Table of Contents
1. Overview
PortfolioShield ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what data we collect, how we use it, and the choices you have. It applies to your use of PortfolioShield at all of our web properties.
By creating an account you agree to the collection and processing of your data as described in this Policy. If you do not agree, please do not use the Service.
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, profile photo | Google OAuth at sign-in |
| Portfolio data | Positions, orders, account balances, P&L | Broker API (IBKR, Tastytrade) |
| Profile preferences | Experience level, income target, risk profile | Onboarding wizard |
| Usage data | Pages visited, features used, session duration | Automatically collected |
| Device data | Browser type, OS, IP address, device fingerprint | Automatically collected |
| Consent records | Which consents you gave and when | Consent flow at registration |
We do not collect Social Security numbers, bank account numbers, or payment card details. Payment processing is handled by our payment processor (Stripe) under their own privacy policy.
3. How We Use Data
We use your data to:
- Provide the Service — Calculate Greeks, health scores, generate signals and recommendations
- Personalize your experience — Apply your risk profile, income targets, and preferences to analytics
- Security — Detect suspicious login activity, enforce session limits, prevent fraud
- Communications — Send account notifications, alerts, and (with your consent) marketing emails
- Improve the Service — Analyze aggregated usage patterns to improve features and performance
- Legal compliance — Maintain consent records and honor data rights requests
We do not use your financial data to make autonomous trading decisions on your behalf, nor do we share individual portfolio data with advertisers.
4. Data Sharing
We do not sell your individual personal data. We never link your name, email address, or individual trading account to any data set shared externally.
We may license or sell anonymized, aggregated statistical abstractions derived from platform-wide behavioral data to research institutions, financial data providers, and quantitative research firms. These abstractions are produced under strict anonymization standards: k-anonymity ≥ 5 users, one-way hashing of user identifiers, and value bucketing of sensitive metrics. No individual user can be identified or reconstructed from these outputs.
We may share data with:
- Service providers — Cloud hosting, email delivery, payment processing — bound by data processing agreements
- Research & data partners — Anonymized, aggregated behavioral abstractions only. No individual data, account data, or portfolio positions are ever included.
- Broker APIs — We transmit data to Interactive Brokers and Tastytrade only as required to fetch your portfolio and execute your trade instructions
- Legal authorities — When required by law, court order, or to protect the rights and safety of PortfolioShield and its users
- Business transfers — In the event of a merger or acquisition, under equivalent privacy protections with advance notice to you
You may opt out of the anonymized data sharing pipeline at any time. See Section 11 — Your Privacy Choices.
5. Broker & Financial Data
When you connect a brokerage account, PortfolioShield receives read-only access to your portfolio data via OAuth tokens or API keys. We do not store your broker username or password.
Financial data (positions, balances, orders) is:
- Stored encrypted in our database
- Used exclusively to power the analytics and recommendations visible to you
- Never shared with third parties for commercial purposes
- Deleted within 30 days of account closure (subject to legal retention requirements)
You can revoke broker access at any time from your broker's OAuth settings. Revoking access will prevent PortfolioShield from fetching updated data but will not delete historical data already stored.
6. Behavioral & Analytics Data
PortfolioShield captures detailed behavioral events for every action you take within the platform. This data is essential to delivering personalized signals, cognitive bias detection, and inaction alerts. Below is a complete disclosure of what is captured.
Navigation & Feature Usage
- Which pages you visit and how long you spend on each
- Which scanner filters you apply and in what combination
- Which modules you open most frequently (Hedge Manager, Trade Advisor, Market Analyzer, etc.)
- Which trade signals you expand, dismiss, or act on
Decision Timing & Inaction Patterns
- Response latency — Time elapsed between a signal appearing and your first action (or inaction), measured to the second
- Inaction detection — Alerts or signals generated with no corresponding trade within a configurable window
- Delay patterns — Systematic delays in acting on specific signal types (e.g., consistently ignoring roll signals during high-IV periods)
Cognitive Bias Patterns — 23 bias types monitored
- Loss aversion, sunk-cost fallacy, overconfidence, recency bias, anchoring, confirmation bias, disposition effect, endowment effect, herding, FOMO, framing effects, planning fallacy, availability heuristic, status quo bias, illusion of control, gambler's fallacy, representativeness heuristic, mental accounting, outcome bias, hindsight bias, authority bias, in-group bias, and selective attention
Market Context — Automatically attached to every behavioral event
- VIX level and volatility regime at the time of each action
- GEX regime (positive or negative gamma environment)
- Portfolio Greeks snapshot at the moment of decision
Legal basis (GDPR): Art. 6(1)(b) — contract performance for signal personalization; Art. 6(1)(f) — legitimate interest in platform improvement and behavioral research. Per Recital 26, once data is properly anonymized it falls outside GDPR scope.
