Who we are
Dummyfi (“we”, “us”) is an independent educational tool for long-term investors. We are not a broker, not a financial advisor, and not affiliated with any company you can research on the platform.
What we collect
When you visit the public website (not signed in)
On the marketing landing, the Learn hub, the glossary, and these legal pages, we collect:
- Your cookie consent choice, stored only in your browser's localStorage. It never leaves your device.
- Standard server-side request information that any web server receives (IP address, user agent, timestamp). We do not use this for tracking or profiling.
We do not run third-party analytics, advertising pixels, or social-media trackers on the public pages.
When you sign in
Sign-in happens through Google. We receive from Google:
- A stable identifier (the Google sub claim)
- Your email address
- Your display name
- Your Google profile picture URL
We never see or store your Google password. We do not request additional Google permissions beyond basic profile information.
While you use the signed-in app
We store, tied to your Google identifier:
- The tickers you add to your watchlist
- The portfolio holdings you manually enter (ticker, share count, optional average cost, optional notes)
- Your in-app notification read state (which alerts you have seen)
- A daily counter of how many LLM-backed actions you have taken, used to enforce per-user fair-use limits
- Your last sign-in timestamp
We do not collect bank account information, brokerage account credentials, transaction history, social-security numbers, or any other sensitive financial identifiers. We never see your real portfolio at any broker — only what you choose to type into Dummyfi.
How we use it
- To run the app. Your watchlist, portfolio, and notification state would be useless without persistence. We use them only to render your account's view of the app.
- To verify you on each request. Every call to our backend is authenticated using a Google-issued ID token. We verify that token against Google's public keys before serving any per-user data.
- To prevent abuse. The daily LLM counter and per-ticker refresh lock keep one user from running up large API bills for everyone.
We do not sell your data. We do not share your data with advertisers. We do not build a profile of you for marketing purposes.
Third parties we rely on
Building a research tool requires market data, AI services, and hosting. We send the minimum necessary to each provider:
- Google (sign-in). Provides authentication. They see that you signed into Dummyfi. They do not see what you do once inside.
- Anthropic (Claude). Powers the AI-generated business descriptions, research summaries, and chat. We send the relevant ticker context (e.g. company filings excerpts, news headlines, score numbers) — never your name, email, watchlist, or portfolio.
- Voyage AI. Generates embeddings for SEC-filing search. Receives only the public text of those filings.
- Yahoo Finance (via the open-source yfinance library). Source of prices, fundamentals, news, analyst data, and earnings calendars. Public ticker symbols only.
- FRED (US Federal Reserve). Public macroeconomic data. No user data is sent.
- SEC EDGAR (US government). Public regulatory filings (10-K, 10-Q, Form 4). No user data is sent.
- logo.dev / DuckDuckGo / Google favicon. Used to show company logos. They receive a public domain name (e.g. apple.com).
- Railway. Hosts the application. They handle standard infrastructure logs.
How long we keep your data
- Account data (your user row, watchlist, portfolio, notifications) is kept for as long as your account exists.
- Analytical caches (cached scores, AI-generated narratives, research outputs) are scoped per ticker and per UTC day or month, and rolled over on schedule.
- Server request logs are kept by our hosting provider for a short window for operational reasons.
- If you ask us to delete your account, we delete all of the above tied to your Google identifier.
Your rights
Depending on where you live, you may have legal rights over your personal data. Wherever you live, you can ask us by email to:
- Tell you what we have stored about you
- Correct anything that is wrong
- Delete your account and all associated data
- Export your watchlist and portfolio as a file
Email privacy@dummyfi.app with your request. We will respond within 30 days.
For users in the European Economic Area, UK, or California: you also have the right to lodge a complaint with your local data protection authority if you believe we have mishandled your data.
Security
Authentication is handled by Google's OAuth flow. Your Google ID token is stored only in a secure, HTTP-only cookie set by the server — it never reaches JavaScript running in your browser, which protects it from cross-site scripting attacks. All traffic is HTTPS in production. No system is perfectly secure; we do our best with the moving parts.
Children
Dummyfi is not directed at children under 13 (or under 16 in the EEA and UK) and we do not knowingly collect data from them. If you believe we have, email privacy@dummyfi.app and we will delete it.
Changes to this policy
We may update this policy as the app evolves. When we do, we will update the effective date at the top. Material changes that affect existing users will be communicated through the app.
How to reach us
For any privacy question or request, email privacy@dummyfi.app.
