Last updated · 2026-05-24

Privacy Policy

This Privacy Policy explains what personal information Apertture collects, how we use it, who we share it with, and the rights you have. We aim to collect only what we need to operate the Service.

1. Who We Are

Apertture is the controller of the personal information collected through the Service. To contact us about privacy: privacy@apertture.com.

2. What We Collect

Account information you give us:

  • Email address and password (stored hashed).
  • Optional display name.
  • Locale and delivery preferences.
  • Jurisdiction (US or EU) you select during onboarding.
  • Optional Telegram chat identifier if you choose Telegram delivery.

Portfolio information you give us:

  • Holdings (tickers, quantities, target weights).
  • Transactions you record (buy/sell dates and prices).
  • Notes and labels you add.

Service information generated as you use Apertture:

  • Briefs and reports we generate for you, and engagement with them (opens, clicks).
  • Agent run logs (which agents ran, latency, cost, success or failure).
  • Security and error logs.

Payment information (when paid plans go live):

  • Handled by our payment processor. We receive a token, the last four digits of your card, your plan, and your subscription status. We do not store full card numbers.

We do not collect special categories of data (race, religion, health, etc.) and ask you not to provide them.

3. How We Use Your Information

We use personal information to:

  • Operate the Service: build your portfolio view, run agents, generate and deliver briefs, deliver model-change notifications.
  • Support you: answer your questions, troubleshoot issues, restore deleted data on request.
  • Secure the Service: detect abuse, prevent fraud, investigate incidents.
  • Improve the Service: aggregate, de-identified analytics about feature use and brief quality.
  • Comply with law: respond to lawful requests from authorities, meet regulatory obligations.
  • Communicate with you: send transactional emails (brief delivery, account events, security notices, material policy changes). We do not send marketing email without your separate consent.

4. Legal Bases (EU / UK Users)

Where the EU or UK GDPR applies, we rely on:

  • Performance of a contract — to deliver the Service you signed up for.
  • Consent — for optional features (e.g. Telegram delivery), withdrawable at any time.
  • Legitimate interests — to keep the Service secure, prevent abuse, and improve quality, balanced against your rights.
  • Legal obligation — where we must process information to comply with law.

5. Subprocessors and Sharing

We do not sell your personal information.

We share personal information with vendors who process it on our behalf to operate the Service, under contracts that restrict their use to the purposes we set:

  • Supabase — database and authentication (United States).
  • Vercel — web hosting (United States, with global edge).
  • Railway — engine hosting (United States).
  • Resend — transactional email delivery (United States).
  • Polygon.io — market data provider (United States).
  • Anthropic — large language model inference for agent outputs (United States).
  • Stripe — payment processing (United States; Ireland for EU customers) — once paid plans are live.

We may disclose information when required by law, court order, or to protect our rights, our users, or the public.

We may share aggregated, de-identified information that cannot reasonably be used to identify you.

6. International Transfers

Our infrastructure is primarily in the United States. If you access the Service from outside the United States, your information may be transferred to and processed in the United States. Where required, we rely on appropriate safeguards (such as the European Commission's Standard Contractual Clauses) for transfers of EU personal data.

7. Data Retention

We keep personal information only as long as we need it:

  • Account information: while your account is active, plus up to 90 days after deletion to handle restorations and disputes.
  • Portfolio information: while your account is active, plus up to 90 days after deletion.
  • Briefs and reports: retained while your account is active. After deletion, we may keep de-identified copies for historical analysis.
  • Security and error logs: up to 30 days.
  • Payment records: as required by tax and accounting law (typically up to 7 years).

8. Your Rights

Subject to applicable law, you have the right to:

  • Access the personal information we hold about you.
  • Correct inaccurate information.
  • Delete your account and personal information.
  • Export your information in a portable format.
  • Object to or restrict certain processing.
  • Withdraw consent at any time, without affecting prior processing.

To exercise any of these rights, email privacy@apertture.com from the email address on your account. We will respond within 30 days.

If you are in the EU or UK, you also have the right to lodge a complaint with your national data protection authority.

9. California Residents

If you are a California resident, the California Consumer Privacy Act gives you the right to:

  • Know what personal information we collect, use, and share.
  • Request deletion of your personal information.
  • Opt out of the sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising.
  • Non-discrimination for exercising your rights.

To exercise these rights, email privacy@apertture.com.

10. Cookies and Tracking

We use only strictly necessary cookies: an authentication session cookie and a locale preference cookie. We do not currently use marketing, advertising, or third-party analytics cookies.

11. Children

The Service is not intended for users under 18. We do not knowingly collect personal information from minors. If you believe we have collected information from a minor, contact privacy@apertture.com and we will delete it.

12. Security

We use encryption in transit (HTTPS) and at rest, strict access controls, and the security capabilities of our infrastructure providers. No system is perfectly secure; we cannot guarantee absolute security but commit to industry-standard practices.

13. Data Breach Notification

If a personal data breach is likely to result in a risk to your rights and freedoms, we will notify you and any relevant authority without undue delay, in line with applicable law (within 72 hours of becoming aware where the GDPR applies).

14. Changes to This Policy

We may update this Policy. We will notify you of material changes by email and through an in-app notice. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.

15. Contact

Questions about this Policy or our handling of your personal information: privacy@apertture.com.
