Privacy Policy

1. Who We Are

Convex S.A.C. ("Convex," "we," "us," or "our") operates the websites convex.ltd and app.convex.ltd, along with related services (collectively, the "Service"). Convex is an AI-powered stock analysis platform designed for retail investors. We are not a broker, financial advisor, or investment manager.

For any privacy-related questions, you can reach us at hello@convex.ltd.

2. Data We Collect

2.1 Account Data

When you create an account, we collect your name, email address, phone number, DNI or ID document number, and a password (stored in hashed form). This data is necessary to perform our contract with you and to provide the Service.

2.2 Profile Data

You may optionally complete a risk profile questionnaire. This includes your investment goals, risk tolerance, age range, income range, portfolio size, sector interests, and profession. We process this data based on your consent and to personalize your experience.

2.3 Usage Data

As you use the Service, we record data such as analyses you run, stocks you analyze, your watchlist, portfolio positions (manually entered), and chat messages. We process this data to perform our contract with you and based on our legitimate interest in improving the Service.

2.4 Brokerage Data (Optional)

If you choose to connect a brokerage account through our SnapTrade integration, we receive read-only portfolio holdings data. This connection is initiated entirely by you and processed based on your explicit consent. We never place trades or modify your brokerage account.

2.5 Technical Data

We automatically collect your IP address, browser type and version, device information, and usage analytics. This data is processed based on our legitimate interest in maintaining security and improving performance.

3. How We Use Your Data

Provide the Service — run stock analyses, manage your watchlist and portfolio, generate AI-driven research narratives, and deliver personalized recommendations.
Improve our analysis — refine our conviction engine, fair value models, and data pipelines using aggregated, anonymized usage patterns.
Communicate with you — send transactional emails (account verification, password reset), service updates, and, with your consent, marketing communications.
Ensure security — detect fraud, prevent abuse, and enforce rate limits.
Comply with legal obligations — respond to lawful requests from authorities and meet regulatory requirements.

4. AI Processing Disclosure

Convex uses artificial intelligence (powered by Anthropic Claude) to generate stock analysis narratives and to power the in-app chat feature. Here is how AI interacts with your data:

Stock analysis: When we generate an analysis, we send financial and market data about the stock (prices, ratios, financial statements) to the AI model. No personal user data (name, email, ID, portfolio positions) is sent to the AI provider.
Chat: If you use the chat feature, your chat messages are processed by the AI model to generate responses. Chat messages may include text you type, which could contain personal information you choose to share. We advise against including sensitive personal data in chat messages.
No training: Your data is not used to train third-party AI models. We use the Anthropic API under terms that prohibit model training on customer inputs.

5. Data Sharing

We do not sell your personal data. We share data only with the following categories of service providers (data processors), each bound by data processing agreements:

Supabase — database hosting and authentication. Stores account data, profile data, and usage data.
Google Cloud Platform — application hosting (Cloud Run). Processes requests and temporarily handles data in transit.
Cloudflare — CDN, DDoS protection, and Turnstile CAPTCHA. Processes IP addresses and request metadata.
Anthropic — AI analysis and chat. Receives stock data and chat messages only; no personal account data.
SnapTrade — brokerage integration. Receives a user identifier and retrieves read-only portfolio holdings, only when you explicitly connect a brokerage.
Google Analytics — usage analytics. Receives anonymized usage events, IP addresses (anonymized), and device data.
Financial data providers (FMP, yfinance, CoinGecko, NewsAPI, FRED) — receive ticker/symbol queries only. No personal data is sent to these providers.
Sanity — content management for blog articles. No personal data is stored or processed.

We may also disclose data if required by law, court order, or to protect the rights, property, or safety of Convex, our users, or the public.

6. Data Retention

Account and profile data: retained for as long as your account is active, plus 30 days after account deletion to allow for recovery.
Usage data (analyses, watchlist, portfolio): retained for as long as your account is active. Deleted within 30 days of account deletion.
Chat messages: retained for up to 90 days, then automatically deleted.
Analytics data: anonymized after 26 months via Google Analytics data retention settings.
Technical logs: retained for up to 90 days for security and debugging purposes.

7. Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights regarding your personal data:

Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate or incomplete data.
Erasure — request deletion of your personal data ("right to be forgotten").
Data portability — receive your data in a structured, machine-readable format.
Restriction — request that we limit the processing of your data.
Objection — object to processing based on legitimate interest.
Withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at hello@convex.ltd. We will respond within 30 days.

8. Your Rights Under Peruvian Law (Ley 29733)

If you are located in Peru, you have the following ARCO rights under the Personal Data Protection Law (Ley 29733):

Acceso (Access) — obtain information about the personal data we process about you.
Rectificacion (Rectification) — update or correct your personal data.
Cancelacion (Cancellation) — request the deletion of your personal data when it is no longer necessary for the purpose for which it was collected.
Oposicion (Opposition) — object to the processing of your personal data for specific purposes.

To exercise your ARCO rights, send a request to hello@convex.ltd including your full name, ID document number, and a description of the right you wish to exercise. We will respond within 10 business days as required by law.

9. International Data Transfers

Your data may be transferred to and processed in countries outside your country of residence, including the United States. Our infrastructure providers (Google Cloud Platform, Anthropic, SnapTrade, Supabase) operate servers in the US and other jurisdictions.

Where required, we rely on appropriate safeguards for these transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and equivalent mechanisms recognized under applicable law.

10. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies:

Essential cookies — required for authentication, session management, and security. These cannot be disabled.
Security cookies (Cloudflare) — used for bot detection, DDoS protection, and Turnstile CAPTCHA verification.
Analytics cookies (Google Analytics) — used to understand how visitors interact with the Service, including page views, session duration, and feature usage. You can opt out of Google Analytics by installing the Google Analytics Opt-out Browser Add-on.

We do not use advertising cookies or third-party tracking pixels for ad targeting.

11. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at hello@convex.ltd.

12. Security Measures

We implement appropriate technical and organizational measures to protect your data, including:

Encryption in transit — all data transmitted between your browser and our servers is encrypted using TLS.
Encryption at rest — data stored in our database is encrypted at rest.
Row-Level Security (RLS) — database access policies ensure users can only access their own data.
Rate limiting — API endpoints are rate-limited to prevent abuse.
JWT authentication — all authenticated requests are verified using signed JSON Web Tokens with expiry validation.
Password hashing — passwords are never stored in plain text.

While we strive to protect your data, no method of transmission or storage is 100% secure. We encourage you to use strong passwords and enable multi-factor authentication (MFA) where available.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (sent to the address associated with your account) or through a prominent notice within the Service before the changes take effect. We encourage you to review this page periodically.

14. Contact Us

If you have questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:

Email: hello@convex.ltd
Website: convex.ltd