Privacy Policy
Last updated: 2026-06-06 · Effective date: 2026-06-06
This Privacy Policy explains how [Operator Entity](“we”, “us”, “our”) collects, uses, shares, and protects personal information when you use Legendary Investor (the “Service”). By using the Service, you agree to this Policy.
1. Information We Collect
We collect the following categories of personal information:
- Account data — email, name, username, avatar, and authentication identifier (e.g. Google OAuth sub) when you create an account.
- Profile & preferences — risk tolerance, goals, onboarding answers.
- Portfolio & watchlist — the tickers, share counts, and cost basis you choose to record.
- Usage activity — the tickers you research, queries you send to the AI, pages you visit, and features you use. This includes the
user_searcheslog that powers personalized AI responses. - Device & technical data — IP address, browser type, operating system, locale, and approximate location derived from IP, plus cookies and similar identifiers (see Section 6).
- Communications — messages you send us via email or in-product channels.
We do not knowingly collect special categories of personal data (e.g. health, biometric data) or financial account credentials.
2. How We Use Information
We use personal information to:
- provide the Service, including AI-generated commentary personalized to your holdings, watchlist, and recent searches;
- authenticate you and secure your account;
- operate, maintain, and improve features and infrastructure;
- monitor for abuse, fraud, and security threats;
- comply with legal obligations;
- communicate service-related notices and, where you opt in, product updates.
3. Legal Bases for Processing (EEA/UK)
If you are in the European Economic Area, the United Kingdom, or Switzerland, our legal bases under GDPR Art. 6 are:
- Contract — to provide the Service you request.
- Legitimate interests — to secure, improve, and analyze the Service in a way that does not override your rights.
- Consent — for non-essential cookies, marketing emails, and AI personalization where required.
- Legal obligation — to comply with applicable law.
4. AI Processing
When you interact with AI features, the prompt (and limited user context such as your first name and current holdings) is sent to one or more large language model providers (e.g. Anthropic, OpenAI via OpenRouter, Google). We instruct these providers not to use your inputs to train their general models where the provider supports such a flag, but we cannot guarantee provider behavior. Do not paste sensitive personal data, secrets, or non-public material information into AI inputs.
5. How We Share Information
We share personal data only with:
- Sub-processors who help us run the Service:Supabase (database, authentication, storage),Vercel (hosting, analytics, web vitals),Pinecone (vector search for retrieval-augmented features),OpenRouter / Anthropic / OpenAI / Google (AI model inference), and market-data providers (e.g. Finnhub, Alpha Vantage, Stooq, Yahoo).
- Identity providers — Google when you sign in with Google.
- Authorities — when required by law, regulation, valid legal process, or to protect rights, property, or safety.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to you where required.
We do not sell your personal information for money, and we do not knowingly “share” it for cross-context behavioral advertising within the meaning of the California Consumer Privacy Act (CCPA/CPRA).
6. Cookies & Similar Technologies
We use first-party cookies for authentication, session management, and preference storage, and limited third-party analytics (Vercel Analytics, Vercel Speed Insights) to understand traffic and performance. We do not use third-party advertising cookies. Where required by law, we request your consent for non-essential cookies via an in-product banner.
7. Data Retention
We retain personal data only as long as needed for the purposes described above, to comply with legal obligations, and to resolve disputes. Account data is retained while your account is active and deleted (or anonymized) within 90 days of account closure, except where retention is required by law. Server logs are typically retained for up to 90 days.
8. Security
We implement administrative, technical, and organizational measures designed to protect personal data, including TLS in transit, row-level security at the database, encrypted credentials, and least-privilege access controls. No method of transmission or storage is 100% secure; you use the Service at your own risk.
9. Your Rights
Depending on where you live, you may have the right to:
- access, correct, or delete your personal data;
- obtain a portable copy;
- restrict or object to certain processing;
- withdraw consent;
- opt out of the sale or sharing of personal information (CCPA/CPRA — we already do not sell);
- lodge a complaint with your local data-protection authority.
To exercise these rights, emailgovindw007@gmail.com from the email tied to your account. We will respond within the period required by applicable law. We will not discriminate against you for exercising your rights.
10. International Transfers
The Service is operated globally, and your personal data may be transferred to and processed in countries other than your country of residence. Where we transfer personal data out of the EEA, UK, or Switzerland, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses and the UK International Data Transfer Addendum.
11. Children
The Service is not directed to, and we do not knowingly collect personal data from, individuals under 18. If you believe a minor has provided personal data, contact us and we will delete it.
12. Changes
We may update this Policy from time to time. Material changes will be flagged by updating the “Last updated” date and, where appropriate, by email or in-product notice.
13. Contact
Privacy questions, requests, or complaints:govindw007@gmail.com. See also our Terms of Service and Legal & Risk Disclosures.