Circles

Privacy Policy

Last updated: 2026-06-11

InvestCircles is a private investing app for small groups of friends. This policy explains what we collect, why, where it goes, and how to remove it. Plain English. No dark patterns.

1. Who runs InvestCircles

InvestCircles is an independently operated service. The data controller can be reached at dano46639@gmail.com for any privacy matter. We are not a registered broker, custodian, or investment adviser.

2. What we collect

  • Account info: email address, username, optional display name, optional profile photo, optional bio.
  • Authentication: when you sign in with Google or Apple we receive an opaque user identifier from that provider; we do not see your password.
  • Portfolio data you enter: tickers, share counts, prices, trade dates and any notes. You choose what to add.
  • Connected accounts (only if and when you link one): the broker/exchange name, a status flag, the read-only connection key you provide, and the positions it reports. Keys are encrypted at rest with an application-level key (AES-256-GCM) on top of infrastructure encryption. We never receive or store your broker password. CSV imports are parsed on your device — the file itself is never uploaded; only the rows you confirm are stored.
  • Social graph inside Circles: friend requests, the circles you join, and the messages and reactions you post in those circles.
  • Push subscription (only if you opt in to notifications): the Web Push endpoint your browser issues so we can deliver a notification, and a server-stored timestamp.
  • Basic logs: timestamps and request paths needed to run the service and investigate abuse. No advertising identifiers.

3. What we do not collect

  • We do not track you across other apps or websites.
  • We do not buy data about you from third parties.
  • We do not collect your contacts, location, or device sensors.
  • We do not use behavioral advertising trackers.

4. How we use it

  • To show you and the friends in your circles what you choose to share.
  • To deliver push notifications you have opted into.
  • To detect and prevent abuse (spam, impersonation, coordinated trading).
  • To debug crashes and improve the product.

5. Who can see your data

  • Your portfolio, holdings and trades are visible only to members of the circles you have joined, and to friends you have explicitly accepted. Public discoverability does not exist in InvestCircles.
  • Your profile (username, display name, optional bio and photo) is visible to other signed-in users so they can find you for friend requests. Unauthenticated visitors cannot enumerate the user list.
  • You can toggle "names only" in Settings to hide your dollar amounts from circle members while still showing tickers, allocation % and % return. This is enforced on our servers — when masked, your dollar values are never sent to other members' devices.

6. Third-party services

We use the minimum third parties needed to operate the product. Each receives only the data necessary to perform its function.

  • Supabase (database + auth + storage) — stores your account, profile, portfolio and chat.
  • Vercel (hosting) — serves the app. Vercel sees request metadata (IP, user agent, path) needed to route traffic.
  • Google / Apple Sign-In — only if you choose them. We receive an opaque user identifier and email; we do not see your password or social graph from those providers.
  • Market data providers (Yahoo Finance, Finnhub, Financial Modeling Prep, Alpha Vantage, NewsAPI) — our servers send anonymous symbol requests to fetch prices and news. They do not receive your identity.
  • Account aggregation (SnapTrade) — only if you connect a broker through its portal. You authenticate at the broker; we receive read-only positions and never your credentials.
  • Web Push (browser provider) — only if you opt in to notifications. Your browser issues the push endpoint; we use it only to deliver a notification, never advertising.

7. Aggregate data

We do not currently publish any aggregate signals. If we ever do, they will be anonymized with k-anonymity of at least 100(a signal never appears unless at least 100 distinct users contribute to it) and opt-in. We do not sell identifiable data, ever.

8. Retention and deletion

You can delete your account from inside the app at any time (Settings → Delete account). When you confirm, we immediately remove:

  • Your profile, photo and bio.
  • Your portfolios, holdings and transactions.
  • Your watchlists, price alerts and push subscriptions.
  • Your friend graph, connected accounts (including encrypted keys and synced positions) and circle memberships.
  • Any circle you own (and, by extension, its members and messages).

Chat messages you sent in circles you do not own are kept so the remaining conversation makes sense, but they are anonymized to a deleted-user placeholder. Backups may retain residual copies for up to 30 days before they roll off.

9. Children

InvestCircles is intended for users aged 18 and over. We do not knowingly collect data from children under 13 (or the local equivalent age of digital consent).

10. Security

Data is encrypted in transit (HTTPS) and at rest by our infrastructure providers. Connection keys carry an additional application-level encryption layer (AES-256-GCM). Row-level security policies prevent users from reading another user's rows, and privacy masking is applied on the server, not in the app's interface. We disclose security incidents to affected users without undue delay.

11. Your rights

We process your data to provide the service you signed up for (contract), to keep it safe and prevent abuse (legitimate interest), and for anything optional — like notifications or account connections — only with your consent, which you can withdraw at any time. Our servers are operated by providers in the United States under standard contractual clauses. If you are in the EU/UK you have rights under GDPR; if you are in California, under the CCPA. To exercise them (access, correction, deletion, portability, objection) email dano46639@gmail.com — we respond within 30 days. EU residents can also lodge a complaint with their local supervisory authority (in Spain, the AEPD).

12. Changes

Material changes will be announced inside the app and reflected in the "Last updated" date above. Continued use after the date constitutes acceptance.

13. Contact

Questions, requests, security reports: dano46639@gmail.com.