Privacy Policy
Effective date: May 4, 2026
1. Who we are
Dawo ("we", "us", or "our") is an AI-powered investment analysis platform. This Privacy Policy explains how we collect, use, store, and share information about you when you use Dawo.
For privacy questions, contact us at contact@dawo.ai.
2. Information we collect
Account information
When you create an account we collect your email address and, if you sign in through a third-party provider (Google or Apple), a profile identifier from that provider. We do not store your password — authentication is managed by Supabase.
Portfolio data
We store portfolio data you provide: position snapshots (ticker, quantity, average cost, market value), transaction lots (symbol, action, quantity, price, date), and any CSV files you upload. This data is scoped to your user account and never shared with other users.
Broker connection data
If you connect a brokerage account via Plaid or Schwab OAuth, we store encrypted OAuth access and refresh tokens, account identifiers, institution names, and synced positions and transactions. Tokens are encrypted at rest with Fernet (AES-128-CBC with an HMAC-SHA256 authentication tag), so a stored token cannot be read or tampered with without the encryption key. We do not store your broker login credentials.
Usage and log data
We collect standard server logs including IP addresses, request paths, HTTP status codes, and timestamps. These are used for security monitoring, debugging, and abuse prevention. Logs are retained for 30 days.
3. Legal basis for processing (GDPR)
We process your data under the following legal bases as defined by Article 6 of the GDPR:
- Contract performance (Art. 6(1)(b)) — Processing necessary to provide the Dawo service you signed up for, including portfolio analysis, AI chat, and strategy recommendations.
- Legitimate interest (Art. 6(1)(f)) — Security monitoring, fraud prevention, service improvement through anonymized usage analytics.
- Consent (Art. 6(1)(a)) — Marketing communications, optional data sharing, and any processing beyond core service delivery.
International data transfers
Your data may be transferred to and processed in the United States by our sub-processors (including Supabase, Neon, OpenAI, and Anthropic; the full list is in the sub-processor table below). These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, or equivalent safeguards under UK GDPR.
4. How we use your information
- Provide the service — display your portfolio, compute performance metrics, and generate AI-powered analysis.
- Sync broker data — fetch positions and transactions from connected brokers on your behalf.
- Improve accuracy — use aggregate, anonymized usage patterns to improve screener models and AI prompts. We do not train AI models on your personal portfolio data.
- Security — detect and prevent unauthorized access or abuse.
- Communication — send transactional emails: authentication emails (password reset, email confirmation) via Supabase, and account emails (welcome, trial, reminders) via Resend. We do not send marketing email without your explicit consent.
5. Third-party services (sub-processors)
We rely on the following sub-processors to operate the service:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Authentication & user management | Email, auth tokens |
| Neon (Postgres) | Database hosting | All structured data |
| Fly.io | Application hosting | Request traffic, logs |
| Vercel | Frontend hosting + edge | Request traffic, IP |
| Resend | Transactional email (welcome, trial, reminders) | Email address, email content |
| Sentry | Error monitoring | Stack traces, request context (PII fields scrubbed) |
| PostHog | Product analytics | Anonymized events, user_id (only after consent) |
| Stripe | Subscription billing & wallet top-ups | Stripe customer/subscription IDs (no card data stored) |
| SnapTrade | Brokerage account linking | Encrypted OAuth tokens, broker account IDs |
| OpenAI | AI analysis & chat (fallback when Claude unavailable) | Your questions, portfolio symbols, and analysis context. We do not send your email or auth tokens. OpenAI retains prompts for up to 30 days for abuse monitoring per their DPA. |
| Anthropic (Claude) | AI analysis, chat, & portfolio strategy (primary) | Your questions, portfolio symbols, holdings context, thesis text. We do not send your email or auth tokens. Anthropic retains prompts for up to 30 days for abuse monitoring per their DPA. |
| FMP / Polygon / Finnhub / SEC EDGAR / API Ninjas | Market data + filings | Stock symbols only — no user identifiers |
Each sub-processor is bound by its own privacy policy and by a data processing agreement with us. Note on AI providers: when you ask Dawo a question or run analysis on a holding, the question text and portfolio context (symbols, holdings, analysis history) are sent to Anthropic and/or OpenAI to generate a response. We do not transmit your email, auth tokens, or payment information to AI providers. Both providers contractually limit retention to abuse-monitoring windows (typically 30 days).
6. Data sharing
We do not sell, rent, or trade your personal information. We share data only as described in Section 5 (third-party services), when required by law (e.g., a valid court order or regulatory request), or to protect the rights and safety of our users and the public.
7. Data retention
- Account data: retained until you delete your account.
- Portfolio positions and lots: retained until you delete them or your account.
- Broker connections and tokens: deleted when you disconnect the broker or delete your account.
- Server logs: 30 days.
- Deleted accounts: residual data purged within 30 days of account deletion.
8. Security
We apply industry-standard security measures: TLS for all data in transit, authenticated encryption (Fernet) for stored broker OAuth tokens, bcrypt password hashing at the auth provider (Supabase), and database access scoped to the requesting user's account. No internet transmission or storage system is completely secure, and we cannot guarantee absolute security.
9. Your rights
Depending on your jurisdiction, you may have the right to:
- Access the personal data we hold about you
- Request correction of inaccurate data
- Request deletion of your data (right to erasure)
- Object to or restrict certain processing
- Data portability (receive your data in a machine-readable format)
To exercise any of these rights, email us at contact@dawo.ai. We will respond within 30 days of receiving your request.
10. Cookies, local storage, and analytics
Strictly necessary (always on): Dawo uses browser local storage to cache your authentication session token (managed by Supabase). We do not set third-party advertising cookies or tracking pixels.
Analytics (consent required in EU/UK): we use PostHog for product analytics (which pages you visit, which features you use) and Sentry for error monitoring. In the EU and UK, these only run after you grant consent via the cookie banner; elsewhere they are enabled by default. You can change your choice at any time from the “Cookie preferences” link in the footer.
PostHog and Sentry are configured to scrub personally identifying fields (email, auth tokens, broker IDs) before transmission.
11. Children
Dawo is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us data, contact us and we will delete it promptly.
12. Changes to this policy
We may update this Privacy Policy. When we do, we will update the effective date at the top and, for material changes, notify you by email or in-app notice. Continued use of Dawo after changes take effect constitutes acceptance.
13. Contact
Questions or requests: contact@dawo.ai