Privacy Policy
Last updated: 2026-04-29
Effective date: 2026-04-29
This Privacy Policy describes how Portifoliqa L.L.C ("Portifoliqa," "we," "us," or "our") collects, uses, shares, and protects information when you use PortfoliQa (the "Service") — our investment-analytics platform available at portfoliqa.com.
If you do not agree with this Policy, please do not use the Service.
1. Who we are
Portifoliqa L.L.C is a limited liability company organized under the laws of the State of Michigan, United States.
- Registered address: 22632 Rotunda Ct, Apt 108, Novi, MI 48375, United States
- Service contact: support@portfoliqa.com
For Brazilian users (LGPD purposes), we have designated a Data Protection Officer (Encarregado pelo Tratamento de Dados Pessoais) reachable at support@portfoliqa.com.
For California users (CCPA/CPRA purposes), our designated privacy contact is the same: support@portfoliqa.com.
2. Scope
This Policy applies to personal information processed by Portifoliqa when you (a) create a PortfoliQa account, (b) use the Service in your browser or via our API, (c) subscribe to a paid plan, or (d) communicate with us by email or other support channels.
It does not apply to third-party services that you may access via links or integrations from the Service. Those third parties have their own privacy policies, and we encourage you to read them.
3. Information we collect
3.1 Information you provide directly
| Category | Examples | When collected |
|---|---|---|
| Account identity | Name, email address, profile picture | When you sign in via Google OAuth |
| Subscription / billing | Plan tier, billing email, payment status (we do not store full card numbers — see §6) | When you subscribe to a paid plan |
| User content | Watchlist tickers, portfolio holdings, preferences (theme, language, etc.), chat questions you submit to the AI assistant | While using the Service |
| Support communications | Email content, attachments, the issue you reported | When you contact support |
3.2 Information collected automatically
| Category | Examples | Purpose |
|---|---|---|
| Technical | IP address, browser type, device type, operating system, language, time zone, referrer URL | Service delivery, security, fraud prevention, analytics |
| Usage | Pages viewed, features used, search queries, ticker symbols viewed, session duration, error events | Product improvement, debugging, analytics |
| Cookies & similar | See COOKIE_POLICY.md | Authentication, preferences, analytics |
3.3 Information from third parties
- Google OAuth. When you sign in with Google, Google sends us your name, email, profile picture, and a Google account identifier. We do not receive your Google password.
- Stripe. We receive payment status, subscription state, and the last 4 digits + brand of your card from Stripe so we can show your billing details. We never receive your full card number.
3.4 Information we do not collect
We do not collect: government-issued IDs, social security numbers, brokerage account credentials, real-time bank balances, or biometric data. PortfoliQa is an analytics tool — it does not connect to your brokerage and does not execute trades.
4. How we use information
| Purpose | Legal basis (LGPD Art. 7) | Legal basis (GDPR analog, where applicable) |
|---|---|---|
| Provide the Service (account, watchlist, portfolio, AI chat) | Execution of contract (Art. 7, V) | Performance of a contract |
| Process payments and manage subscriptions | Execution of contract (Art. 7, V) | Performance of a contract |
| Send transactional emails (sign-in alerts, billing receipts, security notices) | Execution of contract / legitimate interest (Art. 7, V / IX) | Performance of a contract / legitimate interest |
| Send product updates and marketing emails | Consent (Art. 7, I) — opt-in, revocable at any time | Consent |
| Improve the Service, debug, run analytics | Legitimate interest (Art. 7, IX) | Legitimate interest |
| Prevent fraud, abuse, and security incidents | Legitimate interest / legal obligation (Art. 7, IX / II) | Legitimate interest / legal obligation |
| Comply with legal obligations, respond to lawful requests | Legal obligation (Art. 7, II) | Legal obligation |
We do not use your information for automated decision-making with significant legal effects on you. The Service uses AI to generate analytical commentary, but that commentary is informational only and does not result in any automated decision affecting your rights (see DISCLAIMER.md).
5. Cookies and similar technologies
We use cookies and similar technologies for authentication, preferences, and analytics. For details and to manage your choices, see COOKIE_POLICY.md.
For users in the European Economic Area, the United Kingdom, and Brazil, we will request your consent before setting non-essential cookies. You can withdraw consent at any time via the cookie banner or your browser settings.
6. How we share information
We share information only as described below. We do not sell personal information within the meaning of the CCPA/CPRA, and we do not "share" personal information for cross-context behavioral advertising.
6.1 Service providers (data processors / operadores)
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Hosting (Lambda, DynamoDB, S3, API Gateway, SSM) | All Service data | United States (REGION — us-east-1) |
| Google (Google Cloud / Google Sign-In) | Authentication via Google OAuth | Your Google identifier; we receive name/email/picture | Global |
| Google Analytics | Product analytics (only with your consent) | IP (truncated), pseudonymous client ID, page/event data | Global |
| Stripe, Inc. | Payment processing and subscription management | Name, email, billing details, transaction data | Global |
| OpenAI or Groq | Generates AI assistant responses (the active provider depends on configuration) | The text of your chat messages and the financial context we provide for that turn | United States |
| Financial Modeling Prep (FMP), Twelve Data, Polygon.io, CoinGecko, DefiLlama, yfinance | Market data, fundamentals, prices | Ticker symbols you query (no personal data is sent to these providers) | Global |
| Email delivery provider | Transactional & support emails | Your email address, message content | United States (REGION — us-east-1) |
We require all service providers to handle personal information consistent with this Policy and applicable law, and to use appropriate security measures.
