Privacy Policy

Effective date: February 25, 2026

1. Who we are

Dawo ("we", "us", or "our") is an AI-powered investment analysis platform. This Privacy Policy explains how we collect, use, store, and share information about you when you use Dawo.

For privacy questions, contact us at contact@dawo.ai.

2. Information we collect

Account information

When you create an account we collect your email address and, if you sign in through a third-party provider (Google or Apple), a profile identifier from that provider. We do not store your password — authentication is managed by Supabase.

Portfolio data

We store portfolio data you provide: position snapshots (ticker, quantity, average cost, market value), transaction lots (symbol, action, quantity, price, date), and any CSV files you upload. This data is scoped to your user account and never shared with other users.

Broker connection data

If you connect a brokerage account via Plaid or Schwab OAuth, we store encrypted OAuth access and refresh tokens, account identifiers, institution names, and synced positions and transactions. Tokens are encrypted at rest using AES-128-CBC (Fernet). We do not store your broker login credentials.

Usage and log data

We collect standard server logs including IP addresses, request paths, HTTP status codes, and timestamps. These are used for security monitoring, debugging, and abuse prevention. Logs are retained for 30 days.

3. Legal basis for processing (GDPR)

We process your data under the following legal bases as defined by Article 6 of the GDPR:

  • Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Dawo service you signed up for, including portfolio analysis, AI chat, and strategy recommendations.
  • Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, and service improvement through anonymized usage analytics.
  • Consent (Art. 6(1)(a)) — Marketing communications, optional data sharing, and any processing beyond core service delivery.

International data transfers

Your data may be transferred to and processed in the United States by our sub-processors (Supabase, Neon, OpenAI, Anthropic). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under UK GDPR.

4. How we use your information

  • Provide the service — display your portfolio, compute performance metrics, and generate AI-powered analysis.
  • Sync broker data — fetch positions and transactions from connected brokers on your behalf.
  • Improve accuracy — use aggregate, anonymized usage patterns to improve screener models and AI prompts. We do not train AI models on your personal portfolio data.
  • Security — detect and prevent unauthorized access or abuse.
  • Communication — send transactional emails (password reset, email confirmation) via Supabase. We do not send marketing email without your explicit consent.

4. Third-party services

We rely on the following sub-processors to operate the service:

| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication & user management | Email, auth tokens |
| Neon (Postgres) | Database hosting | All structured data |
| Fly.io | Application hosting | Request traffic, logs |
| Plaid | Broker account linking | OAuth tokens, account IDs |
| Schwab | Direct broker OAuth | OAuth tokens, account IDs |
| OpenAI | AI analysis & summaries | Anonymized market data, portfolio metrics — not PII |
| Anthropic (Claude) | AI analysis, chat, & portfolio strategy | Anonymized portfolio metrics, market data — not PII |

Each sub-processor is bound by its own privacy policy and data processing agreements.

5. Data sharing

We do not sell, rent, or trade your personal information. We share data only as described in Section 4 (sub-processors), or when required by law (e.g., valid court order or regulatory request), or to protect the rights and safety of our users and the public.

6. Data retention

  • Account data: retained until you delete your account.
  • Portfolio positions and lots: retained until you delete them or your account.
  • Broker connections and tokens: deleted when you disconnect the broker or delete your account.
  • Server logs: 30 days.
  • Deleted accounts: residual data purged within 30 days of account deletion.

7. Security

We apply industry-standard security measures including TLS in transit, encrypted storage for OAuth tokens, bcrypt-hashed credentials at the auth provider level, and strict user-scoped data access at the database layer. No internet transmission is 100% secure; we cannot guarantee absolute security.

8. Your rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data (right to erasure)
  • Object to or restrict certain processing
  • Data portability (receive your data in a machine-readable format)

To exercise any of these rights, email us at contact@dawo.ai. We will respond within 30 days.

9. Cookies and local storage

Dawo uses browser local storage to cache your authentication session token (managed by Supabase). We do not use third-party advertising cookies or tracking pixels.

10. Children

Dawo is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.

11. Changes to this policy

We may update this Privacy Policy. When we do, we will update the effective date at the top and, for material changes, notify you by email or in-app notice. Continued use of Dawo after changes constitutes acceptance.

12. Contact

Questions or requests: contact@dawo.ai