Privacy Notice
1. Who We Are
Risk Harvest (“we,” “us,” “our”) is a research and educational service that publishes systematic portfolio research, backtests, and daily allocation signals. It is not investment advice and does not execute trades or hold your assets. This notice explains what personal data we collect, why, who we share it with, and your rights. It applies to our website, applications, and related services (the “Service”) and is incorporated into our Terms of Use. We are the data controller for the personal data described here.
2. Information We Collect
2.1 Information you provide
- Account data — your email and authentication credentials, handled through our auth provider (Supabase). We don’t store your password; the provider manages it.
- Portfolio settings you save — the holdings, cash balance, strategy selections, weights, and risk preferences you enter and save, so the Service can generate your signals and report. These are general configuration values, not brokerage or account-number data.
- Payment data — if you buy a paid plan, billing details are collected and processed by our payment processor. We don’t store full card numbers.
- Communications — messages you send us and your email-report preferences.
2.2 Information collected automatically
- Technical and usage data — IP address, browser and device type, and server logs, used for security, debugging, and reliability.
- Essential session storage — an auth/session token in your browser so you stay logged in (see §3).
- Product analytics — we use Google Analytics 4 to understand how the Service is used (pages viewed, sign-up and checkout steps reached) so we can improve it. This sets first-party analytics cookies and shares usage data, including a pseudonymous identifier and IP-derived approximate location, with Google as a processor. We use it for our own product analytics only — not advertising — and we don’t sell this data. See §3 for how to opt out.
2.3 What we do not collect
We don’t use advertising networks, marketing/ad pixels, social-login trackers, or cross-site ad targeting, and we don’t collect special-category/sensitive data. Our analytics (§2.2) is for product usage only and isn’t used to advertise to you. Market data shown in the Service (e.g. from our data provider, Tiingo) concerns securities prices, not you, and your personal data is not shared with that provider.
4. How We Use Your Information
We use personal data for the purposes below, on these legal bases (GDPR / UK GDPR):
| Purpose | Legal basis |
|---|---|
| Create and manage your account; provide the Service | Performance of a contract |
| Save your settings and generate signals / reports | Performance of a contract |
| Process payments and prevent payment fraud | Contract; legal obligation |
| Secure, debug, and improve the Service | Legitimate interests |
| Send service and (optional) report emails | Contract; consent where required |
| Comply with law and enforce our Terms | Legal obligation; legitimate interests |
6. International Data Transfers
We and the providers we use may store or process data in countries other than yours, including the United States and the European Union. For cross-border transfers we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses (and the UK Addendum/IDTA), adequacy decisions where available, and data-processing agreements with each provider.
7. Data Retention
We keep data while your account is active and delete or anonymize it within a reasonable period after, keeping it longer only where the law requires:
| Data type | Retention |
|---|---|
| Account & saved settings | While active; deleted within a reasonable period after closure |
| Payment / transaction records | As required by tax and accounting law |
| Server / security logs | A short rolling period for security and debugging |
| Support emails | As needed to handle your request and keep records |
8. Data Security
We apply appropriate technical and organizational measures, including encryption in transit (HTTPS/TLS), access controls and authentication, row-level isolation for per-user settings, and reputable infrastructure providers. Payment data is handled by a PCI-DSS processor; we don’t store full card numbers. No method of transmission or storage is completely secure, and we can’t guarantee absolute security.
9. Your Rights — EU / EEA / UK (GDPR)
If the GDPR or UK GDPR applies to you, you have the rights to:
- access a copy of your personal data;
- rectify inaccurate data and complete incomplete data;
- erasure (“right to be forgotten”);
- restrict or object to processing, including processing based on legitimate interests;
- data portability in a machine-readable format;
- withdraw consent at any time, without affecting prior processing; and
- lodge a complaint with your local supervisory authority.
To exercise these rights, email [email protected]; we respond within the period required by law (generally one month).
10. Your Rights — California (CCPA / CPRA)
If you’re a California resident, you have the rights to:
- know what personal information we collect, use, and disclose;
- delete personal information we hold about you;
- correct inaccurate personal information;
- opt out of the “sale” or “sharing” of personal information; and
- not be discriminated against for exercising your rights.
We do not sell or share your personal information, so there’s nothing to opt out of, but you may exercise your other rights by emailing [email protected]. The categories we collect are identifiers (e.g. email, IP), customer/commercial records (e.g. subscription and saved settings), and internet/usage activity (e.g. logs); purposes and recipients are in §§4–5.
11. Other Jurisdictions
If you’re in a jurisdiction whose law grants you privacy rights, we will honour those rights as required by that law. Email [email protected] to make a request.
12. Children’s Privacy
The Service is intended for users aged 18 and over and is not directed to children. We don’t knowingly collect personal data from children; if we learn we have, we’ll delete it promptly. If you believe a child has provided us personal data, contact [email protected].
13. Changes to this Notice
We may update this notice from time to time. We’ll post the updated version with a new “Last updated” date and, for material changes, take reasonable steps to notify you. Continued use after the effective date means you accept the updated notice.
14. Contact
For any privacy question or to exercise your rights, contact the data controller, Risk Harvest, at [email protected]. EU/EEA and UK users may also complain to their local data-protection supervisory authority.