Privacy Policy

Effective date: May 2, 2026 • Last updated: May 2, 2026

Short version: We collect your email, your usage patterns, and the portfolio data you choose to enter. We use it to run the service and personalise your AI assistant. We don't sell your data. You can request deletion at any time.

This Privacy Policy describes how Okulez ("we," "us," or "our") collects, uses, and shares information about you when you use the Okulez platform and services. By using our Service, you agree to the collection and use of information in accordance with this policy.

1. Information We Collect

1.1 Information you provide directly

Data	Why we collect it
Email address	Account creation, login, transactional emails (billing, password reset, signals)
Password	Stored as a bcrypt hash — we cannot read your password
Portfolio positions	Personalises your AI chat and morning briefing
Income sector and risk profile	AI personalisation (Pillar 1 of the Okulez model)
Lifestyle expense data (Shield tier)	Generates your inflation hedge basket — stored only if you enter it
Contact messages	Support — forwarded to our admin inbox and not stored long-term

1.2 Information collected automatically

Data	Why we collect it
IP address	Security audit log, rate limiting, fraud prevention
Device/browser hint	Active session display on your Account page
AI chat messages and responses	Multi-turn memory (last 6 exchanges), cost tracking
AI token usage and cost	Per-user daily cost cap enforcement and billing oversight
Last seen timestamp	Account page display; inactivity monitoring

1.3 Cookies

We use a single HttpOnly session cookie to keep you logged in. This cookie contains a signed JWT with your user ID and tier. We do not use advertising cookies, tracking pixels, or third-party analytics scripts.

2. How We Use Your Information

Service delivery — powering signals, AI chat, portfolio tracking, and morning briefings
AI personalisation — your income sector, risk profile, and portfolio context are assembled into the AI's context on each request, then discarded from memory. We do not use your data to train AI models.
Transactional emails — billing receipts, trial expiry warnings, password reset, and new signal notifications
Security — detecting and preventing unauthorised access, abuse, and fraud
Legal compliance — where required by applicable law

We do not use your data for advertising. We do not build behavioural profiles for sale or exchange.

3. Third Parties We Share Data With

Third party	Purpose	Data shared
Stripe	Payment processing	Email address, subscription tier. Stripe processes payment card data directly — we never see your card number.
SMTP provider (configured separately)	Transactional email delivery	Your email address and the content of transactional emails.
Anthropic	AI chat (Claude API)	Your assembled context block (portfolio summary, macro data) and your chat messages. Subject to Anthropic's Privacy Policy. Anthropic's API data is not used for training by default under their commercial terms.

We do not sell, rent, or trade your personal data to any other third party.

4. Data Retention

Data type	Retention
Account and subscription data	Retained while your account is active; deleted within 90 days of a verified deletion request
AI conversation history	Rolling 6-turn window used for multi-turn memory; full history retained for up to 12 months then purged
Security audit log	12 months
Portfolio and trade data	Retained while your account is active; deleted on account deletion
Cost tracking records	13 months (for billing dispute resolution)

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you
Correction — update inaccurate data via your Account page, or by contacting us
Deletion — request deletion of your account and associated data
Portability — request an export of your portfolio and trade data in machine-readable format
Opt-out of non-essential communications — use the unsubscribe link in any email, or update preferences on your Account page

To exercise any of these rights, email [email protected]. We will respond within 30 days.

6. Security

We implement the following security measures:

Passwords stored as bcrypt hashes (cost factor 12) — plaintext passwords are never stored or transmitted
All cookies are HttpOnly and SameSite=Strict, preventing JavaScript access and CSRF
Authentication tokens are short-lived JWTs signed with a secret key
All production traffic is served over HTTPS
Security events are logged to an append-only audit log

No security measure is perfect. If you discover a security vulnerability, please report it responsibly to [email protected].

7. Children's Privacy

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected data from a minor, we will delete it promptly.

8. International Users

The Service is operated from servers that may be located outside your country of residence. By using the Service, you consent to the transfer and processing of your data in those locations. If you are located in the European Economic Area, United Kingdom, or Switzerland, we process your data on the legal basis of contractual necessity and, where applicable, your consent.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you by email at least 14 days before material changes take effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy.

10. Contact

For privacy questions or to exercise your rights:

Email: [email protected]
Subject line: "Privacy Request — [your request type]"