Legal Information

Privacy Policy

Last updated: March 18, 2026
Zeyvest (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our portfolio tracking service.

1. Information We Collect

To provide our institutional-grade portfolio analytics, we collect limited, specifically structured data subsets:

  • Account Credentials — Your email address, which establishes your identity. We do not store or process passwords natively; all authentication payloads are encrypted via cryptographic hashing and managed securely by Supabase Auth protocols.
  • Portfolio Data Telemetry — Financial transaction records, ticker holdings, quantitative data entries, and capital assignments manually entered by the User.
  • Technical Metadata — Minimal server-side logs including localized IP routing, access timestamps, and agent profiles, solely utilized to mitigate malicious intrusion and brute-force events.

2. Utilization of Information

Zeyvest functions strictly as a data processor for your capital management operations. Information is used exclusively for the following authorized activities:

  • Executing intrinsic portfolio tracking scripts, P&L aggregation, and fee extrapolation algorithms.
  • Issuing synchronous notifications pertaining to significant platform architectural updates or security breaches.
  • Relaying localized risk-management alerts, algorithmic execution limits, and CSE market volatility indices.

We categorically prohibit the monetization, leasing, or syndication of user financial data to hedge funds, marketing entities, or third-party brokerages.

4. Cryptography & Data Sanctity

Your portfolio constructs are maintained within an aggressively shielded environment utilizing industry-grade enterprise architectures.

  • Zero-Trust Segregation (RLS) — Postgres Row-Level Security explicitly bounds session tokens to strictly verified data rows. It is mathematically impossible for adjacent users to overlap database queries.
  • Encryption At-Rest — Total persistence drives execute AES-256 standard encryption on the physical cluster tier.
  • Transport Layer Protocols — Complete end-to-end traffic flows via encrypted TLS v1.3 pipelines preventing man-in-the-middle vectoring.
  • JWT Containment — Authorization tokens run strictly via HTTP-only state mechanisms, rendering cross-site scripting (XSS) payload harvesting null.

5. Third-Party Sub-Processors

To sustain our infrastructure, we engage heavily vetted infrastructure processors. They operate under strict Data Processing Agreements (DPAs):

  • Supabase, Inc. — Core Postgres cluster allocation and OAuth. Refer to the Sub-processor Policy.
  • Vercel Inc. — Frontend edge-network delivery and edge computing logs. Refer to the Vercel Legal Framework.
  • Colombo Stock Exchange (CSE) Dependencies — We connect structurally to automated market feeds. Crucially: Zeyvest never transmits your holdings, trades, or net worth signals outward to the CSE mainframe or any connected brokers. The API pipeline is strictly unidirectional (Receive-Only).

6. Stateless Engineering (Cookies)

We abhor modern web bloat tracking. Zeyvest deploys an extremely rigorous technical cookie schema limited entirely to functional necessities:

  • Authorization Signatures — Handled exclusively by Supabase backend modules to map a user session securely to database queries.
  • Ephemeral Demo Tokens — Identifiers utilizing the cse_guest_sim namespace for non-committed simulator users (terminates dynamically within 24 hours).

Absence Statement: Zeyvest unequivocally operates with zero advertising pixels, zero third-party behavioral analytics nodes, and no cross-site tracking markers.

7. Lifecycle & Data Destruction

Capital data constitutes intellectual property. Zeyvest retains logic structures purely adjacent to active accounts. Upon issuing an account self-termination protocol via your client settings, execution is absolute. All related table rows (holdings, alerts, trade sequences) are wiped via cascading delete schemas at the database core immediately. You retain the capacity to demand an export of your raw parameters prior to erasure by contacting we@zeyvest.com.

8. User Mandates & Legal Rights

Regardless of jurisdiction, we afford all end-users granular control rights generally mapped onto strict GDPR/CCPA parity:

  • Data Extraction: Extract total raw CSV/JSON dumps of your portfolio arrays instantly.
  • Total Nullification ("Right to Erasure"): Direct command line capability inside user settings to terminate the account matrix irreversibly.
  • Information Asymmetry Correction: To object to systemic processing vectors under designated constraints.

Direct data-compliance inquiries to: we@zeyvest.com. Official queries mandate validation and hold a 30-day turnaround SLA.

9. Corporate Data Controller & Age Directives

The underlying data management node regulating pipeline privacy is Zeyvest, anchored conceptually under the corporate governance laws of the Democratic Socialist Republic of Sri Lanka.

Age Restriction Limit: Trading applications necessitate financial clarity. You must be legally of the age of majority in your jurisdiction (principally 18+ years of age) to interface with the active Zeyvest client. We willfully eradicate accounts recognized to belong to minors immediately upon detection.

10. Implementation Revisions

Systematic alterations to the handling frameworks documented herein will be visibly stamped at the head of this repository. Profound infrastructure shifts encompassing user-data interaction logic will invoke an automated dispatch sent directly to registered client profiles. Continued persistence in the platform post-revision delineates full legal acceptance.

11. Official Contact Node

For legal inquiries, architecture clarifications, or executing authorized data-rights paradigms, communicate with the designated security channel at:
we@zeyvest.com