RH Risk Harvest← Back to site

Privacy Notice

Last updated: June 21, 2026 · Effective: June 21, 2026

1. Who We Are

Risk Harvest (“we,” “us,” “our”) is a research and educational service that publishes systematic portfolio research, backtests, and daily allocation signals. It is not investment advice and does not execute trades or hold your assets. This notice explains what personal data we collect, why, who we share it with, and your rights. It applies to our website, applications, and related services (the “Service”) and is incorporated into our Terms of Use. We are the data controller for the personal data described here.

2. Information We Collect

2.1 Information you provide

  • Account data — your email and authentication credentials, handled through our auth provider (Supabase). We don’t store your password; the provider manages it.
  • Portfolio settings you save — the holdings, cash balance, strategy selections, weights, and risk preferences you enter and save, so the Service can generate your signals and report. These are general configuration values, not brokerage or account-number data.
  • Payment data — if you buy a paid plan, billing details are collected and processed by our payment processor. We don’t store full card numbers.
  • Communications — messages you send us and your email-report preferences.

2.2 Information collected automatically

  • Technical and usage data — IP address, browser and device type, and server logs, used for security, debugging, and reliability.
  • Essential session storage — an auth/session token in your browser so you stay logged in (see §3).
  • Product analytics — we use Google Analytics 4 to understand how the Service is used (pages viewed, sign-up and checkout steps reached) so we can improve it. This sets first-party analytics cookies and shares usage data, including a pseudonymous identifier and IP-derived approximate location, with Google as a processor. We use it for our own product analytics only — not advertising — and we don’t sell this data. See §3 for how to opt out.

2.3 What we do not collect

We don’t use advertising networks, marketing/ad pixels, social-login trackers, or cross-site ad targeting, and we don’t collect special-category/sensitive data. Our analytics (§2.2) is for product usage only and isn’t used to advertise to you. Market data shown in the Service (e.g. from our data provider, Tiingo) concerns securities prices, not you, and your personal data is not shared with that provider.

3. Cookies and Local Storage

We use strictly necessary cookies and browser local/session storage to authenticate you, keep you signed in, and maintain security. We also use first-party Google Analytics 4 cookies for product analytics, as described in §2.2 — these measure usage, not advertising. You can opt out at any time by using a browser or extension that blocks Google Analytics, or your browser’s “do not track”/cookie controls; the Service remains fully functional without them. We don’t set advertising or marketing cookies.

4. How We Use Your Information

We use personal data for the purposes below, on these legal bases (GDPR / UK GDPR):

PurposeLegal basis
Create and manage your account; provide the ServicePerformance of a contract
Save your settings and generate signals / reportsPerformance of a contract
Process payments and prevent payment fraudContract; legal obligation
Secure, debug, and improve the ServiceLegitimate interests
Send service and (optional) report emailsContract; consent where required
Comply with law and enforce our TermsLegal obligation; legitimate interests

5. How We Share Your Information

We share personal data only with service providers acting on our instructions under data-processing agreements:

  • Authentication & database — Supabase (account auth and storage of your saved settings).
  • Email delivery — our email provider, to send service and report emails.
  • Payments — our payment processor, for paid plans.
  • Product analytics — Google (Google Analytics 4), which processes pseudonymous usage data to help us measure and improve the Service.
  • Hosting & infrastructure — our hosting provider, which processes server logs.

We may also disclose information where required by law or a lawful regulator request, or in connection with a merger, acquisition, or sale of assets (with notice where required).

WE DO NOT SELL YOUR PERSONAL INFORMATION, AND WE DO NOT “SHARE” IT FOR CROSS-CONTEXT BEHAVIORAL ADVERTISING, AS THOSE TERMS ARE DEFINED UNDER THE CCPA/CPRA. WE HAVE NOT SOLD OR SHARED PERSONAL INFORMATION IN THE PRECEDING 12 MONTHS.

6. International Data Transfers

We and the providers we use may store or process data in countries other than yours, including the United States and the European Union. For cross-border transfers we rely on appropriate safeguards — such as the European Commission’s Standard Contractual Clauses (and the UK Addendum/IDTA), adequacy decisions where available, and data-processing agreements with each provider.

7. Data Retention

We keep data while your account is active and delete or anonymize it within a reasonable period after, keeping it longer only where the law requires:

Data typeRetention
Account & saved settingsWhile active; deleted within a reasonable period after closure
Payment / transaction recordsAs required by tax and accounting law
Server / security logsA short rolling period for security and debugging
Support emailsAs needed to handle your request and keep records

8. Data Security

We apply appropriate technical and organizational measures, including encryption in transit (HTTPS/TLS), access controls and authentication, row-level isolation for per-user settings, and reputable infrastructure providers. Payment data is handled by a PCI-DSS processor; we don’t store full card numbers. No method of transmission or storage is completely secure, and we can’t guarantee absolute security.

9. Your Rights — EU / EEA / UK (GDPR)

If the GDPR or UK GDPR applies to you, you have the rights to:

  • access a copy of your personal data;
  • rectify inaccurate data and complete incomplete data;
  • erasure (“right to be forgotten”);
  • restrict or object to processing, including processing based on legitimate interests;
  • data portability in a machine-readable format;
  • withdraw consent at any time, without affecting prior processing; and
  • lodge a complaint with your local supervisory authority.

To exercise these rights, email [email protected]; we respond within the period required by law (generally one month).

10. Your Rights — California (CCPA / CPRA)

If you’re a California resident, you have the rights to:

  • know what personal information we collect, use, and disclose;
  • delete personal information we hold about you;
  • correct inaccurate personal information;
  • opt out of the “sale” or “sharing” of personal information; and
  • not be discriminated against for exercising your rights.

We do not sell or share your personal information, so there’s nothing to opt out of, but you may exercise your other rights by emailing [email protected]. The categories we collect are identifiers (e.g. email, IP), customer/commercial records (e.g. subscription and saved settings), and internet/usage activity (e.g. logs); purposes and recipients are in §§4–5.

11. Other Jurisdictions

If you’re in a jurisdiction whose law grants you privacy rights, we will honour those rights as required by that law. Email [email protected] to make a request.

12. Children’s Privacy

The Service is intended for users aged 18 and over and is not directed to children. We don’t knowingly collect personal data from children; if we learn we have, we’ll delete it promptly. If you believe a child has provided us personal data, contact [email protected].

13. Changes to this Notice

We may update this notice from time to time. We’ll post the updated version with a new “Last updated” date and, for material changes, take reasonable steps to notify you. Continued use after the effective date means you accept the updated notice.

14. Contact

For any privacy question or to exercise your rights, contact the data controller, Risk Harvest, at [email protected]. EU/EEA and UK users may also complain to their local data-protection supervisory authority.

Build a portfolio that you can hold for decades.

Start your portfolioReview the track record
RHRisk Harvest

Systematic portfolio research and daily allocation signals. Built to last and quietly compounding.

Product
Track recordHow it worksPricingThe desk
Company
Log inEmail the deskTerms of usePrivacy
Important disclaimerNot financial advice. Risk Harvest provides systematic portfolio research and signals for informational and educational purposes only. It is not a registered investment adviser, broker-dealer, or fiduciary, and nothing here is a recommendation to buy or sell any security. Backtested and historical performance is hypothetical, does not represent actual trading, and is not indicative of future results. Investing involves risk, including the possible loss of principal.
© 2026 Risk Harvest. All rights reserved.