Aleora — Privacy Policy
Last updated: 11 March 2026
Effective date: 11 March 2026
1. Who We Are
This Privacy Policy explains how we collect, use, and protect your personal data when you use the Aleora financial modelling application (“the App”, “Aleora”).
Joint controllers:
- Aleora SAS (in process of incorporation), 31 Rue Doudeauville, 75018 Paris, France
- Overfly GmbH, Pappelallee 78/79, 10437 Berlin, Germany — technical implementation and hosting partner
Data protection contact: alexandergann@gmail.com
We process your data in accordance with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and applicable French and German data protection law.
2. What Data We Collect
2.1 Data You Provide
| Data | When | Purpose |
|---|---|---|
| Email address | Sign-in / account creation | Authentication, account identification, service communications |
| Feedback text | When you submit in-app feedback | Product improvement |
2.2 Data Collected Automatically
| Data | Source | Purpose |
|---|---|---|
| Usage analytics (pages visited, features used, session duration) | PostHog | Product improvement, understanding usage patterns |
| Error and performance data (stack traces, browser info, screen size) | PostHog | Bug fixing, stability monitoring |
| Authentication tokens and session data | Supabase | Maintaining your logged-in session |
| IP address | Supabase, Vercel (server logs) | Security, abuse prevention, infrastructure operation |
2.3 Data You Create in the App
All content you create in the App — financial models, input assumptions, and presentation configurations — is stored exclusively in your browser's local storage on your own device. This data is never transmitted to or stored on our servers.
When you run a model, the model structure and inputs are sent to our calculation engine for processing. The engine returns the computed results in real time and does not retain any of this data after the response is delivered. Model run results are ephemeral and are not stored server-side.
3. Legal Basis for Processing
Under Article 6 of the GDPR, we process your data on the following bases:
| Processing activity | Legal basis |
|---|---|
| Authentication and session management | Contract (Art. 6(1)(b)) — necessary to provide the service you requested |
| Analytics and error tracking | Consent (Art. 6(1)(a)) — you consent when you accept these terms at sign-in |
| Feedback processing | Consent (Art. 6(1)(a)) — you voluntarily submit feedback |
| Security and abuse prevention | Legitimate interest (Art. 6(1)(f)) — protecting the service and its users |
4. How We Use Your Data
We use your data to:
- Provide and maintain the App
- Authenticate your identity and manage your session
- Understand how the App is used and improve it
- Fix bugs and monitor performance
- Respond to feedback you submit
- Protect the security and integrity of the App
We do not:
- Sell your personal data to third parties
- Use your data for advertising or ad targeting
- Use the content of your financial models for any purpose other than providing the service to you
- Make automated decisions about you based on your data
5. Third-Party Services and Data Sharing
We share data with the following third-party service providers (“processors”) who act on our behalf:
| Service | Provider | Location | Data shared | Purpose |
|---|---|---|---|---|
| Supabase | Supabase Inc. | USA (AWS infrastructure) | Email, session tokens, IP | Authentication, magic-link login |
| PostHog | PostHog Inc. | USA / EU (configurable) | Anonymous usage events, error data, browser info (no email, no model content) | Analytics, error tracking |
| Linear | Linear Orbit Inc. | USA | Feedback text, your email address | Issue tracking for submitted feedback |
| Vercel | Vercel Inc. | USA (edge network) | IP, request metadata | Hosting, deployment, API routing |
| Aleora Engine API | Hosted on Vercel | USA | Model data (for computation) | Financial model calculation |
PostHog receives only anonymous identifiers and does not receive your email address, name, or the content of your financial models. When you submit feedback through the App, your email address is included alongside your feedback text in Linear so that we can follow up if needed.
Where data is transferred outside the European Economic Area (EEA), we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- The EU-US Data Privacy Framework, where applicable
6. Cookies and Local Storage
The App uses:
| Technology | Purpose | Duration |
|---|---|---|
| Supabase session cookie | Maintaining your login session | Duration of your browser session |
| PostHog analytics cookie | Anonymous analytics identification | 12 months |
| Browser localStorage | Storing your models, input assumptions, and presentation configurations locally on your device | Persistent until you clear your browser data |
Analytics data is collected through a first-party endpoint proxied through our own domain. This means analytics requests are routed through Aleora's own infrastructure rather than directly to PostHog's servers. No cookies store personal information — they are used solely for the App to function correctly.
We do not use advertising cookies or third-party tracking cookies.
7. Data Retention
| Data | Retention period |
|---|---|
| Account data (email) | Until you request deletion or we close your account |
| Analytics data | 24 months |
| Feedback submissions | Indefinite (stored in Linear as product issues) |
| Server logs (Vercel) | Typically 30 days (Vercel's default) |
| Models and presentations (localStorage) | Under your control — stored only on your device and cleared when you clear your browser data |
8. Your Rights
Under the GDPR, you have the right to:
- Access your personal data (Art. 15)
- Rectify inaccurate data (Art. 16)
- Erase your data (“right to be forgotten”) (Art. 17)
- Restrict processing (Art. 18)
- Receive your data in a structured, machine-readable format (data portability) (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, without affecting the lawfulness of processing before withdrawal (Art. 7(3))
To exercise any of these rights, contact: alexandergann@gmail.com
We will respond within 30 days. If we need more time (up to 60 additional days for complex requests), we will inform you.
9. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encrypted connections (HTTPS/TLS) for all data in transit
- Authentication via Supabase with magic-link (passwordless) login
- Access controls limiting who can access production systems
- No storage of passwords (magic-link authentication only)
No system is perfectly secure. If we become aware of a data breach affecting your personal data, we will notify you and the relevant supervisory authority as required by GDPR Articles 33 and 34.
10. Children's Data
We do not knowingly collect data from children under 16. If you believe a child under 16 has provided us with personal data, contact us and we will delete it.
11. Supervisory Authority
You have the right to lodge a complaint with a data protection supervisory authority. The relevant authorities are:
- France: Commission Nationale de l'Informatique et des Libertés (CNIL), www.cnil.fr
- Germany: Berliner Beauftragte für Datenschutz und Informationsfreiheit (for Overfly GmbH), www.datenschutz-berlin.de
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice in the App. The “Last updated” date at the top of this page indicates when the policy was last revised.
13. Contact
For any privacy-related questions or to exercise your rights:
Alexander Gann
Aleora SAS (in process of incorporation)
31 Rue Doudeauville, 75018 Paris, France
alexandergann@gmail.com