Version 1.2 — Effective 27 April 2026
TOVE is provided by J-Hoo Ab. For data protection inquiries contact: [e-post skyddad]. The data controller's address is included in the footer of every transactional email.
We collect: email address and password (via Supabase Auth); investor preferences (markets, risk level, time horizon); AI-generated briefs and scenarios linked to your account; subscription and payment data (via Stripe — we never store card numbers); optional: your own AI API keys (stored encrypted with AES-256).
We process your data on the basis of contract performance (to provide the service you signed up for) and your explicit consent given at registration. You may withdraw consent at any time by deleting your account.
We use your data to: deliver personalized daily briefs; process subscription payments; send transactional emails (brief delivery, account confirmations); improve the service. We do not sell your data to third parties.
We use the following sub-processors: Supabase (database hosting, EU region); Stripe (payment processing); OpenAI / Google Gemini / Groq (AI generation — queries may be sent to these services); Resend (transactional email); Vercel (hosting and infrastructure). Each processor is bound by a data processing agreement.
We retain your data for as long as your account is active. Upon account deletion, personal data is erased within 30 days except where retention is required by law (e.g. invoicing records for 7 years under Swedish bookkeeping law). Specific retention windows: chat conversations are automatically deleted 18 months after the last message (GDPR Art. 5(1)(e)); audit logs 90 days; cron logs 30 days; shared analyses 180 days.
Under GDPR you have the right to: access a copy of your data; correct inaccurate data; delete your data (right to erasure); restrict or object to processing; data portability. To exercise these rights, email [e-post skyddad].
We use only essential cookies: an authentication session cookie (Supabase) and a language preference cookie (NEXT_LOCALE). We do not use tracking or advertising cookies.
We use industry-standard security measures including TLS encryption in transit, encrypted storage for sensitive credentials, and row-level security policies on all database tables.
We will notify you of material changes to this policy at least 14 days in advance via email or in-app notice. Changelog: v1.2 (2026-04-27): GDPR footer with data controller (J-Hoo Ab), address, and link to this Privacy Policy now included in all transactional emails; AI-generated disclosure (EU AI Act Art. 50) clearly displayed on every AI-produced surface (briefs, deep analyses, crypto analyses, email products); 18-month auto-deletion of inactive chat conversations enabled. v1.1 (2026-04-24): added news data and AI analysis section (§12).
Data protection inquiries: [e-post skyddad].
TOVE fetches metadata daily from a selection of public RSS feeds (including SVT Ekonomi, Dagens Industri, CNBC, BBC, MarketWatch, Reuters, SCMP, CoinDesk) and official sources (ECB, Federal Reserve, Riksbank, Finansinspektionen, SEC EDGAR). No personal data is associated with this collection — we fetch only publicly published headlines, short descriptions and links. For official, public-domain documents (e.g. central bank press releases, SEC filings) we fetch full text since they are intended for free dissemination. This data is used as input for TOVE's AI analysis; we do not store original articles from copyrighted sources in our database. Metadata about which headlines were used for your personal brief may be retained for up to 48 hours in an internal audit cache for grounding/quality control, then automatically deleted. Source name and link are kept with your brief so you can always click through to the original.