We hold your portfolio data, your investment decisions, and the reasoning behind them. That's sensitive. Here's exactly what we do with it — and what we don't.
Provenance is a subscription product. Flat fee. No commissions, no advisor relationships, no advertising. The subscription is the business model — there is no second revenue stream, and no data to sell.
Your email address and a hashed password. If you sign up via Google or another OAuth provider, we may also receive a display name — we use it to personalise the product and store nothing else from that exchange. No address, no phone number. During onboarding you can choose a name to go by; that's optional and entirely yours.
The tickers, quantities, cost basis figures, and account labels you enter. We store these to power the product. Account labels are user-defined — most people use something like "RBC TFSA" or "Fidelity IRA," and that's fine. We don't parse them, analyse them, or use them for anything except displaying your own accounts back to you. Our schema has no field for account numbers; we don't ask for them and can't store them. On CSV imports, any column you don't map to a recognised field is discarded before it reaches our database.
The full transcript of your investment committee conversations and the decision records you save. This is the core of the product — the reasoning that accumulates over time. It's stored in your account and visible only to you.
Standard server logs: timestamps, page requests, error reports. We use these to keep the product working. No third-party analytics trackers. No advertising pixels. Over time, we may also derive aggregate, de-identified insights from patterns across the platform — for example, what themes the community is researching or how investors structure their decisions. This analysis never touches individual data and nothing attributable to you is ever shared.
We use the Anthropic API to power IC sessions. When your portfolio context is sent to Anthropic for processing, it generates a response and is discarded. Anthropic does not use API calls to train its models — this is explicitly different from consumer AI products like Claude.ai. Your investment decisions are never used to train any AI model, by us or by our providers.
Your data lives in a managed database with row-level security enforced at the database layer — not just the application layer. Your data is structurally inaccessible to other users. All connections are encrypted in transit. Backups are automated and encrypted. We are an early-stage company. We've implemented the controls that matter most, and we'll tell you directly if anything changes.
Only the services required to run the product — our database and authentication provider, our hosting provider, Anthropic for AI processing, and our payment processor for billing. We don't share data for advertising. We don't sell data. Full stop.
You can request a copy of all data we hold about you, or ask us to delete your account and everything associated with it, at any time. Email [email protected]. We respond within 30 days. Deletion is permanent.
We extend the same privacy rights to all users regardless of where they're located. As we grow into new markets we'll update this policy to reflect any additional obligations — and notify you before they take effect.
If we make a material change to how we handle your data, we'll email you before it takes effect. The date above reflects the most recent revision.