1. OUR INTRODUCTION

1.1. Introduction

This Privacy Policy explains how Orizon Analytics LLC (“Orizon,” “Orizon Analytics,” “we,” “us,” or “our”) collects, uses, stores, protects, and shares your personal information when you access or use our website, software platform, and related services (collectively, the “Platform”).

Our goal is to ensure transparency and give you confidence in how we handle your data while also helping you understand your rights and choices under applicable privacy laws.

1.2. About Orizon Analytics

Orizon Analytics LLC is a U.S.-based software company that provides portfolio analysis and investment data insights through a cloud-based SaaS platform. Our services are designed for individual users seeking to better understand and visualize their investment holdings using personalized data analytics tools.

Our principal place of business is 30 N Gould St #49846, Sheridan, WY 82801, USA.

1.3. Scope of This Policy

This Privacy Policy applies to all users of the Orizon Platform and to all personal information we collect, whether directly from you or through third-party integrations. It covers data provided during registration, when you use the Platform, when you interact with support channels, or when you connect financial accounts. It also applies to optional services and future features disclosed herein.

This policy does not apply to third-party websites, services, or platforms that we do not own or control, even if they are accessible through our Platform (e.g., third-party APIs like Stripe, or Featurebase). Please refer to those providers’ policies for their practices.

1.4. Third-Party Services

We use select third parties to operate portions of the Platform (e.g., payment processing, support/feedback tools, and, if enabled in the future, read-only brokerage aggregation). We share only the minimum data needed for those services under written agreements that require appropriate privacy and security protections.

1.5. Acceptance of This Policy

By accessing or using the Platform, you agree to this Privacy Policy. If you do not agree, please do not use the Platform. Your continued use of the Platform after we post updates means you accept the updated policy.

2. INFORMATION WE COLLECT

We collect information to provide and improve the Platform, personalize your experience, and meet legal and contractual obligations. The types of data we collect include information you provide directly and data collected automatically when interacting with our services.

2.1. Personal Information You Provide

When you register, subscribe, or interact with the Platform, you may provide:

• First Name and Last Name (Required for account identification and communication)
• Email Address (Used for login, support, account-related communications, and notifications)
• Profile Picture (Optional)
• Time Zone (Automatically set during account setup and can be adjusted later in your account settings to support accurate portfolio reporting)
• Billing Information (When you subscribe to a paid plan, your payment details are processed securely by our third-party payment processor, Stripe. We do not store your full payment information on our servers.)

2.2. Portfolio Data

To generate analytics, you may provide or import holdings data related to your investment holdings (e.g., tickers, quantities, cost basis, and related metrics), manually or via CSV/brokerage integrations (see §3).

2.3. Connected Brokerage Accounts (Optional)

You may connect your brokerage or financial accounts using a third-party aggregation service to sync read-only investment data for analysis. This is optional and not required for core analytics. Orizon will not receive or store your brokerage login credentials.

2.4. Information Collected Automatically

We collect technical and usage data through strictly necessary cookies, system logs, and (where used) analytics cookies to keep the Platform secure and reliable and to improve features.

What we collect. Device and browser details (device type, OS, browser name/version, screen resolution), IP address (used to infer city/region for security and abuse-prevention only), cookie/session identifiers, timestamps (logins, logouts, request times), pages and features used, basic performance metrics, and error/crash logs. We do not collect precise GPS location, keystroke logs, or the contents of your communications.

Cookie types and lifetimes.

• Strictly necessary cookies (required for the Platform to work): session/authentication and CSRF tokens (expire on logout or after 24 hours of inactivity); consent-preference cookie (6 months); language/time-zone preference (12 months). These do not track you across other sites.
• Analytics cookies (to help us improve the product): a pseudonymous analytics identifier (13 months) that records page views, feature usage, and performance/error events. We do not use advertising or cross-site tracking pixels.

Service providers. Contracted hosting, logging, and analytics providers process this information on our instructions under data-protection agreements. They may not use it for their own purposes or sell/share it. See Section 5 for details.

