Compliance Overview

1. DATA PROTECTION AND PRIVACY

We handle personal information in line with applicable data protection laws, including the EU and UK General Data Protection Regulation (GDPR), the California Consumer Privacy Act as amended by the CPRA, and other US state privacy laws. Full details of what we collect and why are in our Privacy Policy at https://theoinvest.app/privacy.

We minimize what we collect, we do not sell personal information, and we do not use your content to train AI models.

2. SECURITY MEASURES

We apply technical and organizational measures designed to protect your data, including:

• Encryption in transit using TLS for all connections to the Services.
• Encryption at rest for your AI provider keys using AES-256-GCM with a key derived via HKDF-SHA256.
• Provider keys are decrypted only on the server at the moment of a request you initiate, and are never sent to your browser; only the last four characters are ever displayed back to you.
• Verified, encrypted connections to our managed database.
• Access controls and the principle of least privilege for systems that process your data.

No method of transmission or storage is completely secure, so while we work hard to protect your data, we cannot guarantee absolute security.

3. AUTHENTICATION AND ACCESS

Accounts and sign-in are handled by our authentication provider, Clerk. This supports secure session management and, where you choose, social login. You are responsible for keeping your account credentials secure.

4. HOSTING AND INFRASTRUCTURE

The Services are hosted on Northflank, including a managed PostgreSQL database, in the United States. If you access the Services from outside the United States, your data will be transferred to and processed in the United States.

5. BRING-YOUR-OWN-KEY AND NO BILLING

theoinvest is free and operates on a bring-your-own-key model. We do not process payments, and we hold no provider keys of our own for your generations — you connect your own AI provider key, and we use it only to perform the requests you initiate. One limited exception is voice transcription, which is funded by the platform.

6. SUBPROCESSORS AND AI PROVIDERS

We rely on a small set of trusted third parties to operate the Services. AI providers only receive your data when you connect that provider's key.

• Clerk — Authentication and user account management. https://clerk.com/legal/privacy
• Northflank — Application hosting and managed PostgreSQL database. https://northflank.com
• Theo (hitheo.ai) — AI model generation when you connect a Theo key, and platform-funded voice transcription. https://www.hitheo.ai
• Anthropic — AI model generation when you connect an Anthropic (Claude) key. https://www.anthropic.com/legal/privacy
• Google — AI model generation when you connect a Google (Gemini) key. https://policies.google.com/privacy
• OpenAI — AI model generation when you connect an OpenAI (GPT) key. https://openai.com/policies/privacy-policy

7. YOUR RIGHTS AND HOW TO EXERCISE THEM

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, and to withdraw consent. You can manage much of your information directly in your account settings, or you can exercise your rights by emailing us at hello@theovex.com. We will respond in accordance with applicable law and will not discriminate against you for exercising your rights.

8. AGE REQUIREMENT

The Services are intended for users who are at least 18 years old. We do not knowingly collect personal information from children under 18.

9. SCOPE AND LIMITATIONS

The Services are a general-purpose financial modeling tool. They are not designed or certified for regulated data or regulated activities, and are not intended to comply with frameworks such as HIPAA, GLBA, or FISMA. You should not submit data that is subject to those frameworks.

Outputs are AI-generated estimates and do not constitute financial, investment, legal, tax, or accounting advice. You are responsible for reviewing and validating all output before relying on it.

10. INCIDENT RESPONSE

We maintain practices to detect, investigate, and respond to security incidents. In the event of a data breach that affects your personal information, we will notify affected users and the relevant authorities as required by applicable law. If you believe you have found a security vulnerability, please contact us at hello@theovex.com.

11. RELATED DOCUMENTS

For full details, please review our Privacy Policy (https://theoinvest.app/privacy), Terms & Conditions (https://theoinvest.app/terms), and End User License Agreement (https://theoinvest.app/eula). Questions? Email us at hello@theovex.com.