Privacy Policy

1. Scope and Applicability

This Policy applies to all users of the Clavix Service located in the United States. Clavix is intended solely for individuals who are 18 years of age or older. By accessing or using the Service, you represent that you are at least 18 years old. We do not knowingly collect personal information from anyone under 18. If we learn that we have inadvertently collected such information, we will delete it promptly.

2. Information We Collect

We collect only what is necessary to provide the Service:

2.1 Information You Provide

• Account information - your email address, used for registration, authentication, and product communications.
• Portfolio holdings - investment positions you enter manually or connect through a linked brokerage account.

2.2 Information Collected Automatically

• Usage data - features accessed, session duration, and interaction patterns, used solely to improve the Service.
• Session cookies - minimal cookies required to keep you authenticated. We do not use tracking or advertising cookies.
• Log data - IP address, browser type, and timestamps, collected for security and operational purposes.

2.3 Information from Third-Party Integrations

When you connect a brokerage account, we receive account holdings and transaction data via OAuth or read-only API access. We store only an encrypted access token - never your brokerage login credentials.

3. How We Use Your Information

We use your information for the following purposes, each of which constitutes a legitimate business interest or is necessary to perform our contract with you:

• To provide and operate the Service, including delivering personalized portfolio risk analysis and daily briefings.
• To sync with brokerage accounts you have authorized.
• To send transactional and product communications to your registered email address.
• To improve the Service through analysis of aggregated, de-identified usage data.
• To detect, investigate, and prevent fraudulent transactions and other illegal activity.
• To comply with applicable legal obligations.

We do not use your portfolio data to make trading decisions for our own account.

4. How We Share Your Information

We do not sell, rent, or trade your personal information. We share your information only in the following limited circumstances:

4.1 Service Providers (Subprocessors)

We use trusted third-party vendors who process data on our behalf, under written data processing agreements that restrict their use of your data:

• Supabase - cloud database and authentication, hosted in the United States.
• Email delivery provider (e.g., Resend) - used to send transactional and product emails.
• Brokerage API provider (e.g., Plaid or Alpaca) - used to facilitate read-only connections to your brokerage accounts.

4.2 Legal Requirements

We may disclose your information if required to do so by law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Andover Digital LLC, our users, or the public.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of all or substantially all of our assets, your information may be transferred as part of that transaction. We will notify you via email or a prominent notice on the Service before your information becomes subject to a different privacy policy.

5. Data Storage and Security

All data is stored on Supabase infrastructure hosted in the United States.

• Encryption in transit: TLS
• Encryption at rest: AES-256
• Access to personal data is restricted to authorized Andover Digital personnel on a need-to-know basis.
• Brokerage credentials are never stored. We store only encrypted OAuth access tokens.

In the event of a data breach that is likely to result in risk to your rights or interests, we will notify affected users without undue delay and in accordance with applicable law. No method of electronic transmission or storage is 100% secure. While we implement commercially reasonable safeguards, we cannot guarantee absolute security.

6. Brokerage Connections

When you connect a brokerage account, your credentials are handled directly by your brokerage or a regulated API intermediary (such as Plaid or Alpaca) via OAuth or read-only API access. Clavix stores only an encrypted access token. You may disconnect your brokerage at any time through the Clavix app or through your brokerage's own account settings, which will immediately revoke our access.

7. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Service. If you request deletion of your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain it for legal, regulatory, or fraud-prevention purposes.

8. Your Rights and Choices

Regardless of your state of residence, Andover Digital LLC honors the following rights for all U.S. users:

• Access - you may request a copy of the personal information we hold about you.
• Correction - you may request that we correct inaccurate or incomplete information.
• Deletion - you may request deletion of your account and associated personal data.
• Portability - you may request your data in a structured, machine-readable format.
• Opt-out of marketing - you may unsubscribe from non-essential emails at any time via the unsubscribe link in any email or by contacting us directly.
• Withdraw brokerage access - you may revoke brokerage connections at any time as described in Section 6.

To exercise any of these rights, email us at [email protected]. We will respond within 30 days. We will not discriminate against you for exercising any of these rights.

8.1 California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA. We do not sell or share your personal information as those terms are defined under the CCPA. You have the right to know what categories of personal information we have collected, the right to delete, and the right to correct. To submit a verifiable consumer request, contact us at [email protected]. You may also designate an authorized agent to make requests on your behalf.

9. Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will promptly delete that information.

10. Cookies and Tracking Technologies

Clavix uses only session cookies strictly necessary to keep you logged in. We do not use advertising cookies, cross-site tracking cookies, or third-party analytics scripts that track you across other websites. You may disable cookies in your browser settings; however, doing so may prevent certain features of the Service from functioning.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email at the address associated with your account and/or by posting a prominent notice within the Service at least 14 days before the changes take effect. The updated "Last Updated" date will be reflected at the top of this Policy. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy.

12. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:

Andover Digital LLC - operator of Clavix
Email: [email protected]

© 2026 Andover Digital LLC. All rights reserved. This document does not constitute legal advice.