Retention. Security/server logs are retained for 90 days for operations and incident detection. If logs relate to a security incident or legal request, we keep the relevant copies for 5 years (or longer if required by law). Aggregated product-analytics data is retained for 12 months to understand usage trends.

Your Choices. You can manage cookies in your browser (view/delete/block or set site-specific preferences). Disabling strictly necessary cookies may prevent the Platform from functioning. In the EEA/UK, we obtain your consent before setting analytics cookies, and you can withdraw that consent at any time via the cookie banner or Cookie Settings page. We do not respond to browser “Do Not Track” signals, but we honor choices made in our cookie settings and any legally required opt-outs.

3. SENSITIVE FINANCIAL INFORMATION

Orizon may process sensitive financial data solely to deliver personalized investment analytics as described below.

3.1. Third-Party Data Aggregation

We may use a contracted aggregation provider to sync read-only investment data you authorize. We do not enable trading, transfers, or account control through this integration.

3.2. Read-Only Brokerage Sync

When connected, we receive only the data needed for analytics (e.g., positions, balances, transactions). Credentials are never shared with or stored by Orizon. Authentication/tokenization occurs with the provider over encrypted channels. This integration does not enable trading, transfers, or account control. Feature availability may change.

3.3. Stripe Payment Processing and Security

Stripe collects and processes your payment details as our PCI-compliant processor. Orizon does not store your full card number or CVV. We receive limited billing metadata (e.g., subscription plan, billing address, status) to manage your account.

4. HOW WE USE YOUR INFORMATION

We use the personal and financial data to run and improve the Platform. Depending on your location, our legal bases include contract, legitimate interests, consent (where required), and legal obligations. We do not use identifiable portfolio data to train public AI models.

4.1. To Provide and Maintain the Platform

We set up and manage accounts, authenticate logins, process your inputs, and enable APIs and features. We also send essential service messages (e.g., password resets, maintenance notices).

4.2. To Personalize Your Experience

We apply your preferences (e.g., time zone, settings, usage patterns) to tailor dashboards, saved views, and formats you choose. This may include customizing dashboard views, data formatting, and user settings to match your profile.

4.3. To Deliver Portfolio Insights and Analytics

Your entered or synced investment data generates performance metrics, risk views, and allocation analyses for your use. We do not share these with other users or third parties except as described in this Policy (e.g., vetted service providers or when you ask us to).

4.4. For Billing and Subscription Management

We manage plans, invoices, receipts, and billing notices. Stripe processes payment details (see Section 3.3). We retain limited billing metadata (plan, status, billing address) to facilitate plan management and customer service.

4.5. For Customer Support and Feedback

We use your contact details and relevant context to answer questions, resolve issues, and track feedback. We may use a support/feedback platform operated by a service provider to process this information on our instructions.

4.6. Compliance and Legal Obligations

We may use your information to meet legal and contractual duties, respond to lawful requests, enforce our Terms, investigate misuse, and protect users and the Platform. Where appropriate (e.g., Regulation S-P), we also use your information to investigate security events and notify affected individuals as required by law.

4.7. For Security, Fraud Prevention, and Abuse Detection

We use logs and other telemetry to prevent unauthorized access, detect and investigate suspicious activity, and protect accounts and systems.

4.8. Improve and Test the Platform (de-identified or aggregated use)

We analyze de-identified or aggregated data to evaluate performance, develop features, and improve reliability. If a new use of identifiable data requires consent, we will seek it in advance where the law requires.

4.9. Service and Transactional Communications

We send essential account and service communications (e.g., confirmations, policy updates, and security alerts). Where consent is required, we honor your preferences.

4.10 Automated Decisions

The Platform provides analytics and insights; users decide whether to act. We do not make automated decisions that produce legal or similarly significant effects without human involvement.

5. THIRD-PARTY SERVICES AND DATA SHARING

Orizon uses select third-party service providers to operate key parts of the Platform. We share only the minimum necessary information for them to perform services on our instructions, under written agreements that require appropriate privacy, security, and incident-notification commitments. Where personal data is transferred across borders, we use legally recognized safeguards (such as Standard Contractual Clauses) as applicable.

