Privacy Policy
Version 2026-04-22 · Effective 2026-04-22
This Privacy Policy explains how Artem Derevets, a sole operator based in Poland ("Tessera Alpha", "we", "us"), collects, uses, shares, and protects personal data in connection with the Tessera Alpha website, web application, mobile application, and APIs (collectively, the "Service"). It applies to all users worldwide, with additional rights for residents of the European Economic Area ("EEA"), United Kingdom ("UK"), and California detailed below.
We are the data controller for personal data we collect through the Service. You can reach us at support.tessera.alpha@gmail.com.
1. What we collect
1.1 Information you give us directly
- Account information — email address, first and last name, password hash, and optional profile information. Account credentials are managed by our authentication sub-processor, Clerk.
- Payment information — billing name, country, and the last four digits and brand of your payment card. We do not store full card numbers; payment is handled by our payment sub-processor (Stripe or equivalent), which is responsible for PCI-compliant card storage.
- User content — watchlists, portfolios, strategy configurations, comments, feedback, and any other information you actively submit.
- Legal acceptance records — which versions of our Terms, Privacy Policy, and Disclaimer you have accepted, together with the timestamp, IP address, and user-agent of each acceptance.
- Support communications — the content of emails and in-app messages you send us.
1.2 Information collected automatically
- Usage data — pages visited, features used, AI-evaluation counts, search queries, click events, session duration, crash reports, and similar interaction data.
- Device and connection data — IP address, approximate geographic location (country / region, derived from IP), device type, operating system, browser type and version, language setting, and referring URL.
- Cookies and similar technologies — strictly necessary cookies for authentication and session management (set by Clerk), and preference cookies (e.g., dark-mode). We do not currently use advertising cookies, cross-site tracking, or third-party analytics that profile individual users. If that changes, we will update this policy and request consent where required.
1.3 Information from third parties
- Authentication providers — if you sign in using a third-party provider through Clerk (e.g., Google), we receive your name, email, and profile photo from that provider.
- Market-data providers — Financial Modeling Prep, Finnhub, and FRED supply market data we display; they do not receive your personal data from us.
2. Why we process your data (legal bases under GDPR/UK-GDPR)
We process personal data only where we have a lawful basis. For each category of processing, the applicable basis is:
| Purpose | Legal basis |
|---------|-------------|
| Providing the Service (account creation, authentication, delivering features you request) | Performance of a contract (Art. 6(1)(b)) |
| Processing payments, issuing invoices | Performance of a contract; legal obligation for tax records (Art. 6(1)(c)) |
| Enforcing usage limits and security controls | Legitimate interest in running a reliable service (Art. 6(1)(f)) |
| Responding to support requests | Performance of a contract; legitimate interest |
| Sending service announcements (not marketing) | Legitimate interest |
| Sending marketing emails | Consent (Art. 6(1)(a)), withdrawable at any time |
| Improving the Service through aggregated usage analytics | Legitimate interest |
| Complying with legal, regulatory, or law-enforcement requests | Legal obligation (Art. 6(1)(c)) |
| Establishing, exercising, or defending legal claims | Legitimate interest (Art. 6(1)(f)) |
Where we rely on legitimate interest, we have balanced that interest against your rights and freedoms.
3. Who we share data with (sub-processors)
We share the minimum personal data necessary with the following categories of recipients, each bound by contractual confidentiality and data-protection obligations. Current sub-processors are:
| Sub-processor | Purpose | Data shared | Location |
|---------------|---------|-------------|----------|
| Clerk | Authentication, user identity, session management | Email, name, password hash, IP, session tokens | USA (SCCs / DPF) |
| Stripe (or equivalent payment processor) | Payment processing, subscription billing | Name, email, billing address, card details | USA (SCCs / DPF) |
| Anthropic | Large-language-model analysis (AI evaluations) | Prompt content (which may include ticker symbols you query); no account identifiers unless strictly necessary for feature delivery | USA (SCCs) |
| Financial Modeling Prep | Market data | No personal data | USA |
| Finnhub | Real-time prices | No personal data | USA |
| Hetzner Online GmbH (Kubernetes / k3s cluster host) | Application hosting, logs, database | IP, usage logs, account data | Nuremberg, Germany (EU) |
| Error monitoring (if enabled, e.g., Sentry) | Crash and error diagnostics | IP, stack traces, browser data | USA / EU |
| Email delivery provider (e.g., Resend, Postmark) | Transactional emails | Email address, message content | USA / EU |
We do not sell your personal data to third parties. We do not share it with data brokers or advertising networks.
