Privacy Policy

Last updated: March 5, 2026

Investly (“we”, “us”, or “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our portfolio tracking service.

01

Information We Collect

We collect the following types of information:

  • Account Credentials — Your email address when you create an account. Your password is transmitted securely and processed exclusively by Supabase Auth; it is hashed before storage and is never accessible to Investly.
  • Portfolio Data — Transaction records, holdings, and cash balances you enter into the platform.

02

How We Use Your Information

  • To provide and maintain the portfolio tracking service.
  • To authenticate your identity and secure your account.
  • To deliver real-time market data and price alerts.

04

Data Storage & Security

Your data is stored securely using Supabase, which provides:

  • Row-Level Security (RLS) — Database policies ensure users can only access their own data.
  • Encryption at rest — All data is encrypted on disk using AES-256.
  • Encryption in transit — All connections use TLS/SSL.
  • HTTP-only cookies — Session tokens are stored in secure, HTTP-only cookies inaccessible to client-side JavaScript.

05

Third-Party Services

We use the following third-party services:

  • Supabase — Authentication and database hosting. Supabase processes your credentials under its own Privacy Policy.
  • Colombo Stock Exchange (CSE) — Market data feed for real-time stock prices. No personal data is shared with the CSE.
  • Vercel — Application hosting. Vercel may collect server access logs (IP addresses, request paths) for operational purposes under its own Privacy Policy. These logs are not accessed or used by Investly.

06

Cookies

We use the following cookies:

  • Session cookies — Essential for authentication (managed by Supabase Auth).
  • cse_demo_guest — A temporary cookie set when you use the demo mode. It contains no personal information and expires after 24 hours.

We do not use advertising, tracking, or analytics cookies.

07

Data Retention

We retain your portfolio data for as long as your account is active. If you delete your account, all associated data (transactions, holdings, alerts, and preferences) is permanently and immediately deleted. You may request a data export before deleting your account by contacting us at hello@dinilr.com.

08

Your Rights (Including GDPR)

Depending on your location, including if you are a resident of the European Economic Area (EEA), you have specific rights regarding your personal data under the General Data Protection Regulation (GDPR):

  • Right of Access & Portability: You can access a copy of your personal data and export your portfolio data at any time.
  • Right to Rectification: You can request correction of inaccurate or incomplete information.
  • Right to Erasure (“Right to be Forgotten”): You can delete your account directly from your Settings page. We will permanently and immediately delete all associated data, including your authentication records.
  • Right to Restrict or Object to Processing: You may object to our processing of your personal data under certain conditions.

We will respond to all data subject requests within 30 days of receipt. To exercise any of the above rights, contact us at hello@dinilr.com.

09

Data Controller

The data controller responsible for your personal data is Dinil Ruvindu, operating as an individual under the laws of Sri Lanka. For any data protection inquiries, you may contact us at hello@dinilr.com.

10

Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the “Last updated” date at the top of this page. For significant changes, we will notify you by email at the address associated with your account. Continued use of the service after changes are posted constitutes your acceptance of the updated policy.

11

Contact

If you have questions about this Privacy Policy, please contact us at hello@dinilr.com.