5.1. Stripe (Payments)

We use Stripe to process subscription payments securely and manage billing. When you subscribe, your payment details are transmitted directly to Stripe. Orizon does not store your full payment card number or CVV. We may receive limited billing metadata (e.g., plan, status, billing address, and transaction identifiers) to administer your account and provide support. See Stripe’s privacy policy at stripe.com/privacy.

5.2. Featurebase (Support & Feedback)

We use Featurebase to host help content and manage support/feedback workflows. We may share your name, email, and relevant context (e.g., ticket subject, product area) so we can personalize support, communicate with you, and track feedback over time. See Featurebase’s privacy policy  at featurebase.app/privacy-policy.

5.3. Brokerage Sync (Optional)

You may connect a brokerage/financial account through a contracted aggregation provider to sync read-only investment data for analysis. Authentication and tokenization occur with the provider; Orizon does not receive or store your brokerage credentials. This integration is optional, may change over time, and does not enable trading, transfers, or account control through the Platform.

5.4. No Sale or Sharing of Data for Advertising

We do not sell personal information and do not share it for cross-context behavioral advertising. We also do not deploy third-party advertising pixels on the Platform. If our practices change, we will update this Policy and provide any required opt-out mechanism in advance.

We may use a service provider to send transactional or, where permitted, marketing emails on our behalf; they act under our instructions and do not use your information for their own purposes.

5.5. Conditions for Legal Disclosure

We may disclose your personal information when  required by law or legal process; to respond to lawful requests from regulators or law enforcement; to enforce our Terms; or to protect the rights, safety, or property of Orizon, users, or the public. We limit disclosures to what is necessary and handle them in line with applicable law and our internal procedures.

5.6 Service Provider Oversight and Updates

All service providers act as our processors/service providers under data-protection agreements. We review their security practices periodically and require prompt notices of incidents affecting user data. If we add or replace a core provider, we will update this section and reflect any material changes in this Policy. 

6. COOKIES AND TRACKING TECHNOLOGIES

Orizon employs cookies and similar technologies (such as local storage and application logs) to keep the Platform secure and reliable and to understand how features are used. We aim to be clear about what we set and why.

6.1. Types of Cookies Used

Strictly necessary cookies. These enable core functions such as secure login, session management, fraud prevention, load balancing, and basic security. They do not track you across other websites and are required for the Platform to work.

Analytics cookies. These help us measure usage—pages visited, time on page, feature engagement, error/crash data—so we can improve performance and design. We analyze this information in aggregated or de-identified form where feasible. We do not use analytics data to build advertising profiles or to track you across unrelated sites.

6.2. No Advertising or Marketing Pixels

We do not use advertising cookies or third-party marketing pixels on the Platform. We do not sell personal information or share it for cross-context behavioral advertising.

6.3. Managing Your Cookie Preferences

Consent. In jurisdictions that require it (e.g., the EEA/UK), we obtain your consent before setting analytics cookies and honor your choice. You can withdraw consent at any time via the cookie banner or settings (where available).

Browser controls. You can manage cookies in your browser—view, delete, or block them, or set site-specific preferences. Disabling strictly necessary cookies may prevent the Platform from functioning.

We comply with applicable privacy regulations, including GDPR and CCPA, regarding the use of cookies and user consent.

7. HOW WE STORE AND PROTECT YOUR DATA

Orizon takes the privacy and security of your data seriously. We use industry-standard technologies and best practices to ensure that your personal and portfolio information is stored securely, accessed only by authorized parties, and protected against loss, misuse, or unauthorized disclosure.

7.1. Use of AWS Infrastructure (Cognito, S3, PostgreSQL)

Our Platform runs on Amazon Web Services (AWS) infrastructure. We use AWS Cognito for identity management (secure authentication and session control), Amazon S3 for storing user-uploaded content (e.g., optional profile images) in private buckets, and PostgreSQL for structured user and portfolio data. AWS provides robust security features and maintains widely recognized third-party certifications (e.g., SOC 2, ISO 27001). We configure and monitor these services to align with our security policies.

7.2. Encryption in Transit and at Rest

We protect data in transit with HTTPS (TLS) between your device and our services, and we encrypt data at rest (including databases and file storage) using AES-256 or an equivalent industry-standard method.

