Privacy Policy

1. WHAT INFORMATION DO WE COLLECT?

Personal information you disclose to us

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect depends on the context of your interactions with us and the Services, the choices you make, and the features you use. This may include your name, email address, username, and account authentication data, which we receive through our authentication provider when you create an account.

Provider API keys (bring-your-own-key). theoinvest is a bring-your-own-key product. When you connect an AI provider key (for example Theo, Anthropic, Google, or OpenAI), we store that key encrypted at rest using AES-256-GCM. Keys are decrypted only on our server at the moment a request you initiate is sent to the provider; only the last four characters are ever shown back to you, and your keys are never returned to your browser.

Content you create. We store the work you create in the Services, including your company profile and brief, conversation messages with Theo, any reference materials you upload (such as documents or spreadsheets), and the financial models and versions you generate. This content may contain personal or business information you choose to include.

Voice input. If you use the microphone feature, your audio is sent to our transcription provider (Theo) to convert your speech to text. This particular feature is funded by the platform rather than your own key.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

Information automatically collected

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

We do not process sensitive personal information, and we do not collect personal information from third parties.

2. HOW DO WE PROCESS YOUR INFORMATION?

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver and facilitate delivery of services to you, including generating financial models and producing Excel, CSV, and PDF artifacts on your request.
• To send you transactional and administrative information related to your account and the Services.
• To respond to your inquiries and offer support.
• To protect our Services, including monitoring and preventing fraud, abuse, and security incidents.
• To identify usage trends and to evaluate and improve our Services.
• To comply with our legal obligations.

We do not use your content to train AI models, and we do not sell your personal information.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION?

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e., legal basis) to do so under applicable law.

If you are located in the EU or UK, this section applies to you. The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. We may rely on the following: Consent (which you can withdraw at any time); Performance of a Contract, to provide you the Services you requested; Legal Obligations; and Legitimate Interests, such as keeping the Services secure and improving them.

If you are located in Canada, this section applies to you. We may process your information if you have given us specific permission (express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, and contractors who perform services for us or on our behalf and require access to such information to do that work. These include our authentication provider (Clerk) and our hosting and database provider (Northflank). We have contracts in place designed to help safeguard your personal information.

AI providers (bring-your-own-key). When you generate a model or use an AI feature, the inputs you provide (such as your brief, profile, conversation, and uploaded content) are sent to the AI provider whose key you supplied — Theo, Anthropic, Google, or OpenAI — solely to fulfill your request. Each provider processes that data under its own terms and privacy policy.

Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.

Legal Obligations. We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process.

5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?

In Short: We use only the cookies necessary to keep you signed in and keep the Services secure.

We and our authentication provider use strictly necessary cookies and similar technologies to operate the Services — for example, to maintain your session, keep your account secure, and remember your theme preference. We do not currently use advertising cookies or sell your information for cross-context behavioral advertising. Most web browsers are set to accept cookies by default; you can usually choose to remove or reject cookies, but doing so could affect certain features of the Services, including the ability to sign in.

6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?

In Short: We offer products and features powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer features powered by artificial intelligence (collectively, "AI Products"), including AI-assisted financial model generation, analysis, and document generation. We provide these AI Products through third-party AI service providers (Theo, Anthropic, Google, and OpenAI) using the key you connect. Your input and the resulting output are shared with and processed by the provider you select to enable your use of the AI Products. You must not use the AI Products in any way that violates the terms or policies of the applicable AI service provider, and you remain responsible for how you use any output.

AI-generated output, including any financial projections, is an estimate produced from the inputs you provide. It is not financial, investment, legal, tax, or accounting advice, and may contain errors. You are responsible for reviewing and validating all output before relying on it.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our authentication provider may offer you the ability to register and log in using a third-party social media account. Where you choose to do this, we will receive certain profile information about you from your social media provider, which typically includes your name and email address. We will use the information we receive only for the purposes described in this Privacy Policy. We recommend that you review the privacy policy of the social media provider to understand how they collect, use, and share your personal information.

8. HOW LONG DO WE KEEP YOUR INFORMATION?

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this Privacy Policy unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Policy, and for as long as you maintain an account with us, unless a longer retention period is required or permitted by law. When you delete your account, we deactivate or delete your account and associated content from our active databases, and your stored provider keys become unrecoverable. We may retain limited information where necessary to prevent fraud, resolve disputes, enforce our agreements, or comply with applicable legal requirements.

9. HOW DO WE KEEP YOUR INFORMATION SAFE?

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the personal information we process. These include encryption of your provider keys at rest using AES-256-GCM, encryption of data in transit using TLS, verification of our database connections, and access controls that ensure your provider keys are decrypted only on the server at the time of a request you initiate and are never sent to your browser. However, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that unauthorized third parties will never be able to defeat our security. You should only access the Services within a secure environment.

10. DO WE COLLECT INFORMATION FROM MINORS?

In Short: We do not knowingly collect data from or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction.

We do not knowingly collect, solicit data from, or market to children under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to such minor's use of the Services. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at hello@theovex.com.

11. WHAT ARE YOUR PRIVACY RIGHTS?

In Short: Depending on your state or country of residence, you may have rights that allow you greater access to and control over your personal information.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right (i) to request access and obtain a copy of your personal information; (ii) to request rectification or erasure; (iii) to restrict the processing of your personal information; (iv) if applicable, to data portability; and (v) not to be subject to automated decision-making. You can make such a request by contacting us using the contact details provided below.

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us. However, this will not affect the lawfulness of the processing before its withdrawal.

Account Information: You can review or change the information in your account or terminate your account at any time by signing in to your account settings, or by contacting us at hello@theovex.com.

12. CONTROLS FOR DO-NOT-TRACK FEATURES

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. Because we do not track our users over time and across third-party websites to provide targeted advertising, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online.

13. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?

In Short: If you are a resident of certain US states, you may have the right to request access to and receive details about the personal information we maintain about you, correct inaccuracies, get a copy of, or delete your personal information.

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the rights described above. These rights may be limited in some circumstances by applicable law. We do not sell or share personal information for cross-context behavioral advertising, and we do not process sensitive personal information for such purposes.

To exercise any of these rights, contact us at hello@theovex.com. We will consider and act upon any request in accordance with applicable data protection laws, and we will not discriminate against you for exercising your rights.

14. DO WE MAKE UPDATES TO THIS NOTICE?

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Policy from time to time. The updated version will be indicated by an updated "Last updated" date at the top of this Privacy Policy. If we make material changes, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Policy frequently to be informed of how we are protecting your information.

15. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?

If you have questions or comments about this notice, you may email us at hello@theovex.com or contact us by post at: TheoveX Inc., 3399 NW 72nd Ave Ste 228, Miami, FL 33122, United States.

16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

Based on the applicable laws of your country or state of residence, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. To request to review, update, or delete your personal information, sign in to your account settings or contact us at hello@theovex.com.