Privacy Policy
Last updated: May 2, 2026
This Privacy Policy describes how mack.ai (“the Platform”, “we”, “us”) collects, uses, and protects your information.
1. Information We Collect
Account Information
When you sign in via Google OAuth, we receive and store your email address, display name, and profile photo. We use Supabase for authentication. We do not store your Google password.
User-Generated Content
We store data you enter into the Platform, including but not limited to: portfolio positions, trades, investment theses, alpha cards, watchlist items, research notes, trading rules, vision goals, and any other content you create. This data is necessary to provide the service.
API Keys (BYOK)
If you choose to provide your own API keys, they are encrypted with AES-256-GCM before being stored in our database, so they are encrypted at rest. Keys are decrypted server-side only when making API calls on your behalf. We do not log or share your decrypted API keys.
Usage and Analytics
We log AI model usage (model name, token counts, estimated cost, feature used) for cost tracking and optimization. These logs are associated with your user account. We do not use third-party analytics or tracking services.
2. How We Use Your Information
- To provide and operate the Platform
- To display your portfolio, theses, and research data back to you
- To generate AI-powered analysis using your data as context
- To sync market data for your tracked tickers
- To track API usage and costs
3. Data Sharing
We do not sell your data. Your data may be shared with the following third parties solely to provide the service:
- Supabase — database hosting and authentication
- Vercel — application hosting
- Google (Gemini) — AI model provider. Your portfolio context may be sent to Gemini as part of AI analysis prompts. Google's data usage policies apply.
- Finnhub, FMP, Alpha Vantage, FRED, Exa — market data providers. Only ticker symbols are sent, not your personal data.
4. AI-Generated Content
When you use AI features (daily brief, ticker memo, thesis review, supply chain discovery, etc.), your portfolio data, positions, theses, and notes may be sent to AI model providers as context. This is necessary for the AI to generate relevant, personalized analysis. We recommend not entering highly sensitive personal information (SSN, bank accounts, passwords) into the Platform.
5. Data Security
We implement reasonable security measures including:
- Encrypted database connections (TLS/SSL)
- AES-256-GCM encryption for stored API keys
- Row-level data isolation (multi-tenant userId filtering)
- Authentication via Supabase with Google OAuth
- Invite-only access control
However, no system is 100% secure. We cannot guarantee absolute security of your data.
6. Data Retention
Your data is retained as long as your account is active. If you wish to delete your account and all associated data, contact us at the email below. We will delete your data within 30 days of a verified request.
7. Your Rights
You have the right to:
- Access your data (it's visible in the Platform)
- Request deletion of your data
- Remove your BYOK API keys at any time via the Settings page
- Revoke Google OAuth access from your Google account settings
8. Cookies
We use essential cookies only for authentication session management (Supabase auth tokens). We do not use advertising, tracking, or analytics cookies.
9. Changes to This Policy
We may update this Privacy Policy at any time. Continued use of the Platform after changes constitutes acceptance.
10. Contact
For privacy-related questions or data deletion requests, contact us at aytugmaydin@gmail.com.