Draft notice. This document describes our actual data practices in plain English. It is not yet a legal-counsel-reviewed policy. If you are operating from the EU/UK and need a formally compliant GDPR statement, please contact us before relying on this document for compliance purposes.
What we collect
DeepVane collects only what is necessary to operate the product:
Email address — used for authentication, account recovery, and alert delivery. We never share or sell it.
Authentication session — a cryptographic token stored as a cookie by our auth provider (Supabase). Used solely to keep you signed in.
Product state — your watchlist, alert rules, virtual portfolio entries, and onboarding progress. Tied to your account and visible only to you.
Server logs — request URLs, IP addresses, response codes, retained 30 days for security monitoring and abuse prevention.
We do not collect demographic data, browsing history outside DeepVane, location beyond IP-derived country, or behavioural advertising profiles.
What we do not collect
Real names (we never ask for one).
Phone numbers, postal addresses, or government identifiers.
Payment data — no Pro tier yet, no card-on-file. When billing launches it will be processed by Stripe; we will never store full card numbers ourselves.
Third-party advertising trackers, pixels, or fingerprinting scripts.
Cookies and local storage
Three categories of state are saved on your device:
Auth cookie (essential) — signed token from Supabase that proves you are logged in. Cleared when you sign out.
Session cache (functional) — temporarily holds API responses (e.g. fund holdings) so we don't re-fetch on every page navigation. Cleared when you close the tab.
We do not use third-party advertising or cross-site tracking cookies. Because all the cookies we set are essential or functional under the ePrivacy framework, we display a single-line consent banner on first visit but do not gate the site behind a granular consent dialog.
Where data is stored
Account data and product state live in a Supabase Postgres database hosted in the EU region (Frankfurt). Compute runs on Vercel (serverless functions, edge cache). Outbound emails route through Brevo (formerly Sendinblue, EU-based). Each of these processors has its own published privacy policy.
Who else sees it
Personal data is shared only with subprocessors strictly required to operate the service:
Anthropic — when you trigger an AI explanation, the relevant ticker context is sent to Anthropic's API. We do not include your email address or any personally identifying data in those requests.
We do not sell user data, share it with advertisers, or hand it to data brokers. We may disclose data if compelled by a valid legal order — in such cases we will challenge overbroad requests and notify affected users where lawfully possible.
Your rights
Wherever you are, you can:
Request a copy of the data we hold for your account.
Correct or delete that data — for most fields you can do this from inside the product (watchlist, alerts, virtual trades). For full account deletion, email support@deepvane.com.
Lodge a complaint with your local data-protection authority. EU/UK users can contact their respective DPA without going through us first.
We aim to respond to all rights requests within 14 days.
Data retention
Active account data is kept until you delete your account. Server logs are retained 30 days. Email send-history (in Brevo) is retained 12 months for deliverability monitoring. Backups roll on a 30-day window — meaning a deletion request takes effect immediately in the live database and within 30 days in backup snapshots.
Children
DeepVane is not directed at users under 16. We do not knowingly collect data from children. If you believe a minor has registered for an account, email support@deepvane.com and we will delete the account.
Changes to this policy
When this policy changes materially we will email registered accounts and update the “last updated” date at the top of the page. Minor wording or clarifying edits ship without notice.