Privacy Policy

1. What We Collect

Account information: Email address and encrypted password hash when you register. We do not collect your name, phone number, or any personal details beyond email.

Billing information: Stripe processes all payment information. ValixData never sees, stores, or handles your credit card number. We store only your Stripe customer ID, subscription status, and plan tier.

Usage data: We count (but do not read) how many AI queries, data requests, and news requests you make per day. This is used only for rate limiting and plan enforcement. We store counts, not content.

Terminal selections: Which of the 130 sector terminals you have chosen for your plan. This is stored to show you the correct terminals when you log in.

Log data: Standard server logs including IP address, browser type, pages visited, and timestamps. We retain these for 30 days for security monitoring and then delete them.

2. What We Do NOT Collect

• The content of your ARIA queries or intelligence searches
• The content of your Morning Brief responses that ARIA generates for you
• The specific actions or recommendations ARIA generates for you
• Your investment portfolio, financial data, or trading history
• Any biometric data, location data, or device identifiers beyond standard server logs

3. Zero Data Retention on AI Queries

When you submit a query to ARIA, your query text is sent to the ValixData AI ARIA API to generate a response. The query is not stored in our database, not logged in our files, not retained after your response is returned, and never used to train AI models. We have no record of what you asked. This is enforced at the infrastructure level, not just policy.

4. How We Use Your Information

• Email: to deliver your account credentials, Morning Brief subscription notifications, and billing receipts. We do not send marketing emails unless you opt in.
• Stripe customer ID: to manage your subscription and allow you to access the Stripe billing portal
• Usage counts: to enforce your plan's daily limits and prevent API cost overruns
• Terminal selections: to display your chosen sector terminals when you log in
• Log data: to detect and respond to security incidents

5. Data Sharing

We share your data with exactly two third parties:

• Stripe — to process subscription payments. Subject to Stripe's Privacy Policy.
• Resend — to deliver the Morning Brief email if you subscribe. Subject to Twilio/Resend's Privacy Policy.

We do not sell your data to data brokers. We do not share your data with advertisers. We do not share your data with AI companies for training purposes. We do not share your data with any other third party except as required by law.

6. Third-Party Data Providers

ValixData fetches market data from third-party APIs including Alpha Vantage, FRED (Federal Reserve Bank of St. Louis), EIA, GNews, SEC EDGAR, BLS, and USASpending. These requests are made from our servers using API keys. Your identity is not shared with these data providers — they see our server IP address, not yours.

7. ValixData AI ARIA API

ARIA intelligence responses are generated by the ValixData AI ARIA API. When you submit a query, it is sent to our secure AI servers to generate a response. our AI provider's data handling is governed by their Privacy Policy. ValixData has selected a zero data retention configuration with ValixData AI where available, meaning your queries are not used for model training. You should review our current AI policies for the most current information.

8. Data Security

We implement the following security measures:

• All connections encrypted via TLS 1.2 or higher (HTTPS enforced)
• Passwords stored as bcrypt hashes — we cannot recover your password
• API keys stored in server-side configuration files, not in code or database
• Data directories protected from web access via .htaccess
• IP-based rate limiting to prevent brute force and DDoS attacks
• Security event logging for unauthorized access attempts
• Session tokens use 48 bytes of cryptographically secure random data

9. Data Retention

• Account data: retained while your account is active and for 12 months after cancellation, then deleted
• Server logs: 30 days, then deleted
• Usage count files: 7 days of daily counts, then deleted
• ARIA query content: never retained (see Section 3)
• Morning Brief text: stored for 24 hours to serve repeat page loads, then overwritten

10. Your Rights

Depending on your jurisdiction, you may have rights to:

• Access the personal data we hold about you
• Correct inaccurate personal data
• Delete your account and associated personal data
• Data portability (export your account data)
• Object to processing

To exercise any of these rights, email . We will respond within 30 days.

11. Cookies

We use one cookie: nd_session — a secure, httpOnly, SameSite=Lax cookie that stores your encrypted session token. This cookie is strictly necessary for login to function. It expires after 30 days of inactivity. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

12. California Privacy Rights (CCPA)

California residents have additional rights under the CCPA. We do not sell personal information as defined by CCPA. You may request to know, delete, or opt out of the sale of your personal information by contacting us at .

13. GDPR (EU/UK Users)

For users in the EU or UK, our lawful basis for processing is contract performance (to provide the services you subscribed to) and legitimate interests (security monitoring). You have the rights described in Section 10 plus the right to lodge a complaint with your supervisory authority.

14. Changes to This Policy

We may update this Privacy Policy. Material changes will be communicated by email. Continued use of the Platform after changes constitutes acceptance.

Contact

Privacy questions: