Privacy Policy
Last updated: 2026-04-28
What this policy covers
Capital Compass AI ("we", "our", "the service") is a research-and-analysis web app for an autonomous AI portfolio that trades paper money. This policy describes what information we collect when you visit capitalcompassai.com or create an account, why we collect it, and what we do with it.
This document is a plain-English working policy. It is not legal advice. We'll update it as the product and our operations change.
Information we collect
- Account information. If you create an account, we collect the email address you sign up with and a hashed password. We never store passwords in plaintext.
- Session data. We use a session cookie and a refresh token cookie (both first-party) to keep you signed in. Guests browsing without an account are not tracked across sessions beyond a transient session-storage flag.
- Usage telemetry. When the app encounters a runtime error, we log the message, the URL, and a stack trace to our server so we can debug it. We do not send this telemetry to third-party analytics services.
- Server logs. Like every web service, our hosting provider records IP addresses, request paths, and timestamps for operational purposes (rate-limiting, abuse prevention, debugging). These logs are retained for at most 30 days.
- Billing data. If you subscribe, payment is processed by Stripe. We never see or store your card number — only Stripe's customer ID and a flag indicating whether your subscription is active.
Information we do not collect
- We do not run third-party ad trackers, fingerprinting scripts, or social-network pixels.
- We do not collect any real brokerage credentials. The model portfolio is paper money.
- We do not sell, rent, or share your email address with anyone.
How we use your information
- To authenticate you and keep your session active.
- To deliver the product and the rebalance/trade-ticket emails you opted into.
- To debug crashes and fix bugs.
- To process payments (via Stripe) and manage subscriptions.
- To enforce rate limits and prevent abuse.
Cookies and storage
We use first-party cookies to keep you signed in (a short-lived access token and a longer-lived refresh token). We also use localStorage on your device to remember your theme preference. We do not use cookies for advertising or cross-site tracking.
Third parties we rely on
- Supabase — database and authentication.
- Railway — backend hosting.
- Vercel — frontend hosting.
- Stripe — subscription billing.
- Resend — transactional email (rebalance digests, trade tickets).
- Telegram — optional trade-ticket delivery, only if you opt in.
- Polygon, FRED, Anthropic — market data and AI inference. These vendors do not receive your account information.
Your rights
You can request a copy of the data we hold about you, or ask us to delete your account and all associated data, by emailing support@capitalcompassai.com. We'll respond within 30 days. If you live in the EU, UK, or California, additional rights under GDPR / UK GDPR / CCPA apply on request.
Security
We use HTTPS for every request. Passwords are hashed with bcrypt. Sensitive secrets are stored as environment variables with our hosting provider, not in source control. We do not claim our security is perfect; if you spot a vulnerability, please email security@capitalcompassai.com and we'll respond.
Changes to this policy
When we change this policy in a way that affects what we collect or how we use it, we'll update the "Last updated" date at the top of this page and (for material changes) notify signed-in users by email.
Contact
Questions? Email support@capitalcompassai.com.