Privacy Policy
Short version: We collect only what we need to run the Service — your account info, your saved data (portfolio, watchlists, alerts), and basic usage logs. We do not sell your data. We do not show you ads. We do not share your information with third parties except as described below. You can export or delete your data at any time.
1. Information We Collect
1.1 Information you provide
| Data | When collected | Why |
|---|---|---|
| Username, email, password hash | On registration | Account authentication and communication |
| Display name, bio, avatar color | Profile settings | Public profile display |
| Portfolio holdings | When you add positions | Portfolio tracking and analytics |
| Watchlists & price alerts | When you create them | Personalization and notifications |
| Practice trades | Practice trading actions | Practice trading simulation |
| Community chat messages | When you post in the community chat room | Showing your messages to other signed-in users |
1.2 Information collected automatically
| Data | Why |
|---|---|
| IP address | Rate limiting, abuse prevention, security logging |
| Page views & API calls | Aggregate analytics — which features are used. Not linked to individual users. |
| Authentication events | Security audit log (login, logout, password changes, failed attempts) |
| Error reports | If Sentry is enabled: unhandled errors with stack trace and user ID (no email). See §6. |
1.3 Information we do NOT collect
- Real financial account numbers or brokerage credentials
- Payment or credit card information (Aperifi is free)
- Device fingerprinting beyond what's strictly necessary
- Your browsing history outside of Aperifi
- Precise geolocation
2. How We Use Your Information
We use the information we collect to:
- Authenticate you and secure your account
- Deliver the Service features — portfolio tracking, watchlists, alerts, practice trading
- Send transactional emails: email verification, password reset. We do not send marketing emails unless you explicitly opt in.
- Detect and prevent fraud, abuse, and security threats
- Improve the Service through aggregate usage analytics
- Comply with legal obligations
We do not use your data to build advertising profiles or target you with ads. Aperifi contains no advertising.
3. Data Storage
All user data is stored in a SQLite database on the production server (hosted on Railway). The database lives on a persistent encrypted volume managed by the host platform, which also handles periodic backups.
Servers are located in the United States. We do not replicate or transfer your data to other regions.
4. Sharing Your Information
We do not sell, trade, or rent your personal information. We may share information in these limited circumstances:
- With your consent — if you explicitly ask us to share something
- Legal compliance — if required by law, subpoena, or valid legal process
- Safety — to protect the rights, property, or safety of Aperifi, our users, or the public
- Service providers — limited third-party tools that help run the Service (see §6), under data processing agreements
5. Cookies and Local Storage
Aperifi uses browser localStorage (not traditional cookies) to store:
- Your authentication token (session token) — required to stay signed in
- Your cached user ID — avoids a round-trip on page load
- UI preferences (theme, layout settings) — improves your experience
- Onboarding state — remembers which steps you've completed
We do not use third-party tracking cookies or advertising cookies. The only cookies that may be set are session-related first-party items.
6. Third-Party Services
| Service | Purpose | Data shared |
|---|---|---|
| Yahoo Finance / market data providers | Real-time and historical market data | None — requests are server-side only, no user data is sent |
| Google Fonts | Typography (Inter, DM Mono) | Your IP address is sent to Google's CDN on page load |
| LightweightCharts (unpkg) | Interactive price-chart library on the Charting page | Your IP address is sent to the unpkg CDN on page load |
| Sentry (optional) | Error monitoring — only enabled if a DSN is configured | Error stack traces + your numeric user ID (no email). See Sentry's privacy policy. |
| Anthropic (Claude) (optional) | Powers "Ask Aperifi" chat and the open-ended AI Screener — only enabled if an API key is configured | Your chat messages are sent to Anthropic. Please don't share sensitive personal information in the AI chat. |
| SMTP provider | Transactional email (email verification, password reset) | Your email address, sent only when you request it |
7. Security
We implement reasonable technical and organizational measures to protect your data:
- Passwords are hashed with PBKDF2-HMAC-SHA256, 310,000 iterations, and a unique random 32-byte salt per user — never stored in plaintext
- Session tokens are 256-bit cryptographically random values with server-side expiry
- Password-reset and email-verification tokens are stored only as SHA-256 hashes
- Login attempts are rate-limited per IP and per username to throttle brute-force attacks
- All production traffic is encrypted in transit via HTTPS (TLS), enforced by HSTS
- Standard browser security headers are set on every response (CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- Every database query is parameterized — SQL injection is not exploitable
No method of transmission over the internet is 100% secure. We cannot guarantee absolute security, but we take it seriously.
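The password, session-token and reset-token handling listed above can be sketched as follows. This is an added example, not Aperifi's own code: the function names, the in-memory session store and the one-hour session lifetime are assumptions, while the PBKDF2 iteration count, salt size, token size and SHA-256 token hashing come from the list.

```python
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 310_000   # iteration count stated in the policy
SALT_BYTES = 32               # per-user salt size stated in the policy
SESSION_TTL_SECONDS = 3600    # assumed lifetime; the policy gives no figure
_sessions = {}                # assumed in-memory store: token -> (user_id, expires_at)

def hash_password(password):
    """Return (salt, derived_key) for storage; the plaintext is never kept."""
    salt = secrets.token_bytes(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, key

def verify_password(password, salt, stored_key):
    """Re-derive with the stored salt and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(key, stored_key)

def create_session(user_id, now=None):
    """Issue a 256-bit random token and record its server-side expiry."""
    now = time.time() if now is None else now
    token = secrets.token_hex(32)  # 32 random bytes = 256 bits
    _sessions[token] = (user_id, now + SESSION_TTL_SECONDS)
    return token

def lookup_session(token, now=None):
    """Return the user id, or None if the token is unknown or expired."""
    now = time.time() if now is None else now
    entry = _sessions.get(token)
    if entry is None or now >= entry[1]:
        _sessions.pop(token, None)  # expired tokens are purged on sight
        return None
    return entry[0]

def issue_reset_token():
    """Return (token_to_email, sha256_hex_to_store); only the hash is persisted."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode("utf-8")).hexdigest()

def check_reset_token(presented, stored_hash):
    """Hash the presented token and compare it with the stored digest."""
    digest = hashlib.sha256(presented.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hash)
```

Because only the SHA-256 digest of a reset token is stored, a copy of the database does not yield a usable reset link; the token itself exists only in the email sent to the user.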
8. Data Retention
We retain your data for as long as your account is active. Specific retention periods:
- Account data — retained until you delete your account
- Security logs (auth events, IP logs) — retained for 90 days
- Database backups — daily backups kept for 7 days, weekly for 5 weeks, monthly for 3 months
- Deleted account data — permanently purged within 30 days of account deletion (backup retention may cause data to persist in backups up to 3 months)
9. Your Rights
You have the right to:
- Access — export all your data at any time via Account Settings → Export Data
- Correct — update your profile information in Account Settings
- Delete — delete your account (and all associated data) in Account Settings → Delete Account
- Portability — your export includes all data in a machine-readable JSON format
- Object — contact us if you have concerns about how your data is processed
Depending on your location, you may have additional rights under GDPR, CCPA, or other applicable law. Contact us to exercise these rights.
10. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where appropriate, by email. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.
12. Contact
If you have questions about this Privacy Policy, your data, or how to exercise your rights, please contact us through the Service. You can also reach the account owner through the admin contact listed in Account Settings.