7.3. Secure Token-Based Authentication

We use token-based authentication, managed by AWS Cognito, to verify users and control access to the Platform’s APIs and features. Tokens are issued at login, expire after a set duration, and are invalidated immediately upon logout or session expiration. This limits access if a token is compromised.

7.4. Access Controls and User Isolation

We apply role-based access controls and the principle of least privilege so personnel receive only the access needed to perform their duties. User data is logically separated and accessible only through an authenticated session. Access to production systems is restricted to authorized staff, and activity is logged and monitored for anomalies and potential threats.

7.5. Data Retention and Deletion Policies

We retain your data while your account is active and as needed to provide services to, comply with legal obligations, enforce our Terms of Service, and resolve disputes. If you delete your account, we remove personal and portfolio data from production systems within a reasonable period (generally within 30 days), subject to backup and legal or regulatory retention requirements. You may also request the deletion of your data at any time by contacting our support team. Certain logs or records may be retained longer where required for security, compliance, or legal claims.

7.6 Incident Response and Breach Notification

We maintain a written incident response program with 24/7 intake and forensic triage. If we determine that sensitive customer information was accessed without authorization, we will notify affected individuals within 30 days of becoming aware, unless law enforcement requests a delay. We preserve relevant logs and records of the investigation and our response consistent with applicable law.

7.7 Service Provider Security and Oversight

When we use service providers, they act on our instructions under written agreements that require appropriate security, confidentiality, and prompt incident notification. We perform diligence appropriate to the risk, limit sharing to the minimum necessary, and require cooperation with any investigation and downstream notices if their systems are involved.

7.8 Records and Substantiation

We retain records necessary to substantiate material claims about the Platform, consistent with applicable recordkeeping rules.

8. YOUR DATA RIGHTS AND CHOICES

We believe you should control your personal information. Depending on your location and applicable law, you may have the rights described below. We honor valid requests in a timely, transparent manner.

8.1. Access, Correction, and Deletion

You can view and update most account details in Settings. You may also request that we: (a) access the personal information we hold about you, (b) correct inaccurate or incomplete information, or (c) delete your information, subject to legal or contractual retention requirements. To make a request, contact us using the details in Section 12 (Contact Information). We may ask for information to verify your identity and will respond within the timeframes required by law.

8.2. Right to Withdraw Consent

Where we rely on your consent (e.g., optional features like brokerage sync or feedback tools), you may withdraw that consent at any time in Settings or by contacting us. Withdrawal does not affect the lawfulness of processing before withdrawal, but it may limit or disable certain features.

8.3. Data Portability

Where applicable, you may request a copy of your data in a structured, commonly used, and machine-readable format (e.g., CSV or JSON). If technically feasible, you may also ask us to  transmit that data directly to another service. This right generally applies to information you provided that we process based on consent or to perform a contract.

8.4. Account Deletion Request

You may delete your account in your account settings at any time, or by contacting compliance@orizonanalytics.io. Deleting your account removes access to the Platform, and deletes associated personal and portfolio data from our production systems within a reasonable period (generally within 30 days), subject to backup retention schedules and legal or regulatory obligations (e.g., security logs or records we must keep to meet our obligations).

8.5. Opting Out of Optional Features

Certain features of the Platform, such as brokerage account integrations, submitting feedback through Featurebase, and participating in beta testing or surveys, are optional. If you do not wish to use them, simply do not enable or participate. Your core access to portfolio analytics is unaffected. Where a feature uses consent (e.g., analytics cookies in certain regions), you can change that choice at any time.

How to submit a rights request: Email compliance@orizonanalytics.io with your name, account email, and the right you wish to exercise. If permitted in your jurisdiction, you may use an authorized agent; we may require proof of authority and additional verification. If we decline a request, we will explain why and how to appeal where applicable.

9. INTERNATIONAL USERS & PRIVACY LAW COMPLIANCE

If you access the Platform from outside the United States, your information may be transferred to, stored, and processed in the U.S. and other countries where we or our service providers operate. We use recognized legal mechanisms for cross-border transfers and apply appropriate technical and organizational safeguards.

