Full control inventory: volaren.ai/security.
5. Data retention
- Account data — kept until you delete your account.
- Stock analyses, portfolio positions, watchlists, alerts, and notes — kept until you delete them, or until your account is closed.
- Brokerage positions — retained as long as your brokerage account is connected. Positions marked as closed (sold) are retained for historical context until you disconnect the account.
- Security audit log — 365 days (may be retained longer where required by law).
- Login attempt history — 30 days.
- Expired password reset tokens — purged within 7 days of expiry.
- Billing records — retained for 7 years as required by US tax law.
6. Your rights
Depending on where you live, you have various rights over your personal data:
- Access — download a structured archive of all the data we hold about you. Self-serve at /stocks/settings.
- Deletion — permanently erase your account and associated data. Self-serve at /stocks/settings.
- Correction — edit profile fields from /stocks/settings. For fields you can't edit directly, email support@volaren.ai.
- Portability — the export format (JSON in a ZIP) is interoperable and machine-readable.
- Brokerage disconnection — you can disconnect your brokerage account at any time from your portfolio or settings page. This removes the stored credentials and position data immediately.
- Objection / restriction — contact support@volaren.ai to restrict specific uses of your data.
- Complaint — you may lodge a complaint with your local supervisory authority (e.g. an EU Data Protection Authority).
We respond to verified requests within 30 days. We may ask you to re-authenticate before taking irreversible actions.
7. International data transfers
Our primary infrastructure is in the United States. If you access Volaren from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses and equivalent mechanisms with our subprocessors where required by law.
8. Children
Volaren is a product for adults. We do not knowingly collect information from anyone under 18. If you believe we have collected information from someone under 18, contact support@volaren.ai and we will delete it.
9. Changes to this policy
We may update this policy to reflect new features, legal requirements, or operational changes. Material changes are announced by email to registered users at least 30 days before they take effect. The "last updated" date at the top of this page always reflects the current version.
10. Contact
Privacy, data, and general inquiries: support@volaren.ai
Security issues: support@volaren.ai (see also our vulnerability disclosure policy)
Data controller: Volaren. For EU/UK residents, written requests may be sent to the contact email above.