← 返回 Signodex
安全与隐私
A direct read of what we hold, what we do not, and how the trust boundary is drawn.
The Anthropic API key never leaves our servers
AI requests go through a Supabase Edge Function (
ai-proxy). The Anthropic key is set as an Edge Function secret and is never bundled into the iOS, Android or web clients. There is no client-side fallback that calls Anthropic directly.Credits are deducted server-side and atomically
Every paid AI action is gated by an atomic Postgres RPC that combines the cache check and the credit deduction inside a serialised transaction. Two parallel requests for the same question cannot both be charged. If the AI call fails before producing output, the deduction is refunded in the same transaction log.
What we store about your prompts
AI responses are cached for 15 minutes by a deterministic market-state key (asset symbol + time-bucket + condition hash). The cache is keyed to the question — not to the user. We do not store per-user prompt history except for the chat feature, which keeps the active conversation in your device's memory for context and is discarded when you close the chat.
Sessions and authentication
Web sessions use Supabase Auth (HTTP-only cookies, refresh-token rotation). Mobile uses Firebase Auth for the user-facing login UX (Apple, Google), bridged to a Supabase JWT server-side so every server feature can verify
auth.uid(). The bridge runs in an Edge Function — your Firebase ID token is verified against Google's public JWKS before any Supabase user is touched.Payments
All in-app purchases go through RevenueCat (Apple App Store, Google Play). RevenueCat posts webhook events to a Supabase Edge Function that verifies the incoming
Authorization header against a secret and deduplicates events by ID before any plan change is applied. We never see your card details; they belong to Apple, Google and RevenueCat.Data we collect
- Email address (required for account & plan).
- Plan tier and credit balance.
- Portfolio holdings you create — only stored when you sign in; guests have no remote state.
- Watchlists and price alerts you create.
- Anonymised analytics events (page views, feature usage) — no third-party advertising trackers.
See Privacy Policy for the full data list and deletion procedure.
Data residency and sub-processors
Our Supabase project is provisioned in the EU (eu-central-1, Frankfurt)region. Authentication, the credit ledger, paper-trading state and the AI-cache table all sit on Postgres infrastructure inside that region. We do not migrate this data outside the EU.
- Supabase (EU) — Postgres, Auth, Edge Functions, Storage. GDPR DPA on file. Region:
eu-central-1. - Anthropic — AI model provider for every signal. Calls leave the EU region edge function to Anthropic's API. Anthropic publishes a DPA at anthropic.com/legal/dpa.
- RevenueCat — subscription billing for iOS/Android. They never see prompt content. EU DPA available on request.
- Stripe (institutional) — web-side billing for the Teams plan (rolling out). Stripe processes the card in the user's home region.
- CoinGecko / Yahoo Finance / metals-api — public market data feeds. No personally identifying information is sent.
German wealth-management buyers can request a signed BaFin-compatible processor list via compliance@signodex.com.
What we do not do
- We do not run third-party advertising or behavioural retargeting trackers.
- We do not share or sell prompts, watchlists or portfolio data.
- We do not display testimonials, ratings or user counts we cannot verify.
Reporting a vulnerability
Email security@signodex.com with a clear reproduction. We acknowledge within 72 hours.