Privacy Policy

Effective

Summary

Pivot Lab is an invite-only stock research tool. We collect the minimum data needed to authenticate you and run the app: your email, a salted-and-hashed password, and the journal entries you choose to record. We do not sell your data, run ad networks, fingerprint you, or share your activity with marketing partners.

What we collect

  • Account data — your email and a one-way password hash (bcrypt-style; we cannot recover your plaintext password). Optional display name.
  • Journal entries and watchlists — everything you type into the trade journal, position sizer, or notes fields. Stored in our SQLite database alongside your user id.
  • Session cookies — an HttpOnly, Secure, SameSite cookie issued by better-auth so we can keep you signed in across requests.
  • Operational logs — request timestamps, paths, and error stacks for debugging. We do not log request bodies.

How we use it

  • Authenticate you and render the app.
  • Persist your journal entries, watchlists, and preferences so they're available the next time you sign in.
  • Detect and respond to abuse (rate limiting, audit trails on privileged actions).

We do not use your data to train models, build ad profiles, or share it with any third party for marketing.

Third-party services

The app pulls public market data and optionally calls an AI summarizer. Each call is limited to the data needed for that feature:

  • Yahoo Finance, SEC EDGAR, Finviz — ticker price and fundamental data fetches. We send the ticker symbol; they have no idea who you are.
  • Anthropic Claude — opt-in AI critique. We send the ticker symbol and the journal-entry context you explicitly select; we never send your account credentials or other users' data.

Data retention

  • Journal entries, watchlists, and account data are kept until you delete them (or your account).
  • Daily screener snapshots are kept for 90 days, then pruned.
  • Operational logs are kept for 30 days for debugging, then rotated out.

Your rights

You can:

  • Access and edit your profile from /settings.
  • Request account deletion or a data export by emailing privacy@pivotlab.app. Self-serve delete and export tooling are in progress; until they ship we'll honor the request manually within seven days.

Security

We use TLS in transit, HttpOnly Secure cookies, hashed passwords, and least-privilege database access. The full security posture is documented in the project's SECURITY.md.

Changes

If the policy changes substantively we'll update the effective date above and surface a notice the next time you sign in.

Contact

Questions, takedown requests, or data-rights requests: privacy@pivotlab.app.