9.1. GDPR Compliance (EU/EEA/UK Users)

For users located in the European Union (EU) or European Economic Area (EEA), or United Kingdom (UK). Orizon Analytics LLC acts as the data controller for personal data we collect through the Platform.

Your rights. You may access, correct, erase, restrict or object to processing, withdraw consent where processing is based on consent, and exercise data portability. You also have the right to lodge a complaint with your local supervisory authority. To exercise rights, contact compliance@orizonanalytics.io (See Section 8 for request/verification details).

Legal bases. We process personal data on one or more of these bases: contractual necessity (to provide and maintain the Platform), legitimate interests (for security, service improvement, and fraud prevention, balanced against your interests), consent (for optional features or cookies where required), and legal obligations (for compliance and recordkeeping). For GDPR-related requests, contact compliance@orizonanalytics.io (See also Section 8 for how to submit a rights request).

9.2. CCPA and CPRA Compliance (California Residents)

If the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to us in relation to your information, California residents have rights to know/access, delete, and correct certain personal information, to opt out of “sale” or “sharing” for cross-context behavioral advertising, and to be free from discrimination for exercising these rights.

We do not sell personal information and do not share it for cross-context behavioral advertising, and we do not use sensitive personal information for purposes that require a “limit” right. To exercise California rights, email compliance@orizonanalytics.io; we will verify your request and respond within the timeframes required by law (typically 45 days, extendable where permitted). Note that personal information we handle under the Gramm-Leach-Bliley Act (GLBA) may be exempt from CPRA, while other categories (e.g., website analytics) may still be covered.

We do not offer price or service differences, loyalty programs, or other financial incentives in exchange for personal information.

9.3. Other U.S. State Laws

Where other state privacy laws apply (e.g., Colorado, Connecticut, Virginia, Utah), you may have similar rights. Submit requests to compliance@orizonanalytics.io and we will honor them as required by applicable law, including any available appeal process.

9.4. International Data Transfers and Safeguards

When we transfer personal data across borders, we use appropriate safeguards consistent with applicable law, including:

• Standard Contractual Clauses (SCCs) approved by the European Commission for EEA transfers, together with the UK Addendum/IDTA for UK transfers and the Swiss equivalents where applicable;
• Data-processing agreements with service providers that process data on our behalf, requiring confidentiality, security, and incident notification obligations; and
• Technical and organizational measures such as encryption in transit and at rest, access controls, and data-minimization practices.

Where a different lawful transfer mechanism is available (for example, an adequacy decision) and applicable to a specific flow, we may rely on that mechanism. If we rely on consent for a particular transfer, we will request it expressly and you may withdraw consent at any time (this will not affect prior transfers completed in reliance on consent).

We review our transfer approach periodically and will update this Policy if our practices or applicable laws change.

10. CHILDREN’S PRIVACY

The Platform is intended for users 18 years of age or older and is not directed to children under 13. We do not knowingly collect personal information from children under 13. Do not use the Platform or submit information to us if you are under 18.

If we learn that we have collected personal information from a child under 13 without verified parental consent, we will delete it and take reasonable steps to prevent further collection from that user, consistent with COPPA and other applicable laws.

Parents or legal guardians who believe a child under 13 has provided information to us should contact compliance@orizonanalytics.io. We will investigate promptly and delete any such information as required.

11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or other operational reasons. When we make changes, we will revise the “Last Updated” date at the top of the policy.

If the changes are material, we will provide additional notice by emailing the address associated with your account and posting a prominent notice on the Platform’s webpage. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Where the law requires consent for a change, we will seek it.

Your continued use of the Platform after any changes to this Privacy Policy have been posted constitutes your acceptance of those changes. If you do not agree to the revised policy, you may stop using the Platform and request deletion of your account and data at any time.

12. CONTACT INFORMATION

If you have any questions, concerns, or requests related to this Privacy Policy or the way we handle your data, please feel free to contact us using the information below:

Orizon Analytics LLC

30 N Gould St #49846

Sheridan, WY 82801, USA

Email: compliance@orizonanalytics.io

We monitor this mailbox and will respond within applicable legal timeframes.