Privacy Policy
Privacy officer
In accordance with Quebec's Law 25 (art. 8), Polaris has designated a privacy officer responsible for the protection of personal information. You can reach them at:
Privacy Officer (Responsable de la protection des renseignements personnels)
Email: privacy@polarisapp.ca
For any request regarding your data, access, rectification, or deletion rights.
Minimum age and minors
Polaris is intended for persons aged 18 or older. We do not knowingly collect any data concerning minors. If we learn that a minor has created an account, their data is immediately deleted.
Data we collect
When you use the Service, we collect:
- Account data: email address, hashed password (never stored in plain text), registration date, preferred language.
- Usage data: stocks added to your watchlists, investment notes, conviction levels, configured alerts, history of generated analyses.
- Technical data: IP address fingerprint (SHA-256 hashed, never stored in clear text) used to limit abuse, browser type, theme preference, session identifier. Rate limiting itself runs in memory, without storing your IP address.
- Billing data (for Pro/Elite subscribers): managed by Stripe under their own policy. We store no card number, only a Stripe customer ID.
- Error data (Sentry): in case of a bug, we capture the error message, call stack, and relevant URL. No personal data is intentionally transmitted.
How we use your data
- Authenticate your account and personalize your experience.
- Generate personalized analyses (macro regime applied to your watchlist, thesis wake-up, alerts).
- Calculate your usage quota (free plan) without revealing details to other users.
- Improve the Service (aggregated and anonymized usage statistics).
- Notify you of alerts or substantial changes (by email if configured).
We do not send your notes or theses to third parties. Requests to the Claude model (Anthropic) contain only the data needed for stock analysis, without your personal identifiers.
Automated decisions and profiling
In accordance with Law 25 (art. 12.1), we inform you that Polaris uses algorithms to generate:
- An opportunity score (0-100) based on public indicators (P/E, ROE, RSI, etc.);
- A synthetic verdict (Buy / Sell / Hold) calculated from the score;
- Automatic alerts (thesis wake-up) based on thresholds you configured.
These decisions produce no legal effect for you and are not used to evaluate personal aspects (credit, employment, etc.). You can always:
- Know which factors influence a score (clicking on each indicator displays its detail);
- Disable any automatic alert at any time;
- Obtain a detailed explanation by writing to privacy@polarisapp.ca.
Hosting and subprocessors
Your data is processed by the following subprocessors:
- Supabase — PostgreSQL database, authentication, storage of watchlists, alerts, position notes, encrypted broker tokens (AES-256-GCM) and all user data. Hosting region: Central Canada (ca-central-1, Montreal) — all your client data is stored in Canada, in compliance with Quebec's Law 25.
- Questrade (Canada) — if you connect your Questrade account to import your portfolio. Read-only access: Polaris can read your positions and balances, never place orders or transfer funds. OAuth tokens encrypted with AES-256-GCM, revocable anytime from /portefeuille or directly in Questrade.
- SnapTrade (where applicable) — a multi-broker aggregation service (e.g. Wealthsimple, Interactive Brokers, Questrade), used only if you connect a supported brokerage account. Read-only access (positions and balances, never orders or transfers), tokens encrypted with AES-256-GCM, revocable anytime from /portefeuille.
- Vercel (USA, US-East region) — web application hosting and server function execution. Client data only in transit (TLS 1.3), no persistent storage.
- Stripe (USA, Ireland) — payment processing and billing.
- Anthropic (USA) — Claude AI models for analysis generation.
- Sentry (USA) — application error monitoring.
- Resend (USA) — transactional emails (alerts, confirmations).
- Twelve Data, Polygon.io, Finnhub, FMP (Financial Modeling Prep), CoinGecko, FRED, Bank of Canada, multpl.com — financial and market data sources (anonymous requests only — prices, indices, rates, etc.; no personal data about you is transmitted).
International transfers
Several of our subprocessors that handle information about you (Anthropic, Vercel, Sentry, Stripe) are located in the United States. Our financial data providers (Twelve Data, Polygon.io, Finnhub, FMP, CoinGecko, FRED) are also US-based, but receive only anonymous requests (no personal data). In accordance with Law 25 (art. 17), we inform you that your data may be processed outside Quebec. We have evaluated that:
- These subprocessors offer adequate protection of personal information, aligned with Quebec and Canadian standards (PIPEDA);
- Data Processing Agreements (DPAs) are in place with each subprocessor limiting the use of your data solely to Service purposes;
- You can object to these transfers by deleting your account (AI features in particular are not available without transfer to Anthropic).
Your rights
Under Quebec's Law 25 and GDPR, you have the right to:
- access your data;
- correct or complete it;
- request its deletion ("right to be forgotten");
- request portability in a readable format;
- object to processing or withdraw consent;
- file a complaint with the Quebec Access to Information Commission (CAI).
To exercise these rights, write to us at privacy@polarisapp.ca. We respond within 30 days. Deleting your account entails the immediate and irreversible deletion of all your notes, alerts, watchlists and history.
Breach notification
In accordance with Law 25 (art. 3.5), in case of a confidentiality incident presenting a serious risk of harm, we commit to:
- Notify the Quebec Access to Information Commission within 72 hours;
- Notify you directly by email as soon as possible, with a description of the incident, the data affected, and the measures taken;
- Maintain an internal incident register (Law 25 art. 3.8).
Data retention
Your account data is kept as long as your account is active. You can delete your account at any time from your account settings.
Deleting your account immediately erases your personal data (notes, alerts, watchlists, portfolio), except for information subject to a legal retention obligation (e.g., billing data kept 7 years by our payment processor, per applicable accounting and legal requirements).
Cookies
We use strictly necessary cookies:
- Supabase session cookie to keep you signed in.
- Theme preference cookie (light / dark / auto) — stored in localStorage, never sent to the server.
- Language preference (FR / EN) — determined by the URL path (/fr, /en) via next-intl.
- No advertising cookies, no external tracking (no Google Analytics, Facebook Pixel, etc.).
Changes to this policy
This policy may evolve. Substantial changes will be notified by email or through the application at least 30 days before they take effect. Your continued use of the Service after notification constitutes acceptance of the changes.