Privacy Policy

Version 2026-04-27 · Effective 2026-04-27

Effective date: 2026-04-27 · Version: 2026-04-27

This Privacy Policy explains how Artem Derevets, a sole operator established in Poland (trading as "Tessera Alpha", "we", "us"), collects, uses, shares, and protects personal data when you use the Tessera Alpha website, web application, mobile applications, and APIs (together, the "Service").

We are the data controller for personal data processed through the Service. You can reach us at support@tesseraalpha.com. We have not appointed a Data Protection Officer because the scale and nature of our processing do not trigger the mandatory requirement under GDPR Art. 37.

This policy applies to all users worldwide. Additional rights for residents of the European Economic Area ("EEA"), United Kingdom ("UK"), and California are described in the relevant sections below.

1. What we collect

1.1 Information you give us directly

  • Account information — email address, first and last name, password hash, and any optional profile information you add. Authentication and credentials are managed by our identity sub-processor, Clerk.
  • Payment information — billing name, country, and the last four digits and brand of your payment card. We do not store full card numbers; payment is handled by our payment sub-processor (Stripe or equivalent), which is responsible for PCI-compliant card storage.
  • User content — watchlists, portfolios, strategy configurations, comments, support tickets, feedback, and any other information you submit.
  • Legal acceptance records — which versions of our Terms, Privacy Policy, and Disclaimer you accepted, with the timestamp, IP address, and user-agent of each acceptance.
  • Support communications — the content of emails and in-app messages you send us.

1.2 Information collected automatically

  • Usage data — pages visited, features used, AI-evaluation counts, search queries, click events, session duration, and crash reports.
  • Device and connection data — IP address, approximate geographic location (country / region, derived from IP), device type, operating system, browser type and version, language setting, and referring URL.
  • Cookies and similar technologies — see Section 4 below.

We do not use device fingerprinting, cross-site behavioral tracking, advertising cookies, or third-party analytics that profile individual users. If that ever changes, we will update this policy and obtain consent where required.

1.3 Information from third parties

  • Authentication providers — if you sign in with a third-party provider through Clerk (e.g., Google), we receive your name, email, and profile photo from that provider.
  • Market-data providers — Financial Modeling Prep, Finnhub, and FRED supply market data we display. They do not receive your personal data from us.

2. Why we process your data

We process personal data only where we have a lawful basis under the GDPR and UK-GDPR:

  • To run the Service — account creation, authentication, delivering features, processing payments, responding to support (performance of our contract with you).
  • To keep the Service safe and reliable — rate limits, security controls, abuse prevention, aggregated analytics, defending legal claims (our legitimate interest).
  • To comply with law — tax and accounting records, responses to law-enforcement or regulatory requests (legal obligation).
  • To send marketing emails — only if you opt in (consent, withdrawable at any time).

Where we rely on legitimate interest, we have balanced it against your rights. You can object at any time (see Section 7). We do not make solely-automated decisions that produce legal or similarly significant effects on you (GDPR Art. 22).

3. Who we share data with

We share the minimum data needed to operate the Service with these categories of recipients, all bound by data-protection agreements:

  • Authentication — Clerk (USA)
  • Payments — Stripe or equivalent (USA)
  • AI analysis — Anthropic (USA) — receives prompt content only; no account identifiers unless strictly necessary
  • Market data — Financial Modeling Prep, Finnhub (USA) — no personal data shared
  • Hosting & database — Hetzner Online GmbH (Nuremberg, Germany)
  • Email delivery — Resend / Postmark or equivalent (USA / EU)
  • Error monitoring — Sentry, if enabled (USA / EU)

US-based providers receive transfers under Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework. We do not sell your data or share it with advertisers or data brokers.

We may also disclose personal data when required by law, to our professional advisers under confidentiality, or to a buyer in a merger or asset sale (who must honor this policy).

4. Cookies and similar technologies

We use a small set of cookies and equivalent storage. We do not use advertising or cross-site tracking cookies.

Type | Purpose | Set by
Strictly necessary | Authentication, session continuity, CSRF protection | Clerk
Preference | UI preferences (e.g., dark mode), feature flags | Tessera Alpha

Strictly necessary cookies are exempt from consent requirements under EU ePrivacy rules. Preference cookies are not used for analytics or profiling. You can delete cookies in your browser settings, but doing so may prevent you from signing in.

