Privacy Policy
Last updated: March 18, 2026
AstralLedger ("we", "us", "our") respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use the AstralLedger platform ("the Service").
1. Information We Collect
1.1 Information You Provide
| Data Type | Details | Purpose |
|---|---|---|
| Account Information | Name, email address, password | Authentication and account management |
| Profile Data | Display name, avatar URL, preferences | Personalization |
| Brokerage Connection Data | Plaid-linked account identifiers and server-side access tokens needed to retrieve authorized brokerage data | Portfolio data retrieval and account connection management |
1.2 Information We Collect Automatically
| Data Type | Details | Purpose |
|---|---|---|
| Portfolio Data | Holdings, positions, transaction history | Analytics, AI coaching, risk assessment |
| AI Conversations | Coach chat messages and responses | Conversation continuity, service improvement |
| Price Alerts | Symbols, target prices, trigger status | Alert delivery |
| Investment Goals | Goal names, amounts, target dates | Goal tracking features |
| Session Data | Login timestamps, session tokens | Authentication and security |
1.3 Information from Third Parties
- Google OAuth: If you sign in with Google, we receive your name, email, and profile picture from Google. We do not receive your Google password.
- Brokerage APIs: Portfolio data retrieved from your brokerage account via authorized API connections.
2. How We Use Your Information
- Provide the Service: Portfolio analytics, AI coaching, risk metrics, and market intelligence.
- Personalization: Customizing your dashboard and coaching experience.
- Account Management: Authentication, session management, and security.
- Communication: Price alert notifications, account-related emails.
- Service Improvement: Understanding usage patterns to improve features (aggregated, not individual-level).
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), our legal bases for processing your data are:
- Contract Performance: Processing necessary to provide the Service you've signed up for.
- Legitimate Interest: Improving the Service, preventing fraud, ensuring security.
- Consent: Where you've given explicit consent (e.g., accepting Terms of Service).
4. Data Storage & Security
- Your data is stored in Supabase (PostgreSQL) with Row Level Security (RLS) enabled — each user can only access their own data.
- All data is transmitted over HTTPS/TLS encryption.
- Session cookies are HttpOnly and SameSite=Lax to prevent XSS and CSRF attacks.
- Passwords are hashed using Supabase Auth's bcrypt implementation — we never store plaintext passwords.
- Plaid access tokens used for authorized brokerage connections are stored server-side and are not exposed to client-side users.
5. Data Sharing
We share your data only with the following service providers, strictly for operating the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account info, portfolio data, conversations |
| OpenAI | AI coaching engine | Portfolio summaries and chat messages (anonymized) |
| OAuth sign-in | Authentication tokens only |
We do not share your data with advertisers, data brokers, or any parties not listed above.
6. Your Rights
Under GDPR, CCPA, and other applicable laws, you have the following rights:
- Right to Access: Request a copy of all data we hold about you. Available in Profile & Settings → Privacy & Data → Export.
- Right to Rectification: Update or correct your personal information via your Profile page.
- Right to Erasure: Delete your account and all associated data. Available in Profile & Settings → Danger Zone.
- Right to Data Portability: Export your data in machine-readable JSON format.
- Right to Object: Object to processing of your data for specific purposes.
- Right to Restrict Processing: Request limitation of processing in certain circumstances.
- Right to Withdraw Consent: Withdraw previously given consent at any time.
7. Data Retention
- Active accounts: Data is retained as long as your account is active.
- Deleted accounts: All personal data is permanently deleted within 30 days of account deletion, including cascading deletion of all related records (portfolios, conversations, alerts, goals).
- Backups: Database backups that may contain deleted data are purged on a rolling 30-day schedule.
8. Cookies
We use only essential cookies required for the Service to function:
| Cookie | Purpose | Duration |
|---|---|---|
| session | Authentication and session management | 7 days |
We do not use tracking cookies, analytics cookies, or third-party advertising cookies.
9. Children's Privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from a child under 18, we will promptly delete it.
10. International Data Transfers
Your data may be processed in the United States or other jurisdictions where our service providers operate. We ensure appropriate safeguards are in place for international transfers in compliance with GDPR and other applicable laws.
11. California Privacy Rights (CCPA)
If you are a California resident, you have the right to:
- Know what personal information we collect and how it's used.
- Request deletion of your personal information.
- Opt out of the sale of personal information. We do not sell personal information.
- Non-discrimination for exercising your privacy rights.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. The "Last updated" date at the top indicates when this policy was last revised.
13. Contact Us
For privacy-related questions, data requests, or concerns:
- Email: privacy@astralledger.com
- Profile settings: Export or delete your data