Privacy Policy
Last updated: April 2026
1. Overview
FinCom ("we," "us," or "our") operates a portfolio tracking and investment community platform at www.fincom.dev (the "Service"). This policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. By using FinCom, you agree to the practices described in this policy.
2. Information We Collect
Account Information
When you create an account, we collect your email address, username, and authentication information through Clerk, our identity provider. We do not store your passwords directly. If you enable multi-factor authentication, Clerk stores your MFA configuration.
Financial Data (via Plaid)
When you link a brokerage account through Plaid, we receive and store:
- Portfolio value and total return percentage
- Individual holdings (ticker, shares, market value, cost basis, return)
- Investment transactions (buys, sells, dividends)
- Account institution name and type
- Daily portfolio and holding snapshots for historical tracking
- Tax lot information (cost basis, acquisition date) for gain/loss calculations
We do not store your bank login credentials, full account numbers, or Social Security numbers. Financial credentials are handled exclusively by Plaid and are never transmitted to FinCom. Our access is read-only — we cannot move money, place trades, or modify your accounts in any way.
Manual Financial Data
You may optionally add manual portfolio holdings (ticker, shares, cost basis) for accounts you have not linked through Plaid. Manual holdings are stored only in your private dashboard and are never displayed publicly, included in leaderboards, or shared with other users.
User Content
We store posts, comments, reactions, bookmarks, follows, and other interactions you create on the platform. If you upload images to posts, those files are stored via Uploadthing.
Direct Messages
If you use the direct messaging feature, the content of your messages is stored in our database. Messages are visible only to the participants in the conversation. You can disable direct messages in your Settings.
Trade Alerts
When your linked brokerage data is synced, we may automatically detect when you have opened, closed, increased, or decreased a position. These trade alerts are generated from your Plaid data and may be visible on your profile if you have enabled trade alert visibility in Settings.
Usage Data
We may collect basic usage information such as pages visited, features used, and browser type to improve the Service. We do not use third-party analytics or advertising trackers.
3. How We Use Your Information
- To provide and operate the Service, including displaying your verified portfolio data alongside your posts and profile
- To calculate community rankings, leaderboards, and percentile statistics
- To generate trade alerts from changes in your linked portfolio
- To aggregate anonymous community statistics such as most-held stocks and sector exposure
- To personalize your news feed based on your holdings and preferences
- To send notifications about activity on your posts (comments, reactions, follows)
- To improve the platform based on usage patterns
- To enforce our Terms of Service and prevent abuse
- To comply with legal obligations
We do not sell your personal data to third parties. We do not use your financial data for advertising purposes. We do not share your individual financial data with other users without your explicit consent via privacy settings.
4. What Is Visible to Other Users
You control what financial data other users can see through your privacy settings. By default:
- Portfolio value: Private by default
- Return percentage: Public by default (for verified badge)
- Individual positions: Private by default
- Trade alerts: Public by default (can be disabled in Settings)
- Manual holdings: Always private (never shared publicly)
- Verified badge: Always visible when accounts are linked
Your username and posts are always public. Direct messages are private to conversation participants. You can update your privacy settings at any time on the Settings page.
Aggregated, anonymous data (e.g., "50 community members hold AAPL") may be displayed publicly but is never traceable to individual users.
5. Third-Party Services
Plaid
We use Plaid to connect your brokerage accounts. When you connect an account, you are authorizing Plaid to retrieve your financial data and share it with FinCom. Plaid's collection and use of your data are governed by the Plaid End User Privacy Policy. Plaid does not share your financial credentials with us. You can review and manage your Plaid connections at my.plaid.com.
Clerk
We use Clerk for authentication and user management, including multi-factor authentication. Clerk is subject to its own Privacy Policy.
Uploadthing
Images uploaded to posts are stored via Uploadthing. Files are associated with your FinCom account and deleted when the post is removed.
Hosting & Database
The Service is hosted on Vercel. Your data is stored in a PostgreSQL database hosted by Neon. Both services use AWS infrastructure in the United States with encryption at rest and in transit.
6. Disconnecting Linked Accounts
You can disconnect a linked brokerage account at any time from the Settings page. When you disconnect:
- The Plaid connection is removed via Plaid's API
- Cached holdings, transactions, and snapshots for that account are deleted from our database
- Trade alerts generated from that account are removed
- Your verified badge is removed if no linked accounts remain
You can also manage or revoke Plaid connections directly at my.plaid.com.
7. Data Security
We implement reasonable technical and organizational measures to protect your data, including:
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest is encrypted with AES-256 (Neon database)
- Plaid access tokens are stored server-side only, never exposed to browsers
- API keys and secrets are stored as encrypted environment variables, never in source code
- Multi-factor authentication is available for all user accounts
- Administrative access to production systems requires 2FA
However, no system is completely secure, and we cannot guarantee absolute security of your information. If we discover a breach affecting your data, we will notify you within 72 hours.
8. Data Retention
We retain your account data for as long as your account is active. If you delete your account, we will delete your personal information within 30 days, including:
- All posts, comments, reactions, bookmarks, and follows
- All linked account data, Plaid tokens, cached holdings, and transactions
- All portfolio and holding snapshots
- All direct messages you sent
- All trade alerts, manual holdings, and watchlist items
Aggregated, anonymized statistics (e.g., community-level holding counts) may be retained after account deletion as they are not personally identifiable.
9. Your Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of the data we hold about you
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Request your data in a machine-readable format
- Opt-out: Opt out of non-essential data processing
- Restrict processing: Request that we limit how we use your data
To exercise any of these rights, contact us at jason.haft@gmail.com. We will respond to requests within 30 days.
10. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to know: You may request the categories and specific pieces of personal information we have collected about you.
- Right to delete: You may request that we delete your personal information, subject to certain exceptions.
- Right to opt-out of sale: We do not sell your personal information. No opt-out is necessary.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To submit a CCPA request, contact us at jason.haft@gmail.com.
11. Cookies & Tracking
We use cookies and similar technologies for authentication and session management. We do not use tracking cookies for advertising or retargeting. We do not use third-party analytics platforms that track users across websites.
Do Not Track: We honor Do Not Track (DNT) browser signals. When DNT is enabled, we do not engage in any cross-site tracking. Since we do not use third-party advertising trackers, our behavior is the same regardless of DNT settings.
You can control cookies through your browser settings, though disabling them may affect the functionality of the Service.
12. Data Location & International Transfers
FinCom's servers, database, and infrastructure are located in the United States. If you access the Service from outside the United States, your data will be transferred to and processed in the United States. By using the Service, you consent to this transfer.
13. Children's Privacy
FinCom is not directed at children under 18. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with their information, please contact us and we will delete it promptly.
14. Changes to This Policy
We may update this Privacy Policy periodically. We will notify users of significant changes via email or an in-app notice at least 30 days before the changes take effect. The "Last updated" date at the top of this page will be revised accordingly. Continued use of the Service after changes take effect constitutes acceptance of the updated policy.
15. Contact
For privacy-related questions, data access requests, or concerns, contact us at:
Jason Haft
FinCom
jason.haft@gmail.com