5. International data transfers

We are based in Poland and use sub-processors in the United States, the European Economic Area, and potentially other regions. Where personal data is transferred outside the EEA / UK, we rely on appropriate safeguards, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, with supplementary measures where required;
  • the EU-US Data Privacy Framework for sub-processors certified under it.

A copy of the relevant transfer mechanism for any specific sub-processor is available on request.

6. Retention

We keep personal data only for as long as necessary for the purposes in this policy, or as required by law:

  • Account data — life of your account plus 30 days after deletion (for backup rotation and dispute handling).
  • Billing records — 7 years after the transaction, to comply with Polish tax and accounting law.
  • Legal acceptance records — 6 years after account closure, to defend potential contractual disputes.
  • Usage logs and analytics — typically 13 months, after which they are deleted or aggregated to non-identifying form.
  • Support communications — 2 years from the last interaction.
  • Marketing contact list — until you unsubscribe, plus a suppression record so we can honor your opt-out.

When retention periods expire, we delete or irreversibly anonymize the data.

7. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access — a copy of the personal data we hold about you.
  • Rectification — correction of inaccurate or incomplete data.
  • Erasure ("right to be forgotten") — deletion of your data, subject to legal retention obligations.
  • Restriction — limiting how we process your data while a question is resolved.
  • Objection — objecting to processing based on legitimate interest, including direct marketing.
  • Portability — receiving your data in a structured, commonly used, machine-readable format.
  • Withdrawal of consent — where processing is based on consent, withdrawing it at any time, without affecting the lawfulness of processing carried out before withdrawal.
  • No solely-automated decisions — we do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects on you (GDPR Art. 22).
  • Complaint — lodging a complaint with your local data-protection authority. EEA users: see edpb.europa.eu. UK users: the ICO at ico.org.uk. Polish users: the Personal Data Protection Office (UODO) at uodo.gov.pl.
  • California residents — additional rights under the CCPA / CPRA: see Section 10.

To exercise any right, email support@tesseraalpha.com. We respond within 30 days (extendable by a further 60 days for complex requests, with notice to you). We may need to verify your identity before acting.

8. Security

We implement reasonable technical and organizational measures to protect personal data, including: encryption in transit (TLS 1.2+); encryption at rest for production databases; salted password hashing handled by Clerk; access controls and least-privilege roles; audit logging; routine backups; and restricted access to production systems.

No system is perfectly secure, and we cannot guarantee absolute security. If a personal-data breach is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authority as required — generally within 72 hours of becoming aware of it.

9. Children

The Service is not directed to, and we do not knowingly collect personal data from, anyone under 18 (or the age of majority in your jurisdiction, whichever is higher). If you believe a minor has provided us with personal data, contact support@tesseraalpha.com and we will delete it.

10. California residents (CCPA / CPRA)

Categories of personal information collected (last 12 months): identifiers (name, email, IP); commercial information (subscription history); internet activity (usage, browser); approximate geolocation (from IP); professional information (if you provide it); inferences (feature preferences).

Sources: you, our sub-processors listed in Section 3, and automatic collection as described in Section 1.

Business purposes for collection: Service provision, billing, security, analytics, and legal compliance.

Sale or "sharing" of personal information: we do not sell or "share" personal information as those terms are defined under the CCPA / CPRA. We do not engage in cross-context behavioral advertising.

Your rights: to know, delete, correct, and opt out of sale / sharing (not applicable here, since we do neither). You may designate an authorized agent. We will not discriminate against you for exercising these rights. To exercise, email support@tesseraalpha.com.

11. Do Not Track

The Service does not currently respond to "Do Not Track" browser signals because we do not engage in cross-site behavioral tracking that DNT was designed to address.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email and / or in-app notification at least 14 days before they take effect. We track each user's acceptance of specific versions for legal-compliance purposes. The "Effective date" and "Version" at the top of this document indicate the current version.

13. Contact

For privacy questions, requests, or complaints:

We are established in Poland, so we are not required to appoint an EU representative under GDPR Art. 27. A UK representative under UK-GDPR Art. 27 may be appointed if and when the Service develops a material UK user base — that decision will be revisited at that time.