← Home

Privacy Policy

Effective date
March 21, 2026
Operator
Athanor
Service
PortfolioCard

This policy is prepared with reference to Japan's Act on the Protection of Personal Information (APPI) and, where applicable, the EU General Data Protection Regulation (GDPR). EU/EEA residents have additional rights described in Section 7.

1. Data we collect

  • Account data: Email address, display name, and profile image URL obtained via Google OAuth at sign-in.
  • User-entered data: Stock tickers, share counts, average cost basis, card titles, and themes you input.
  • Usage logs: IP address, browser type, access timestamps — retained by Vercel's infrastructure.
  • Session data: Authentication cookies managed by Supabase Auth.

2. How we use your data

  • To provide, maintain, and improve the Service
  • To authenticate users and prevent unauthorized access
  • To detect and prevent fraud or abuse
  • To send important notices about the Service or these policies (via registered email)
  • For aggregated, anonymized analytics to understand usage patterns

3. Legal basis for processing (GDPR)

For users in the EU/EEA, we process personal data under the following legal bases:

  • Contract performance — to provide the Service you signed up for
  • Legitimate interests — security, fraud prevention, service improvement
  • Consent — for optional analytics cookies (where applicable)

4. Third-party services

ServiceRolePrivacy policy
SupabaseAuthentication and database hostingsupabase.com/privacy
VercelWeb hosting and edge functionsvercel.com/legal/privacy-policy
FinnhubMarket data API (your portfolio data is never sent to Finnhub)finnhub.io/privacy
Google OAuthSign-in only; we do not access Drive, Gmail, or other Google datapolicies.google.com/privacy

5. Data retention

Your data is stored in Supabase (data centers primarily in the EU and US). We retain your data for as long as your account is active. Upon an account deletion request, we aim to delete your personal data within 30 days, except where retention is required by law.

6. Data security

We implement industry-standard security measures including TLS encryption in transit, row-level security (RLS) in the database, and access controls. No system is perfectly secure; please notify us immediately if you suspect unauthorized access.

7. Your rights

You may request at any time:

  • Access to the personal data we hold about you
  • Correction of inaccurate data
  • Deletion of your account and associated data
  • (GDPR only) Restriction of processing, data portability, or objection to processing
  • (GDPR only) Withdrawal of consent (where processing is consent-based)
  • (GDPR only) Lodge a complaint with your local supervisory authority

To exercise any of these rights, contact us at info@athanor.uk.

8. International transfers

Your data may be processed outside your country of residence (e.g., on Vercel or Supabase infrastructure in the US or EU). Where required by GDPR, transfers are made subject to appropriate safeguards such as Standard Contractual Clauses.

9. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be notified via the Service or by email at least 14 days before taking effect for EU users.

Contact / Data controller

Operator
Athanor