Privacy Policy

Last updated: April 2026 · Pending legal review

1. Who We Are

Allvyu is operated by [Legal Entity Name] (ABN [number]), a company registered in Australia.

2. What We Collect

  • Account information: email, password (hashed by Supabase Auth — never stored or visible to us in plaintext), profile preferences, plan tier, and billing data (handled by Stripe).
  • Financial data you enter: trades, holdings, properties, private investments, cash balances, liabilities, notes, and any documents you upload.
  • Connected-account data: when you link a brokerage or crypto wallet, we receive read-only data about that account from the relevant data provider — see section 3.
  • Error reports (with consent): if you accept cookies, Sentry collects anonymised error reports — error messages and browser/device type, no financial data.

3. Connected Accounts

When you connect an account in Allvyu, we receive read-only data about that account through a regulated data provider. We never receive your broker or exchange credentials, and we cannot move money or place trades on your behalf.

Public blockchain wallets (read directly from the public ledger):

  • Public addresses you supply
  • Transactions and balances visible to anyone on the chain
  • We do not hold private keys, seed phrases, or any custody.

You can disconnect any connected account at any time. Disconnection stops further data sync; deletion of historic data is governed by section 8 below.

4. What We Do NOT Do

  • We do not sell or share your data with third parties for marketing.
  • We do not use advertising trackers or third-party analytics for advertising.
  • We do not track you across other websites.
  • We do not move money on your behalf — we are an aggregator, not a payment service.
  • We do not provide financial product advice. See our Terms of Service.

5. How We Use Your Data

  • Provide the service: calculate net worth, generate charts, produce tax packs, sync connected accounts, and surface insights.
  • Fetch market data: ticker symbols are sent to Yahoo Finance, CoinGecko, and Frankfurter API to retrieve prices. These services receive only the ticker/coin identifier, never your personal or financial information.
  • AI document extraction: if you upload a broker statement or fund document, the extracted data is processed by Anthropic to identify trades, valuations, and other relevant fields. Documents and extracted data are stored in your account only.
  • Fix bugs: error reports via Sentry, only with cookie consent.

6. Cookies

Allvyu uses:

  • Essential cookies: Authentication session cookies managed by Supabase. Required for the app to function.
  • Error tracking (optional): Sentry error monitoring, only activated if you click "Accept" on the cookie banner.

We use localStorage to remember your cookie preference, theme choice, and privacy mode setting. These are stored locally on your device and never transmitted to us.

7. Storage & Security

  • All data is stored in Supabase (PostgreSQL) with row-level security: each user can only access their own data.
  • Data is encrypted in transit via HTTPS/TLS and at rest via Supabase's standard encryption.
  • Passwords are hashed with bcrypt by Supabase Auth.
  • Application hosted on Vercel.

8. Your Rights

Under the Australian Privacy Act 1988 and (where applicable) the GDPR, you have the right to:

  • Access all data we hold about you (Settings → Export, or contact us)
  • Correct inaccurate data (edit directly, or contact us)
  • Delete your data (Settings → Delete Account)
  • Withdraw cookie consent (clear your browser's localStorage)
  • Make a complaint to the Office of the Australian Information Commissioner (oaic.gov.au) or your local data protection authority.

9. Data Retention

  • Account data: retained while your account is active. Deleted within 30 days of account deletion, except for records we are legally required to retain.
  • Backups: rolling 30-day backups; data may persist in backups for up to 30 days after deletion before being overwritten.

10. Sub-processors

We use the following sub-processors. A current and dated list is also published at /sub-processors:

  • Supabase Inc. — database, authentication, storage
  • Vercel Inc. — application hosting
  • Stripe Inc. — payment processing for subscriptions
  • Sentry — error monitoring (optional, with consent)
  • Anthropic PBC — AI document extraction (data sent is limited to the relevant document; no broader account data)
  • Yahoo Finance, CoinGecko, Frankfurter — market data (ticker/coin identifiers only)

11. International Transfers

Some sub-processors may host data outside Australia. We use sub-processors with equivalent privacy protections and where applicable rely on Standard Contractual Clauses or equivalent safeguards. Specific hosting regions are listed at /sub-processors.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be notified to you in-app and by email at least 14 days before they take effect. The "Last updated" date will reflect the most recent revision.

13. Contact

For privacy questions, data requests, or to make a complaint: contact@allvyu.com.