The Portfolio · Brief

Privacy Policy

Last updated: 8 May 2026

This page describes what The Portfolio Brief collects, why, and how you control it. We aim for plain language; if anything reads like legalese, please tell us so we can fix it.

Who we are

Portfolio Brief is operated by Anshul Singh, a UAE-resident founder trading as Global Tea Hub. We are a small team of one plus AI leverage, running a closed ≤10-user pilot.

Indian-jurisdiction grievance officer: Anshul Kumar Singh (Founder & Grievance Officer), grievance@globalteahub.com. We respond to grievances within 30 days.

What we collect

We collect only what we need to deliver your daily brief:

Authentication: your email address (via Supabase magic link or one-time code).
Portfolio: the stock symbols you tell us about during onboarding.
Preferences: your chosen language (English or Hinglish), brief delivery time, and channel toggles (email, Telegram).
Engagement: which briefs were sent, opened, and clicked, and how long and how far you read them on the web — used for delivery health, to gate the first-brief experience, and to improve the brief.
Telegram: your Telegram username and chat ID, only if you link Telegram for delivery.

Why we collect it

We process your data only to assemble and deliver your daily brief, ground synthesis in primary filings, and run the small set of features you can see in your account: holdings, settings, and (soon) ask-and-answer over your portfolio.

We do not sell, rent, or share your portfolio with anyone outside the sub-processors named below. We do not use your portfolio to make trading decisions, recommend buys or sells, or train models for other customers.

How long we keep it

We keep your account row while your account is active. When you delete your account from Settings, we soft-delete the row immediately and stop sending briefs within 24 hours. After that, your data is permanently purged within 7 days. The grace window protects against credential compromise and accidental clicks.

Two exceptions retained per DPDP-2023 §17: (a) operational audit logs, kept for security-incident response under §8(5) reasonable-security-safeguards; (b) public filings we ingested (BSE/NSE/news), kept because they are not personal data and serve every other user's brief.

Who we share data with

We use the following sub-processors. Each handles a narrow slice of your data with a contractual basis under DPDP-2023 §16 cross-border transfer:

Supabase (United States) — authentication: stores your email + session token. Standard contractual safeguards.
Resend (United States) — transactional email: receives your email and brief content for delivery.
Telegram (Telegram FZ-LLC, UAE) — bot delivery: receives your Telegram chat ID and brief content if you opt in.
OpenAI (United States) — embeddings only at MVP; no portfolio content sent.
Anthropic (United States) — synthesis + brief generation: receives the document text + your portfolio symbols at brief-generation time.
DigitalOcean (Bangalore, India) — hosting: where your account row, briefs, and event subscriptions are stored.

Lawful basis

We process your data on the basis of legitimate-use consent under DPDP-2023 §7. By signing up, you consent to processing for the specific purpose described above (delivering your daily brief). You can withdraw consent at any time from Settings or by emailing the grievance officer.

Cookies and local storage

We use one HttpOnly session cookie (managed by Supabase) for authentication. We use browser localStorage to remember small UI preferences such as your language toggle. We do not use third-party trackers, analytics cookies, or advertising cookies.

Your rights

Under DPDP-2023 §11, you have the right to:

Access and download a copy of your data — the Export My Data button in Settings produces a single JSON file.
Delete your account and all associated data — the Delete My Account button in Settings starts the deletion flow.
Withdraw consent for further email by clicking the Unsubscribe link in any brief.
Lodge a grievance with our grievance officer at grievance@globalteahub.com.
If your grievance is not resolved within 30 days, you may approach the Data Protection Board of India under DPDP-2023 §13(1).

If something goes wrong (breach notification)

If we discover a personal-data breach affecting your account, we will notify the Data Protection Board and you within 72 hours, per DPDP-2023 §8(6). We will tell you what happened, what data was affected, what we're doing about it, and what (if anything) you should do.

Updates to this policy

We will refresh the sub-processor list on every Privacy version bump. When we add a sub-processor, change retention, or change purpose, we will email you and post the new version on this page. The Last updated date at the top of this page tracks the current version.

Children

The Portfolio Brief is not for users under 18. By signing up, you confirm you are 18 or older and a resident of India for the duration of the pilot. We do not knowingly process data from minors.

Contact

Grievance Officer: Anshul Kumar Singh — grievance@globalteahub.com