Behavioral data on our servers is stored linked to your pseudonymous user ID. Before any external use, it is aggregated and anonymized: k-anonymity ≥ 5 users, one-way hashed user identifiers, and value-bucketed sensitive metrics. No individual can be identified from these outputs.
Internal capture is required to deliver core functionality (bias detection, personalized signals, inaction alerts) and cannot be disabled without disabling those features. You may opt out of the external licensing pipeline at any time — see Section 11 — Your Privacy Choices.
7. Cookies & Sessions
PortfolioShield uses the following types of cookies and tokens:
- Session cookie (
ps_access) — An HTTP-only secure cookie containing your JWT session token. Required for authentication; cannot be disabled while logged in. - CSRF state — Stored in
sessionStorageduring OAuth flows to prevent cross-site request forgery. Automatically cleared after login. - Preferences — UI preferences (theme, column widths) stored in
localStorage. No personal data.
We do not use third-party advertising cookies.
8. Security
We implement industry-standard security measures including:
- HTTPS/TLS encryption for all data in transit
- Encrypted storage of sensitive data at rest (AES-256)
- JWT-based authentication with short-lived access tokens
- IP-restricted admin access with mandatory 2FA
- Regular security audits and dependency updates
No security measure is 100% foolproof. In the event of a data breach that affects your personal data, we will notify you within 72 hours as required by applicable law.
9. Data Retention
- Active accounts: Data retained for the life of the account
- Closed accounts: Personal data deleted within 30 days; anonymized analytics may be retained indefinitely
- Audit logs: Login history and consent records retained for 7 years for legal/compliance purposes
- Market data: Historical price and volatility data retained indefinitely (no personal data)
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data:
- Access — Request a copy of the data we hold about you
- Rectification — Correct inaccurate personal data
- Erasure — Request deletion of your account and personal data ("right to be forgotten")
- Portability — Receive your data in a machine-readable format
- Opt-out — Withdraw consent for marketing emails or anonymized analytics at any time
- Restriction — Request that we restrict processing of your data in certain circumstances
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.
If you are in the European Economic Area (EEA), you also have the right to lodge a complaint with your local data protection authority.
If you are a California resident, the CCPA grants you additional rights, including the right to opt out of the "sale or sharing" of your personal information. Even though PortfolioShield does not sell individual-level data, anonymized aggregates derived from your behavioral data may qualify as "sharing" under California law. You may exercise this right at any time from Settings → Privacy → "Do Not Sell or Share My Data". We will honor your request within 15 business days.
11. Your Privacy Choices
Do Not Sell or Share My Data (CCPA & Global)
California residents — and as a courtesy, all users — may opt out of having their anonymized behavioral data included in external research and data licensing pipelines. To opt out:
- Go to Settings → Privacy
- Toggle "Do Not Sell or Share My Data" to ON
- Your preference is saved immediately and applied to all future data exports within 15 business days
- Historical anonymized aggregates already exported cannot be recalled — they contain no individual identifiers and cannot be linked back to you
Behavioral Analytics (Always Active)
Internal behavioral event capture is required to deliver personalized signals, cognitive bias detection, and inaction alerts. This cannot be disabled without disabling core Service functionality. The Do Not Sell or Share toggle above controls whether your data enters external pipelines — it does not affect internal processing.
Marketing Communications
You may withdraw consent for marketing emails at any time using the unsubscribe link in any marketing email, or from Settings → Notifications.
12. Children's Privacy
PortfolioShield is not directed at, and does not knowingly collect data from, persons under the age of 18. If we become aware that a minor has provided us with personal data, we will delete it promptly. If you believe a minor has submitted data to us, contact us at [email protected].
13. Contact
For privacy questions, data requests, or to report a concern:
- Email: [email protected]
- Website: portfolioshield.app
For general questions, see our Terms of Service.