Privacy Policy

Last updated: May 6, 2026

1. What we collect

We collect the minimum data required to operate the service:

  • Email address (account identifier and security notifications)
  • Password hash (Argon2, never the plain password)
  • Encrypted wallet seed (encrypted in your browser, opaque blob to us)
  • Solana wallet public address
  • Encrypted TOTP secret if you enable 2FA
  • Active session metadata: IP address, parsed device name, last activity timestamp
  • Single-use tokens for email verification, password reset, and email change
  • Records of transactions you executed through My Invest
  • Custom investment profiles you save

We do not collect: your seed phrase in plain text, your private key, browsing history outside My Invest, or advertising cookies.

See section 8 below for the limited analytics we use to improve the product.

2. Why we collect it

Your data is used exclusively to:

  • Authenticate you and operate your account
  • Display your portfolio, transaction history, and saved profiles
  • Send transactional emails (verification, transaction confirmations, security alerts)
  • Prevent abuse (rate limiting, fraud detection)

3. How long we keep it

We keep your data for as long as your account exists. When you delete your account, we delete the associated personal data within 30 days, except for public on-chain transaction data (which My Invest cannot delete from the Solana blockchain) and any data we are legally required to retain.

4. Sub-processors

We rely on the following service providers:

  • Supabase — database hosting
  • Vercel — frontend hosting and edge network
  • Resend — transactional email delivery
  • Helius — Solana RPC and on-chain data
  • Jupiter — swap quoting and routing
  • Have I Been Pwned — password breach check (using k-anonymity, only the first 5 characters of a SHA-1 hash are sent)
  • Vercel Analytics — anonymous, cookie-less traffic metrics (page views, country, referrer)
  • Microsoft Clarity — heatmaps and anonymised session recordings, only loaded if you give consent. Inputs and sensitive content are masked by default.

We do not sell, share, or transfer your personal data to any third party for marketing, advertising, or profiling purposes.

5. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your account and associated personal data
  • Object to or request restriction of certain processing
  • Receive a copy of your data in a portable format
  • Withdraw your assets at any time without our permission

To exercise these rights, contact us at contact@my-invest.app. You can also export your wallet seed phrase and your transaction history directly from My Invest.

6. Blockchain transparency

All transactions on the Solana blockchain are public by design. Your wallet address and the transactions you broadcast can be viewed by anyone on blockchain explorers. My Invest cannot alter or hide on-chain data.

7. Security

We implement industry-standard security measures including:

  • Argon2 password hashing
  • Client-side wallet encryption (AES-256-GCM with PBKDF2, 600,000 iterations)
  • Server-side envelope encryption of sensitive data at rest
  • HTTP-only session cookies and HSTS
  • Strict Content-Security-Policy headers in production
  • Optional TOTP-based two-factor authentication, including on transaction signing
  • Rate limiting on sensitive endpoints
  • Server-side validation of transaction destinations and authorized programs
  • Email alerts on new logins, password changes, and 2FA changes

No system is 100% secure. You are responsible for keeping your password and seed phrase safe.

8. Cookies and analytics

My Invest uses strictly necessary cookies for authentication and to remember your theme preference. We do not use advertising or tracking cookies.

We use two analytics tools to improve the product:

  • Anonymous traffic metrics (Vercel Analytics): cookie-less, aggregated page views and referrers. No personal identifiers, always on.
  • Behavioural analytics (Microsoft Clarity): heatmaps and session recordings that help us see where users get stuck. Inputs, passwords and seed phrases are never recorded. Only loaded if you click Accept on the consent banner.

You can change your choice anytime by opening the preferences from your account Settings, or from the link below.

9. Changes

We may update this Privacy Policy from time to time. We will notify you of material changes via an in-app notice or by email at least 14 days before they take effect.

10. Contact

For privacy-related inquiries or to exercise your rights, please contact us at contact@my-invest.app.