Privacy Policy
Last updated: February 23, 2026
Your holdings are yours. Your positions, your cost basis, your analytical notes — the information that reveals how you think about markets — never leaves your account. The analytical research the system produces is different: anonymized, stripped of every trace of portfolio context, it becomes part of a shared research corpus that grows with every subscriber. The depth compounds. Your privacy doesn’t. This policy explains exactly what we collect, what we share, and what stays between you and your analysis.
What we do not collect
We want to be clear about what Assay does not do, because most of what erodes trust in software happens here:
- No behavioral tracking scripts. No Google Analytics, no Mixpanel, no pixel trackers, no retargeting, no behavioral profiling of any kind.
- No advertising. No ad networks, no data brokers, no audience segmentation.
- No selling of your data to third parties for their marketing or any other purpose.
- No brokerage credentials. We never ask for access to your financial accounts.
- No browsing behavior tracking beyond standard server logs.
What we collect
Information you provide
What you provide depends on how you use the service:
- Ticker symbols: Every analysis begins with the companies you choose to examine.
- Portfolio data (Conviction subscribers): Share quantities, approximate cost basis, purchase dates, and optional notes. This enables portfolio-level analysis — how holdings interact, where concentration risk exists, which positions warrant deeper investigation.
- Account credentials: Your email address and password. Passwords are hashed using bcrypt before storage — we cannot read or reverse them.
Thesis subscribers provide ticker symbols only. Conviction subscribers provide ticker symbols plus portfolio context. Both provide account credentials. No tier requires brokerage access, account linking, or any financial credentials beyond what you type into the analysis form.
Information generated by the service
- Analysis results: The AI-generated research and synthesis outputs produced by your analysis sessions, stored so you can access them later.
- Thesis tracking data: Analytical signals extracted from your analysis results (thesis status, confidence level, key risks) used to show how your analytical picture changes across sessions.
- Session metadata: Timestamps, completion status, and stage counts for your analysis runs.
Information collected automatically
- Server logs: IP addresses, request timestamps, and request paths. Standard for any web application. Used for security monitoring and debugging.
- Authentication cookie: A single httpOnly JWT cookie that keeps you logged in. It is not accessible to JavaScript and cannot be used for tracking.
How we use your information
Your portfolio data serves one purpose: generating your analysis. It is sent to our AI provider (see Third-party services) as input for the analytical pipeline, and the results are stored so you can access them.
We do not use your portfolio holdings to train models, and we do not sell them to third parties. We look at your data only if you ask us to help debug an issue with your analysis.
Beyond generating your analysis, data from the service is used to improve the experience for all subscribers. Anonymized deep dive research is contributed to the Research Library (see below). Scan lane findings inform editorial curation — the Tracking Ledger and curated findings are shaped by what the scans surface across all runs. Aggregate patterns across analyses may inform service improvements — understanding which analytical frameworks produce the most useful findings, which pipeline stages benefit from refinement, and where the analytical architecture can deepen. None of this involves exposing individual portfolio compositions, positions, or user identity.
Research Library
Deep dive outputs — the analytical research, competitive assessments, and synthesis produced by the system — are anonymized and contributed to the Research Library, a shared corpus searchable by all subscribers.
What is shared
Analytical conclusions, thesis assessments, competitive positioning analysis, bear case findings. The research itself.
What is never shared
Your identity, your portfolio composition, your position sizes, your cost basis, your purchase history, your notes, or any data that connects an analysis to your account. An analysis in the Research Library reads identically whether the company was a core holding or a first look — because the portfolio context is removed entirely.
This is a core design decision, not a side effect. Every analysis ever run adds depth to the corpus. A subscriber searching for research on a company benefits from every prior examination of that company, regardless of who initiated it. The depth compounds across the entire subscriber base.
Third-party services
The following services process your data. No others.
Anthropic (AI analysis)
Your analysis context is sent to Anthropic’s Claude API to produce the research. This is the core of what Assay does — without it, there is no analysis.
- Anthropic retains API inputs and outputs for 7 days for trust and safety monitoring, then automatically deletes them.
- API data is not used to train Anthropic’s models. Commercial API terms explicitly prohibit this.
- Anthropic acts as a data processor; Assay is the data controller.
- Anthropic’s privacy practices: anthropic.com/privacy
Railway (hosting)
Our application, database, and job queue run on Railway’s infrastructure. Your data is stored on Railway-managed PostgreSQL and Redis instances with encryption at rest.
Resend (email)
Password reset links, account invitations, and service notifications are delivered through Resend’s email infrastructure. Resend processes your email address for delivery purposes only. Resend’s privacy practices
Stripe (payments)
Subscription billing and payment processing are handled by Stripe. We do not store your credit card number, expiration date, or CVC — Stripe processes and stores these directly. We receive only a confirmation of payment status and the last four digits of your card for display purposes. Stripe’s privacy practices
Data retention
- While your account is active: All analysis inputs, results, and session history are retained so you can access them.
- If you delete your account: Your account data — portfolio inputs, session history, thesis tracking — is permanently deleted within 30 days. Anonymized analytical outputs previously contributed to the Research Library remain, as they contain no identifying information and cannot be traced to your account.
- After cancellation: Read-only access to your analyses for 90 days. After that, your account and data are deleted per the policy above.
- Job queue data: Temporary data in the processing queue (Redis) is ephemeral and cleared after your analysis completes.
Data security
- All data transmitted over HTTPS (TLS encryption in transit).
- Database encryption at rest via Railway’s infrastructure.
- Passwords hashed with bcrypt — never stored in plain text, never reversible.
- Authentication via httpOnly JWT cookies, inaccessible to client-side JavaScript.
- No employee access to your data except for debugging at your request.
Your rights
You can:
- Access your data: Your analysis inputs and results are available to you in the application at any time.
- Delete your data: Delete your account and all associated data by contacting us. Deletion is permanent and completed within 30 days.
- Export your data: Request a complete export of your analysis inputs and results.
- Correct your data: Update the information you have provided at any time through the application.
If you are a California resident, you have additional rights under the CCPA, including the right to know what personal information we collect, the right to request deletion, and the right to non-discrimination for exercising these rights. We do not sell personal information.
Children’s privacy
Assay is not directed at anyone under 18. We do not knowingly collect information from minors. If you believe a minor has provided data to us, contact us and we will delete it.
Changes to this policy
If we make material changes to how we handle your data, we will notify you through the application before the changes take effect. We will not reduce your rights under this policy without your explicit consent.
Contact
Questions about this policy or your data? dan@assay-labs.com