Privacy Policy
Last updated: 24 May 2026
1. Who We Are
WealthLenseAI ("we", "us", "our") operates this website and provides AI-powered portfolio analysis, financial planning, market intelligence, stock forecasts, earnings previews, and other financial education tools for informational purposes only. The service supports multiple countries, including India, the United States, the United Kingdom, and Australia, with country-specific features. Privacy questions: privacy@wealthlenseai.com.
2. Data Architecture — What We Actually Store
What we do store (only for signed-in users): the AI-generated result — your health score, allocation summary, and recommendations — under your Google account so you can revisit it from any device. You can delete any saved report at any time from the My Reports page.
| Data Type | Stored Where | How Long |
|---|---|---|
| Uploaded portfolio files (PDF/CSV/Excel/image) | Not stored — in-memory only | Deleted as soon as the request completes |
| Manually entered holdings | Not stored — in-memory only | Deleted as soon as the request completes |
| Planner questionnaire answers | Not stored — in-memory only | Deleted as soon as the request completes |
| AI-generated portfolio analysis result (signed-in users) | Supabase (PostgreSQL) reports table, scoped to your Google UID | Until you delete it from My Reports, or your account |
| Pre-generated stock analysis, earnings previews & DCF valuations (market-data AI) | Supabase (PostgreSQL) — public market data only, no personal data | Refreshed every 45 days; no personal data is stored in these records |
| AI-generated result (anonymous / local-dev users) | Browser sessionStorage only | Cleared when you close the tab |
| In-flight analysis job state (job ID, status, result — no raw portfolio text) | Supabase analysis_jobs table (transient) | Raw portfolio input is never stored. The job row itself auto-expires ~5 minutes after completion. |
| Email address you provide for "email me when ready" | Same Supabase analysis_jobs row, used to send a single email | Removed with the job row at the 5-min TTL |
| Country preference | Your browser's localStorage | Until you clear browser data |
| Google profile (display name, email, photo) | Firebase Authentication | Until you delete your account |
| Newsletter preferences (opt-in status, frequency) | Not currently stored — newsletter feature is in development | N/A |
| Contact form messages | Our operator email inbox (delivered via Resend) | Up to 2 years |
3. How We Process Your Data
⚡ Server-side PII redaction (auto-applied to every upload)
Before any AI provider receives your file's text, our redactor strips known personally-identifying numbers using strict regex patterns. The following identifiers are automatically replaced with placeholders (e.g. [PAN_REDACTED]) before the prompt leaves our server:
- Indian PAN (10-character alphanumeric ID)
- US SSN (9 digits, dash-separated)
- Aadhaar (12 digits in 4-4-4 format)
- UK National Insurance Number
- Singapore NRIC / FIN
- Australian TFN (9 digits in 3-3-3 format)
- Email addresses
- International phone numbers (E.164 format)
We do not auto-redact bank account numbers, names, signatures, or dates of birth — these vary too widely to redact reliably without breaking analysis. We recommend you redact these in your source PDF / Excel before uploading.
- Portfolio analysis: Your uploaded file or manually entered holdings are parsed in server memory, converted to text, passed through the PII redactor above, and sent to an AI provider (Google Gemini by default, with OpenRouter as a fallback if our Gemini quota is exhausted) to generate your health score and insights. The raw file is never saved.
- Stock analysis, earnings previews & valuations (pre-seeded): AI-generated market-data analysis for supported stocks is pre-computed server-side using OpenRouter (GPT-4o) and stored in Supabase for up to 45 days. This data is based entirely on public market information — no personal data is involved or stored. Results are served from cache to avoid latency; users can request a refresh from the stock detail page.
- Financial plan: Your completed questionnaire Excel file is parsed in memory, question answers are extracted, and sent to the AI provider to generate your plan. The file is never saved.
- Stock forecasts & earnings previews: These are generated based on market data and historical information. No personal data is required or stored for these features.
- Market intelligence (news, FII/DII, sector rotation): These features use country-specific market data and AI-generated analysis. No personal data is required.
- Saved reports (signed-in users only): Once the AI returns, the structured result is written to our Supabase database (reports table) under your Google UID so you can re-open it from My Reports. You may delete any saved report from My Reports at any time.
- Async job tracking (signed-in users only): For long analyses, a transient row is created in our Supabase analysis_jobs table so the client can poll progress. Raw portfolio input is never stored here — only job status and the final AI result. Rows expire approximately 5 minutes after completion.
- Email-when-ready (optional, signed-in users only): If you opt in via the in-page popup that appears after ~50 seconds, we send a single notification email containing your report summary and a link to view the full report on the site. We use the email address associated with your Google sign-in. Delivery is handled by Resend (https://resend.com).
- Newsletter service (optional, signed-in users only): If you opt in to our daily digest or weekly market intelligence newsletter via the prompt on the /news page or account settings, we store your email address and newsletter preferences (opt-in status, frequency, country) server-side. We send country-specific emails containing curated market news and AI-generated insights. You can unsubscribe at any time via the email footer or your account settings. Delivery is handled by Resend.
- Contact form: Submissions are sent to our operator inbox via Resend with your supplied email set as Reply-To. We retain these for up to 2 years for support purposes.