We may disclose personal data to: (a) law-enforcement, regulators, or other government authorities in response to a valid legal request; (b) our professional advisers (lawyers, accountants) under confidentiality; (c) a buyer in the event of a merger, acquisition, or sale of all or substantially all of our assets, in which case we will require the buyer to honor this Privacy Policy.
4. International data transfers
We are based in Poland and use sub-processors in the United States, the European Economic Area, and potentially other regions. Where personal data is transferred outside the EEA/UK, we rely on appropriate safeguards, including:
- Standard Contractual Clauses (SCCs) approved by the European Commission, together with supplementary measures where required;
- the EU-US Data Privacy Framework for sub-processors certified under it.
A copy of the relevant transfer mechanism for any specific sub-processor is available on request.
5. Retention
We retain personal data only for as long as necessary for the purposes described in this policy, or as required by law:
- Account data — for the life of your account plus 30 days after deletion (for backup rotation and dispute handling).
- Billing records — 7 years after the transaction, to comply with tax and accounting law.
- Legal acceptance records — for 6 years after account closure, to defend against potential contractual disputes.
- Usage logs and analytics — typically 13 months, after which they are deleted or aggregated.
- Support communications — 2 years from the last interaction.
- Marketing contact list — until you unsubscribe, plus a suppression record to honor your opt-out.
When retention periods expire, we delete or irreversibly anonymize the data.
6. Your rights
Depending on where you live, you may have the following rights regarding your personal data:
- Access — a copy of the personal data we hold about you.
- Rectification — correction of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — deletion of your data, subject to legal retention obligations.
- Restriction — limiting how we process your data.
- Objection — objecting to processing based on legitimate interest, including direct marketing.
- Portability — receiving your data in a structured, machine-readable format.
- Withdrawal of consent — where processing is based on consent, withdrawing consent at any time (without affecting the lawfulness of prior processing).
- Complaint — lodging a complaint with your local data-protection authority. EEA users can find their authority at edpb.europa.eu. UK users: the ICO (ico.org.uk).
- California residents — additional rights under the CCPA/CPRA: know, delete, correct, opt-out of "sale" or "sharing" (we do neither), and non-discrimination. See Section 9.
To exercise any right, email support.tessera.alpha@gmail.com. We will respond within 30 days (extendable by a further 60 days for complex requests, with notice to you). We may require verification of your identity before acting on a request.
7. Security
We implement reasonable technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.2+); encryption at rest for databases; hashed and salted passwords managed by Clerk; access controls; audit logging; regular backups; and restricted access to production systems. No system is perfectly secure, and we cannot guarantee absolute security. In the event of a personal-data breach that is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authority as required by law (generally within 72 hours of becoming aware of the breach).
8. Children
The Service is not directed to, and we do not knowingly collect personal data from, anyone under 18 (or the age of majority in your jurisdiction, whichever is higher). If you believe a minor has provided us with personal data, contact support.tessera.alpha@gmail.com and we will delete it.
9. California residents (CCPA / CPRA)
Categories of personal information collected (last 12 months): identifiers (name, email, IP), commercial information (subscription history), internet activity (usage, browser), geolocation (approximate, from IP), professional information (if you provide it in account settings), inferences (feature preferences).
Sources: you, our sub-processors listed in Section 3, and automatic collection as described in Section 1.
Business purposes for collection: Service provision, billing, security, analytics, legal compliance.
Sale / sharing of personal information: we do not sell or "share" personal information as those terms are defined under the CCPA/CPRA. We do not engage in cross-context behavioral advertising.
Your rights — to know, delete, correct, and opt out of sale/sharing (not applicable here since we do neither). To exercise, email support.tessera.alpha@gmail.com. You may designate an authorized agent. We will not discriminate against you for exercising these rights.
10. Do Not Track
The Service does not currently respond to "Do Not Track" browser signals, because we do not engage in cross-site behavioral tracking that DNT was designed to address.
11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email and/or in-app notification at least 14 days before they take effect. We track each user's acceptance of specific versions for legal-compliance purposes. The "Effective date" and "Version" at the top of this document indicate the current version.
12. Contact
For privacy questions, requests, or complaints:
support.tessera.alpha@gmail.com
Operator: Artem Derevets (Poland)
We are established in Poland and therefore do not need to appoint an EU representative under GDPR Art. 27. UK representative: if and when the Service develops a material UK user base, a UK representative may be required under UK-GDPR Art. 27. This can be revisited at that point.