
Data Policy

Last updated: May 2026 · Questions? data@tulaiq.app

This Data Policy describes how TulaIQ stores, retains, protects, and shares your data. It supplements our Privacy Policy with specific technical and operational detail.

1. Data Retention

Your data is retained according to the following schedule:

  • Active accounts — all portfolio data, account settings, and AI conversation history are retained for as long as your account is active.
  • Account deletion — upon receiving a verified account deletion request, all personal data is permanently deleted from our primary database within 30 days.
  • Backups — encrypted database backups may retain your data for up to 90 days after deletion from the primary database, after which they are purged from all backup systems.
  • PDF uploads — processed and deleted within 60 seconds of upload. No document is retained after processing.
  • AI conversations — conversation history is stored and visible in your dashboard. It is deleted when your account is deleted.

To request account deletion, use the account settings in your dashboard or email data@tulaiq.app.

2. Third-Party Services

TulaIQ integrates with the following services. Data flows to these services only as described — no personal data is shared with market data providers.

| Service | Purpose | Data sent |
| --- | --- | --- |
| Supabase | Database, authentication, row-level security | All portfolio and account data (hosted on your behalf) |
| Anthropic | AI portfolio assistant | Portfolio summaries and your chat messages (no raw documents or PII) |
| CoinGecko | Live cryptocurrency prices | None — server-to-server price fetch only |
| EODHD | LSE and JSE stock prices | None — server-to-server price fetch only |
| Finnhub | US stock prices (NYSE, NASDAQ) | None — server-to-server price fetch only |
| Open Exchange Rates | Live currency conversion rates (ZMW, GBP, ZAR) | None — server-to-server rate fetch only |

3. Security Measures

TulaIQ applies the following technical and organisational security measures:

✓ Row-Level Security
RLS enforced on all database tables. Every query is scoped to the authenticated user's own data.
✓ Encryption at Rest
All data encrypted at rest via Supabase's managed PostgreSQL infrastructure using AES-256.
✓ Encryption in Transit
All data transmitted over TLS 1.2 or higher. No unencrypted connections are accepted.
✓ No Raw Documents
PDFs and statements are never stored. Only extracted numerical values are saved after processing.
✓ PII Discarded
Personally identifiable information extracted from documents is discarded before any data is written to the database.
✓ Server-Side API Proxy
All third-party API calls (Anthropic, market data) are made from our server. API keys are never exposed to browsers.

4. Breach Notification

In the event of a confirmed data security breach that affects your personal data, TulaIQ will:

  • Notify all affected users by email within 72 hours of confirming the breach.
  • Describe the nature of the breach, the categories of data affected, and the likely consequences.
  • Describe the measures we have taken or propose to take to address the breach and mitigate its effects.
  • Provide guidance on steps you can take to protect yourself.

Notifications will be sent to the email address associated with your account. We recommend keeping your account email up to date.

5. Data Transfers

Your data is stored on Supabase infrastructure hosted in the United States. If you are accessing TulaIQ from Zambia or another country, your data will be transferred to and processed in the US. By using TulaIQ, you consent to this transfer.

We ensure that any transfer is conducted with appropriate technical safeguards, including encrypted connections, in accordance with applicable data protection law.

6. Contact

For data-related queries, access requests, or deletion requests, contact our data team at data@tulaiq.app. We aim to respond within 14 business days.

TulaIQ · Lusaka, Zambia