- Country selection: You can manually select your country via URL parameter (e.g., ?country=IN) or it defaults to India. We store your preference in localStorage.
- Google Sign-In: If you sign in, Firebase Authentication receives your Google profile (display name, email, photo). This is used to identify your session and scope your saved reports to your account.
- We do not sell your data and do not use your portfolio data for advertising targeting.
4. Third-Party Services
| Service | Purpose | Data Received |
|---|---|---|
| Google Gemini AI | Primary AI provider — generates portfolio analysis, financial plan, stock forecasts, earnings previews | Portfolio text / questionnaire answers / market data |
| OpenRouter | Primary AI provider for stock analysis, earnings previews & DCF valuations; fallback for portfolio analysis when Gemini quota is exhausted | Public market data for stock features; portfolio text / questionnaire answers only on fallback for portfolio analysis |
| Supabase (PostgreSQL) | Primary database — stores saved reports, analysis job state, pre-generated stock/earnings/valuation data, market data cache, and admin configuration | Saved reports and job state scoped to your Google UID. Market/stock data is public only — no personal data in those tables. |
| Firebase Authentication (Google Cloud) | Google Sign-In identity verification only — no data storage | Display name, email, photo (used to identify your session) |
| Vercel | Hosting / serverless function execution | Standard request metadata (IP, user-agent, route) for routing & logging |
| Inngest | Durable workflow runner — executes long-running AI analysis, market data refresh, and digest generation jobs | Job ID + user ID for routing. Input data is passed via event payload only — never stored long-term in Inngest. |
| Resend | Email delivery (report email, contact-form delivery, newsletter service) | Recipient email address, message content, sender metadata. Resend acts as a data processor for email delivery under our instructions. |
| Google Analytics | Aggregate usage analytics | Anonymised page views, session data |
| Google AdSense | Advertising | Cookies for ad personalisation |
| Country selection | User preference (localStorage + URL parameter) | Your selected country (stored locally in your browser) |
Each service is governed by its own privacy policy (Google: policies.google.com/privacy; Vercel: vercel.com/legal/privacy-policy; Resend: resend.com/legal/privacy-policy; OpenRouter: openrouter.ai/privacy). We are not responsible for the data practices of these third parties.
5. Cookies
- Analytics cookies (_ga, _gid) — Set by Google Analytics. Tracks aggregate usage.
- Advertising cookies — Set by Google AdSense. Can be opted out via Google Ad Settings.
- No functional session cookies — We do not set server-side session cookies. Analysis results live only in your browser's session storage.
Disabling cookies will not affect core portfolio analysis functionality.
6. Your Rights by Jurisdiction
- UK / EU (GDPR) — Access, correct, delete, restrict, or port your data; withdraw consent at any time; right to object to processing
- India (DPDP Act 2023) — Access, correct, and erase personal data; grievance redressal; nominate an individual to exercise rights on your behalf
- Singapore (PDPA) — Access and correct personal data we hold
- Australia (Privacy Act 1988) — Access and correct personal information
- California, USA (CCPA) — Know what data is collected; request deletion; opt out of data sales (we do not sell personal data)
DPDP Act 2023 — India-Specific Rights
If you are a resident of India, the Digital Personal Data Protection Act 2023 grants you the following rights:
- Right to Access: Request a summary of personal data we process about you
- Right to Correction: Request correction of inaccurate or incomplete personal data
- Right to Erasure: Request deletion of your personal data (we comply unless required by law to retain)
- Right to Grievance Redressal: File a grievance with our Grievance Officer regarding any data processing concern
- Right to Nominate: Nominate another individual to exercise your rights on your behalf in case of death or incapacity
Grievance Officer Contact:
Email: privacy@wealthlenseai.com
We acknowledge your grievance within 48 hours and resolve it within 30 days, or provide a written reason for extension.
Self-service controls (regardless of jurisdiction): Privacy Settings lets you (a) view + revoke cookie and AI-processing consent, (b) download all data we hold about you (right of access), and (c) permanently delete your account and all associated data (right to erasure). Individual saved reports can also be deleted from My Reports.
Because we do not retain raw portfolio uploads, the underlying file is already gone. The only persistent data we hold per user is the Google profile (display name, email, photo), newsletter preferences, and the AI-generated report results — all of which you control directly.
For all other requests, contact: privacy@wealthlenseai.com
7. International Transfers
The following sub-processors operate primarily on US-based infrastructure: Google (Gemini AI, Firebase Authentication, Analytics, AdSense), Supabase (PostgreSQL database, hosted on AWS us-east-1), Vercel (hosting), Resend (email delivery), and OpenRouter (fallback AI). By using our service, you consent to your data being transferred to and processed in the USA. For UK/EU users, Google, Supabase, Vercel, and Resend operate under Standard Contractual Clauses approved by the European Commission.
8. Children's Privacy
Our services are not directed to individuals under 18. We do not knowingly collect personal data from children. If you believe a child has used our service, please contact us immediately.
9. Changes to This Policy
We may update this policy periodically. The "Last updated" date at the top reflects the most recent revision. Continued use after changes constitutes acceptance of the revised policy.