Privacy Policy
Effective Date: January 17, 2026
Last Updated: January 17, 2026
Trovest ("we," "our," or "us") operates the Trovest website (trovest.io), mobile applications, and related services (collectively, the "Services").
This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Services. By using Trovest, you agree to the collection and use of information in accordance with this policy.
If you do not agree with this Privacy Policy, please do not use our Services.
1. Information We Collect
A. Information You Provide Directly
We collect the following information when you create an account or use our Services:
- Name — First name and last name
- Email address — Used for account login and communications
- Password — Stored securely using bcrypt hashing (never stored in plaintext)
- Phone number — Optional, used for SMS verification
- User preferences — Preferred sectors, preferred industries
- Watchlists — Companies you track and lookup history
- Manual portfolios — Portfolio names, descriptions, and holdings you manually add
B. Financial & Portfolio Data (via Plaid)
If you choose to connect your brokerage account, we collect:
- Linked brokerage accounts — Institution name, account type
- Portfolio holdings — Ticker symbols, security names, quantity, cost basis, current value
- Account information — Account name, type (e.g., brokerage, IRA)
Important: We use Plaid for brokerage connections. We have read-only access and cannot execute trades, transfer funds, or access your brokerage credentials.
C. Payment Information (via Stripe)
- Subscription status — Plan tier (free/premium), billing period
- Stripe customer ID — Links your account to Stripe for billing
Payment details (credit card numbers) are handled entirely by Stripe and never stored on our servers.
D. Device & Technical Data
- Device tokens — For push notifications (Firebase Cloud Messaging)
- Platform — iOS, Android, or web
- App version — For compatibility and support
E. Usage Data
- Company lookups — Which stocks you analyze, frequency
- Login activity — Last login timestamp
- Feature usage — Report generation, score refreshes
F. Automatically Collected Data
- Authentication tokens — JWT tokens stored in browser localStorage
- Email verification tokens — Temporary tokens (24-hour expiry)
- Password reset tokens — Temporary tokens (1-hour expiry)
- SMS verification codes — 6-digit codes (10-minute expiry)
G. Biometric Authentication (Optional)
If you enable biometric authentication such as Face ID, Touch ID, or device-based biometric login, biometric data is processed entirely on your device using your device's secure hardware and operating system (such as Apple's Secure Enclave or Android's Trusted Execution Environment).
- Trovest does not receive, transmit, store, or have access to your biometric data.
- Trovest only receives confirmation that authentication was successful.
H. Social Login (Google Sign-In)
If you choose to sign in using Google, Trovest may receive certain information from Google, including:
- Name
- Email address
- Profile picture (optional)
- Google user identifier
Trovest does not receive or have access to your Google password. Your use of Google Sign-In is also subject to Google's Privacy Policy.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Provide the Services — Create and manage your account, display portfolio holdings, generate stock scores and analysis
- Process Payments — Handle subscription billing through Stripe
- Communicate with You — Send transactional emails (verification, password reset), service updates, and respond to inquiries
- Send Notifications — Deliver push notifications for alerts, reports, and material changes (if enabled)
- Improve the Services — Analyze usage patterns, fix bugs, and develop new features
- Security & Fraud Prevention — Protect against unauthorized access, detect suspicious activity, and ensure platform integrity
- Legal Compliance — Meet legal obligations, respond to lawful requests, and enforce our Terms of Service
- Customer Support — Respond to your questions and resolve issues
We do NOT:
- Sell your personal information to third parties
- Use your data for targeted advertising
- Share your portfolio data with other users
Use of Data for Model Improvement
Trovest may use aggregated and anonymized data to improve system performance, model accuracy, and product features. Personal data and identifiable portfolio information are not used to train public or third-party AI models.
Aggregated and Anonymized Data
We may retain and use aggregated, anonymized, or de-identified data for analytics, research, and product improvement purposes. This data cannot be used to identify you individually.
3. Third-Party Services
We use the following third-party services to operate Trovest:
| Service | Purpose | Data Shared |
|---|---|---|
| Plaid | Brokerage account linking | User ID, email, institution selection |
| Stripe | Payment processing | Email, name, subscription details |
| Resend | Transactional emails | Email address, name |
| Firebase (FCM) | Push notifications | Device tokens |
| AWS SNS | SMS verification | Phone number |
| Financial Modeling Prep | Stock data | Company tickers only (no personal data) |
| SEC EDGAR | SEC filings | Company identifiers only (no personal data) |
| Anthropic Claude | AI analysis | Company financial data only (no personal data) |
Third-party services are used strictly for their intended purposes and only receive the minimum data necessary to function.
4. Data Retention
How Long We Keep Your Data
| Data Type | Retention Period |
|---|---|
| Account information | Until you delete your account |
| Portfolio data (Plaid) | Until you disconnect or delete your account |
| Watchlists & preferences | Until account deletion |
| Subscription data | As required by tax/legal obligations |
| Server logs | 90 days |
Temporary Data
- SMS verification codes — 10 minutes
- Password reset tokens — 1 hour
- Email verification tokens — 24 hours
- JWT authentication tokens — Until logout or expiration
After Account Deletion
When you delete your account, personal data is permanently deleted within 30 days. Anonymized, aggregated analytics data may be retained. Data required for legal compliance (e.g., billing records) may be retained as required by law.
5. Your Rights
Rights Available to All Users
- Access — Request a copy of your personal data
- Correction — Update inaccurate information
- Deletion — Delete your account and associated data
- Portability — Receive your data in a machine-readable format
- Withdraw Consent — Revoke permissions (e.g., disconnect Plaid)
- Opt-Out — Unsubscribe from marketing communications
Additional Rights for California Residents (CCPA)
- Right to know what personal information we collect
- Right to delete personal information
- Right to opt-out of the "sale" of personal information — Note: Trovest does NOT sell your personal information
- Right to non-discrimination for exercising your rights
Additional Rights for EU/UK Residents (GDPR)
- Right to access, rectification, and erasure
- Right to restrict processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making
How to Exercise Your Rights
You may exercise any of the above rights by:
- Using the settings within the Trovest app
- Emailing us at privacy@trovest.io
- Using the contact form on our website
We will respond to your request within 30 days (or sooner as required by applicable law).
6. Children's Privacy
Trovest is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that data has been collected from a minor, we will delete it promptly.
7. International Data Transfers
Your information may be processed and stored in countries outside your country of residence, including the United States, where data protection laws may differ. By using Trovest, you consent to such transfers.
8. Data Security
We implement reasonable administrative, technical, and organizational safeguards to protect personal information, including encryption, access controls, and secure infrastructure. However, no system can be guaranteed to be completely secure.
9. Legal Basis for Processing (GDPR)
Where applicable under GDPR, Trovest processes personal data based on:
- Performance of a contract — Providing the Services
- User consent — Account creation, optional features
- Legitimate interests — Security, fraud prevention, product improvement
- Legal obligations — Compliance with applicable laws
Automated Processing
Trovest uses automated systems to generate investment insights and scores; however, we do not make automated decisions that produce legal or similarly significant effects on users. All investment decisions remain under your control.
10. Updates to This Policy
We may update this Privacy Policy from time to time. When we make significant changes:
- We will notify you via email or in-app notification
- We will update the "Last Updated" date at the top of this page
- Continued use of Trovest after changes constitutes acceptance
11. Contact Us
For questions about this Privacy Policy or how we handle your data:
- Privacy Inquiries: privacy@trovest.io
- General Support: support@trovest.io
- Website: trovest.io/contact
If you have concerns about how your data is being processed, you may also contact the relevant data protection authority in your jurisdiction.