1. Data controller
Arithmos is the controller of personal data processed through arithmos.xyz. The fastest way to reach us is via the contact form; for data-protection matters specifically you can also email privacy@arithmos.xyz. We do not currently appoint a Data Protection Officer (we are not required to under UK GDPR Art. 37); the contact above reaches the team responsible for privacy.
2. What we collect
- Account data: name, email address, hashed password, profile bio, social link, avatar image (if you upload one), the timestamp at which you accepted these terms, and any settings you configure (including your cookie preferences and marketing opt-in).
- Generated content: the prompts you submit, the indexes generated from them, your saves, comments, likes and reshares.
- Billing data: a Stripe customer reference if you subscribe; we do not store full card numbers.
- Product analytics: page views, button clicks and error events captured via PostHog. Analytics cookies are only set after you opt in via the consent banner. Analytics traffic is proxied through our own domain so it is not blocked by ad-blockers.
- Server logs: request URL, timestamp, IP address and user-agent for security and debugging. Retained 30 days.
- Live-chat: if you open the support widget, the text of your messages plus (only with your consent) the IP address and user-agent of the device you typed from. Conversations are relayed to an internal Slack channel for response handling.
3. Why we use it & legal basis
We rely on the following lawful bases under UK GDPR Art. 6:
- Contract: providing and operating the service you subscribed to.
- Legitimate interest: keeping the platform secure and preventing abuse; sending service notifications you can unsubscribe from; running first-party analytics on users who have opted in.
- Legal obligation: processing payments and meeting our tax and accounting obligations (UK Companies Act, HMRC).
- Consent: placing non-essential cookies, sending marketing email, processing live-chat IP/user-agent. You can withdraw consent at any time from /settings/privacy.
5. International data transfers
Several of the vendors listed above are based outside the UK and EEA, primarily in the United States. Where we transfer personal data to those vendors we rely on:
- the UK Information Commissioner’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs) with the UK Addendum;
- the UK Extension to the EU-US Data Privacy Framework for transfers to certified US recipients; and
- supplementary technical measures including encryption in transit and at rest.
A copy of the SCCs / IDTA covering a specific transfer is available on request via the contact form.
6. Retention
Account data is retained while your account is active and for up to 12 months after deletion to handle disputes and meet legal obligations. Server logs are retained for 30 days. Billing records are retained for seven years (UK Companies Act / HMRC). Marketing opt-in records are retained for as long as we hold the underlying email address so we can demonstrate consent.
7. Automated decision-making & AI
Arithmos uses our in-house portfolio-construction agent and other automated systems to translate your prompts into rule-based equity baskets and to generate supporting rationale. These outputs are research outputs only — they do not produce legal effects or significant decisions about you within the meaning of UK GDPR Art. 22 (no credit scoring, no eligibility decisions, no automated profiling of you as an individual). You can object to or restrict this processing using the rights below; doing so will prevent us from generating indices for you.
8. Your rights (UK / EEA)
Under UK GDPR you can request access to (Art. 15), correction of (Art. 16) or deletion of (Art. 17) your personal data; restrict (Art. 18) or object (Art. 21) to processing; withdraw consent (Art. 7); and request portability (Art. 20) of your account data.
Most rights are self-serve from /settings/privacy — including downloading a full machine-readable export of your data and deleting your account. For anything we can’t surface as a button, contact us via the contact form or privacy@arithmos.xyz. You can lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk) or the equivalent supervisory authority in your country.
9. California residents (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act and California Privacy Rights Act give you the right to know what personal information we collect, the right to delete it, the right to correct inaccurate information, and the right to opt out of any sale or sharing of personal information. Arithmos does not sell or share personal information for cross-context behavioural advertising. You can exercise CCPA rights using the same self-serve flow at /settings/privacy or by emailing privacy@arithmos.xyz; we will not discriminate against you for exercising them.
11. Children
Arithmos is not directed at children. You must be 18 or older to use the service. We do not knowingly collect personal data from anyone under 18; if you believe a child has provided us with personal data, please contact us and we will delete it. Under UK GDPR Art. 8 the minimum age for consent to information society services is 13, but Arithmos’ own minimum-age requirement is higher.
12. Changes
We may update this policy. Material changes will be notified by email or in-product banner before they take effect.