6.2 Compliance & safety
We may share information when we believe in good faith that it is necessary to: (a) comply with a law, regulation, subpoena, court order, or other legal process; (b) protect the rights, property, or safety of Portifoliqa, our users, or the public; (c) detect or prevent fraud, security, or technical issues.
6.3 Business transfers
If Portifoliqa is involved in a merger, acquisition, financing, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you (e.g. by email and/or a notice on the Service) of any change in ownership or use.
6.4 With your consent
We may share information with your consent or at your direction.
7. International data transfers
PortfoliQa is hosted in the United States. If you access the Service from outside the United States — including from Brazil, the EU/EEA, or the UK — your information will be transferred to, stored, and processed in the United States and any other country where we or our service providers operate.
For transfers from Brazil, we rely on the international transfer mechanisms permitted under LGPD Art. 33 (including specific contractual safeguards with our processors, and your consent where required).
By using the Service, you understand that your information may be processed in countries whose data protection laws may differ from those of your country of residence.
8. Data retention
We retain personal information only as long as necessary for the purposes described in this Policy or as required by law.
| Category | Retention |
|---|---|
| Account profile (name, email, etc.) | While your account is active; deleted within [30] days after account closure |
| Watchlist, portfolio, preferences | While your account is active; deleted with the account |
| Chat history with the AI assistant | [90] days from the date of the message, then automatically deleted |
| Billing & tax records | As required by US tax law (typically 7 years) |
| Server logs (IPs, request metadata) | [30–90] days |
| Backups | Up to [30] days after the source record is deleted |
When information is no longer needed, we delete it or anonymize it so it can no longer be associated with you.
9. Security
We implement administrative, technical, and organizational measures designed to protect your information, including:
- Encryption in transit (TLS) for all client-server communication
- Encryption at rest for data stored in DynamoDB and S3
- Authentication via Google OAuth (we do not store passwords)
- Least-privilege IAM roles and isolated AWS environments per stage
- Centralized logging with retention limits
- Regular dependency updates and security review of changes
No method of transmission or storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security. If we become aware of a security breach affecting your personal information, we will notify you and the relevant authorities as required by applicable law (LGPD Art. 48, US state breach notification laws).
10. Your rights
10.1 Rights for all users
You may:
- Access the personal information we hold about you
- Correct information that is inaccurate or incomplete
- Delete your account and personal information (subject to legal retention requirements)
- Export a copy of your information in a portable format
- Object to or restrict certain processing
- Withdraw consent for processing based on consent (without affecting prior lawful processing)
- Lodge a complaint with a supervisory authority
To exercise any of these rights, email support@portfoliqa.com from the email address on your account. We will respond within the time required by applicable law (typically 15 days under LGPD; 45 days under CCPA, extendable by 45 days).
10.2 Brazilian users (LGPD)
In addition to the rights above, under the Lei Geral de Proteção de Dados (Lei nº 13.709/2018) you have the right to:
- Confirmation of the existence of processing
- Access to your data
- Correction of incomplete, inaccurate, or outdated data
- Anonymization, blocking, or deletion of unnecessary, excessive, or non-compliant data
- Portability to another service provider
- Deletion of personal data processed with your consent
- Information about public and private entities with which we have shared your data
- Information about the possibility of not providing consent and the consequences of refusal
- Revocation of consent
You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD) at https://www.gov.br/anpd.
Our DPO / Encarregado: support@portfoliqa.com.
10.3 California users (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share
- Access a copy of your personal information
- Correct inaccurate personal information
- Delete personal information we collected from you
- Opt out of "sale" or "sharing" — we do not sell or share personal information for cross-context behavioral advertising, so there is no opt-out link required at this time
- Limit the use of sensitive personal information — we do not use sensitive personal information for purposes beyond those permitted without a right to limit
- Non-discrimination for exercising your rights
We do not knowingly collect personal information from California minors under 16 without parental consent (the Service is for adults — see §11).
To make a request, email support@portfoliqa.com. We may need to verify your identity before responding (e.g. by confirming you can access the email on your account). You may designate an authorized agent to make a request on your behalf.
10.4 Other US states
Residents of other US states with comprehensive privacy laws (including but not limited to Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana) have rights similar to those described in §10.3. Email support@portfoliqa.com to exercise them.
11. Children
The Service is intended for users 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If you believe a child has provided us with personal information, contact support@portfoliqa.com and we will delete it.
12. Third-party links and integrations
The Service may link to third-party websites or display content from third parties (e.g., financial news sources, market-data providers). We are not responsible for the privacy practices of those third parties. Their handling of your information is governed by their own privacy policies.
13. Changes to this Policy
We may update this Policy from time to time. When we do, we will update the "Last updated" date at the top. For material changes, we will provide additional notice (e.g. by email or a prominent notice on the Service) before the changes take effect.
Your continued use of the Service after the effective date of an updated Policy constitutes your acceptance of the updated Policy.
14. Contact us
If you have any questions, complaints, or requests regarding this Privacy Policy or our data practices:
Portifoliqa L.L.C, 22632 Rotunda Ct, Apt 108, Novi, MI 48375, United States
Email: support@portfoliqa.com
For LGPD inquiries, address the message to "DPO / Encarregado".