Privacy Policy

1. Data Minimization

Optionality Ventures LLC ("Optionality," "we," "us") collects and stores only the financial data necessary to provide user-requested portfolio analytics, net worth tracking, and financial insight features. We do not collect or retain data beyond what is required to operate the Service.

2. Information We Collect

We collect the following categories of information:

• Account information: name, email address, and authentication credentials (password hash or Google ID).
• Financial data you provide: income, expenses, assets, liabilities, and other financial information you enter during onboarding or profile updates.
• Brokerage data accessed through authorized integrations: account names, account types, holdings (ticker, quantity, market value), cash balances, and transaction history. This data is accessed read-only through authorized third-party data aggregation providers (e.g., SnapTrade) using secure OAuth or token-based authentication. See Section 5 for details.
• Uploaded files: screenshots, PDFs, and documents you upload for portfolio import. These are processed to extract financial data and are not retained beyond what is necessary for processing.
• Usage data: pages visited, features used, and interaction patterns to improve the Service.

3. How We Use Your Information

We use your information solely to:

• Provide and operate the Service, including portfolio analytics, financial dashboards, projections, and AI-assisted insights.
• Display aggregated portfolio data from linked brokerage accounts.
• Process uploaded documents to extract portfolio holdings.
• Communicate with you about the Service, including security notifications and material changes.
• Improve and develop new features based on anonymized, aggregated usage patterns.

We do not use your financial data for advertising, profiling for third parties, or any purpose unrelated to operating the Service.

4. Data Sharing

We do not sell, rent, or trade your personal or financial data. We may share data with the following categories of service providers, solely to the extent necessary to operate the Service:

• AI service providers: financial data is sent to AI providers to generate insights upon your explicit request. Data is transmitted securely (TLS 1.2+) and is not retained by the provider beyond the duration of the request.
• Brokerage data aggregation providers: we use authorized data aggregation services (e.g., SnapTrade) to access your linked brokerage accounts. These providers operate under their own data protection agreements and do not receive data beyond what is necessary for the connection.
• Infrastructure providers: hosting, database, and operational services necessary to run the platform. All infrastructure providers are bound by data processing agreements.
• Legal requirements: when required by applicable law, regulation, legal process, or enforceable governmental request.

5. Data Security

We implement industry-standard security measures to protect your data:

• Encryption in transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Encryption at rest: sensitive credentials, including brokerage connection tokens and secrets, are encrypted using AES-256-GCM before storage.
• Authentication security: passwords are hashed using BCrypt. Brokerage connections use OAuth-based authentication where supported by the provider.
• Secure token storage: third-party access tokens and secrets are stored in encrypted form and are never exposed in logs, client-side code, or API responses.
• Access controls: production data access is restricted to authorized personnel and systems. Least-privilege principles are applied to all integrations.
• Secure cloud infrastructure: data is hosted on secure cloud infrastructure with industry-standard physical and logical safeguards.
• Session management: sessions are secured with HttpOnly, Secure, and SameSite cookie attributes. HSTS is enforced.

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.

6. Brokerage Data: Access, Sync, and Retention

When you connect a brokerage account, the following applies:

• What data is accessed: account metadata (name, type, institution), holdings (ticker symbols, quantities, market values), cash balances, and recent transaction history. Optionality accesses this data in read-only mode.
• Sync frequency: portfolio data is synchronized on-demand when you request a sync or when triggered by webhook notifications from the data aggregation provider. Optionality does not perform continuous or high-frequency background polling.
• Data retention: financial account data retrieved via authorized integrations is retained only while the user maintains an active account with Optionality and the brokerage connection remains linked. Inactive accounts may have associated financial data removed after a defined period of inactivity.
• Revoking access: you may revoke data access permissions at any time by:
  • Disconnecting linked financial accounts through your account settings in the application.
  • Revoking access directly through your financial institution.
  Once access is revoked, Optionality stops data synchronization and initiates deletion of the stored brokerage data.
• Requesting deletion: you may request deletion of your data at any time by:
  • Disconnecting linked financial accounts.
  • Deleting your Optionality account.
  • Contacting support@optionalityhq.com or privacy@optionalityhq.com.
  Upon verified request, consumer financial data is removed from production systems within a reasonable operational timeframe.

7. API Usage Compliance

Optionality accesses third-party financial data exclusively through authorized APIs provided by regulated data aggregation partners. Specifically:

• Optionality does not scrape brokerage websites, mobile applications, or any other unauthorized interfaces.
• Optionality uses authorized APIs only, in compliance with each provider's terms of service and rate-limit policies.
• Background sync frequency is limited and webhook-driven. Optionality does not perform aggressive or high-frequency polling of brokerage APIs.
• All API credentials and access tokens are stored securely and are never shared, logged in plaintext, or exposed to end users.

8. Data Retention

We retain your data for as long as your account is active. Inactive accounts may have associated financial data removed after a defined period of inactivity. Upon account deletion:

• All personal and financial data is removed from production systems within a reasonable operational timeframe.
• Uploaded files are deleted immediately upon processing or upon account deletion.
• Brokerage connection tokens are revoked and encrypted secrets are destroyed.
• Anonymized, aggregated data that cannot be linked back to you may be retained for service improvement purposes.

You may request deletion of your account and all associated data at any time by disconnecting linked accounts, deleting your account, or contacting privacy@optionalityhq.com.

9. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data.
• Object to or restrict certain processing.
• Data portability (receive your data in a structured, machine-readable format).
• Withdraw consent for data processing at any time.

To exercise these rights, contact us at privacy@optionalityhq.com.

10. Cookies

We use session cookies solely to maintain your login state. We do not use tracking cookies, third-party analytics cookies, or advertising pixels.

11. Changes to This Policy

This policy is periodically reviewed and updated as Optionality's services evolve and as regulatory requirements change. We will notify you of material changes via the Service or email.

12. Contact

For privacy-related questions, contact us at privacy@optionalityhq.com or write to Optionality Ventures LLC, support@optionalityhq.com.