Privacy Policy

RoastMyPortfolio ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our portfolio analysis service.

Information We Collect

Portfolio Data

When you submit your portfolio for analysis, we temporarily store:

• Investment holdings (ticker symbols, quantities, percentages)
• Generated roast analysis content
• Unique roast identifier (UUID)

Data Retention: Portfolio data is stored in Cloudflare KV storage with a 24-hour TTL (time-to-live) and is automatically deleted after this period.

Newsletter Data

When you subscribe to our COT (Commitments of Traders) newsletter, we collect:

• Email address

Legal Basis: Consent (opt-in). You actively subscribe by entering your email address.

Data Retention: Your email address is retained until you unsubscribe. You can unsubscribe at any time via the link in every newsletter or by contacting us.

Payment Information

Payment processing is handled by LemonSqueezy as our Merchant of Record. We do not store your credit card information. LemonSqueezy collects:

• Payment card details
• Billing address (required for VAT/sales tax calculation)
• Country and postal code (for tax compliance)
• Email address
• Transaction metadata

Please review LemonSqueezy's Privacy Policy for details on how they handle your payment data.

Technical Data

We automatically collect certain technical information:

• Browser type and version
• IP address (anonymized)
• Geolocation data (country-level for dynamic pricing)
• Access times and pages visited

How We Use Your Information

We use the collected information to:

• Provide our service: Generate AI-powered portfolio analysis
• Process payments: Handle transactions securely via LemonSqueezy
• Analyze traffic sources: Understand where visitors come from (with your consent via Google Analytics)
• Improve our service: Analyze usage patterns and optimize performance
• Comply with legal obligations: Meet regulatory requirements (GDPR, tax laws)
• Prevent fraud: Detect and prevent fraudulent transactions
• Deliver newsletter: Send weekly COT market analysis to subscribers (with consent)

Newsletter & Email Communications

We offer a weekly COT (Commitments of Traders) newsletter providing AI-generated market analysis. Subscribing is entirely optional and requires your explicit consent.

What We Collect

• Email address: The only personal data collected for the newsletter

How We Use It

• Deliver the weekly COT market analysis newsletter
• Send service-related updates about the newsletter (e.g., schedule changes)

We do not use your newsletter email for marketing other products, and we never share your email with third parties for their own marketing purposes.

Email Analytics

Our email service provider (Brevo) collects aggregated delivery metrics such as email open rates and link clicks. This data is used solely to monitor delivery quality and improve our newsletter — it is not used for individual profiling or targeted advertising.

You can limit this tracking by configuring your email client to block remote images or by using a privacy-focused email provider.

How to Unsubscribe

• Click the unsubscribe link included in every newsletter email
• Contact us at support@roastmyportfolio.com

Upon unsubscribing, your email address is removed from our mailing list. Processing may take up to 48 hours.

Data Sharing and Third Parties

We share data only with essential service providers:

• LemonSqueezy: Payment processing as Merchant of Record (PCI DSS compliant)
  • Handles all payment transactions, tax collection, and refunds
  • Processes billing information and payment card details
  • Data processing locations: EU and US (LemonSqueezy servers)
  • Privacy policy: LemonSqueezy Privacy Policy
• Cloudflare: Infrastructure, KV storage, and CDN services
• Grok AI (xAI): AI-powered portfolio analysis
  • Data sent: Investment symbols, quantities, and portfolio structure only
  • Data NOT sent: Your name, email, payment information, or any personal identifiers
  • Processing location: United States (xAI servers)
  • Retention: Not retained by xAI after analysis completion
  • Purpose: Generate portfolio critique and analysis
• Google Analytics: Website traffic analysis (only with your explicit consent. IP addresses are anonymized.)
• Brevo: Email delivery for our COT newsletter
  • Data sent: Email address only
  • Purpose: Deliver weekly newsletter emails
  • Data processing location: EU (Brevo servers)
  • Data Processing Agreement (DPA) in place per GDPR Article 28
  • Privacy policy: Brevo Privacy Policy

Cookies and Tracking

We use cookies and browser storage to provide our service. We use Klaro, a privacy-friendly consent manager, to give you control over cookie preferences.

Types of Cookies We Use

• Essential Cookies (Required):
  • Cloudflare cookies: Security, DDoS protection, and performance
  • Session storage: Temporary roast data during your session
• Payment Cookies (Optional, enabled by default):
  • LemonSqueezy cookies: Required only when you choose to purchase a roast
• Analytics Cookies (Optional, disabled by default):
  • Google Analytics: Tracks traffic sources and website usage (opt-in required)

We do not use advertising cookies or cross-site tracking. All analytics cookies require your explicit consent.

Google Analytics

We use Google Analytics 4 (GA4) to understand where our visitors come from and how they use our website. This helps us improve our service and understand which marketing channels are most effective.

What Data is Collected

• Traffic sources: How you found us (organic search, social media, direct, referral)
• Website usage: Pages visited, time spent, navigation patterns
• Device information: Browser type, device type, screen resolution
• Geographic location: Country and city (derived from anonymized IP)
• User interactions: Clicks, scrolls, form submissions

Privacy Measures

• Opt-in consent required: Google Analytics only tracks you if you explicitly accept analytics cookies
• IP anonymization: Your IP address is anonymized before being sent to Google
• No personal data: We do not send personally identifiable information to Google Analytics
• Consent Mode V2: We use Google's latest consent framework for GDPR compliance
• Data retention: Analytics data is retained for 14 months, then automatically deleted

How to Opt-Out

You can control Google Analytics tracking in several ways:

• Cookie Settings: Decline analytics cookies in our cookie banner
• Browser Extension: Install Google Analytics Opt-out Browser Add-on
• Do Not Track: Enable "Do Not Track" in your browser settings

Data Processing Agreement

We have entered into Google's Data Processing Amendment for GDPR compliance. Your data is processed according to Google's Privacy Policy and the Google Analytics Terms of Service.

Your Rights (GDPR)

If you are in the European Economic Area (EEA), you have the following rights:

• Right to Access: Request a copy of your data
• Right to Rectification: Correct inaccurate data
• Right to Erasure: Request deletion of your data
• Right to Restriction: Limit how we use your data
• Right to Data Portability: Receive your data in a structured format
• Right to Object: Opt out of certain data processing
• Right to Withdraw Consent: Revoke consent at any time

To exercise these rights, contact us at support@roastmyportfolio.com

Data Security

We implement industry-standard security measures:

• HTTPS encryption for all data transmission
• Secure Cloudflare Workers environment
• Encrypted storage with automatic deletion (24-hour TTL)
• PCI DSS compliant payment processing via LemonSqueezy
• Regular security audits and updates

However, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security.

International Data Transfers

Your data may be processed in countries outside the EEA. We ensure adequate protection through:

• Standard Contractual Clauses (SCCs) with service providers
• Cloudflare's global compliance framework
• LemonSqueezy's GDPR-compliant infrastructure
• Brevo's GDPR-compliant infrastructure (EU-based processing, DPA in place)

Children's Privacy

Our service is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent changes. Continued use of our service after changes constitutes acceptance of the updated policy.