Privacy Policy
Effective June 3, 2026
This Privacy Policy explains what personal data FireSheet ("we", "us") collects when you use the Service, how we use it, who we share it with, and the rights you have over it. We aim to collect the minimum we need to run the product, and to be specific about why.
1. What we collect
Account & identity
Email address, name, and profile image (if you provide one) via our authentication provider Clerk. We use these to identify you, send transactional email, and display your avatar in the app.
Brokerage & wallet credentials
API keys, API secrets, and public wallet addresses that you voluntarily connect. Secrets are encrypted at rest with AES-256-GCM using a key held by our infrastructure provider; they are never logged. FireSheet only ever uses read-only credentials — we cannot trade, transfer, or withdraw on your behalf.
Portfolio data
Balances, positions, transactions, allocations, and projections we sync from your connected accounts or that you enter manually. We store these so you can view your portfolio across sessions and so we can compute things like net worth, allocation, and your freedom date.
Billing data
If you subscribe, Stripe collects your payment method on our behalf. We store a Stripe customer ID, the plan you're on, and your subscription status (active, trialing, canceled, etc.). We never see or store full card numbers.
Usage & device data
Standard request logs (IP address, user agent, timestamps, referrer, response codes) that our hosting platform records to run the Service securely. We use these for debugging, abuse prevention, and capacity planning.
2. How we use it
- To provide and improve the Service.
- To sync your balances and prices on the schedule you choose, and to compute your projections.
- To process subscriptions, send receipts, and handle refunds and disputes.
- To communicate with you about account changes, security, and material product updates.
- To detect, prevent, and respond to fraud, abuse, and security incidents.
- To comply with our legal obligations.
We don't sell your personal data. We don't share it with advertisers, data brokers, or ad networks. We don't use your portfolio data to train machine learning models.
3. Sub-processors
We rely on a small set of trusted vendors to operate FireSheet. Each receives only the data needed for the task and is bound by contract to protect it.
- Vercel — application hosting and request logs.
- Supabase — PostgreSQL database and storage of your account, holdings, and encrypted credentials.
- Clerk — authentication, sessions, and profile data.
- Stripe — payment processing and subscription management.
- Brokerage & wallet APIs (Interactive Brokers, Trading 212, Hyperliquid, Zerion) — fetching the balances you ask us to sync. We send only the credentials and addresses you provide.
- Price & FX data providers (e.g. CoinGecko) — to value your holdings.
4. Where your data lives
Our primary database and storage live in the United States (Supabase, region us-east-1). Hosting and edge workers run on Vercel's global infrastructure. If you're outside the United States, your data may be transferred to and processed in the United States and other countries. We rely on standard contractual safeguards where applicable.
5. How long we keep it
- Account data: while your account exists, plus up to 30 days after deletion in encrypted backups.
- Brokerage credentials: until you remove them or delete your account.
- Billing records: as long as required for tax and accounting law (typically 7 years).
- Server logs: up to 90 days for operational logs, longer for security-incident logs.
6. Security
All traffic is encrypted in transit with TLS. Brokerage secrets are encrypted at rest with AES-256-GCM before being written to the database. Access to production systems is restricted and logged. No system is perfectly secure — please report security issues to hello@getfiresheet.com.
7. Your rights
Depending on where you live (e.g. EU/UK under GDPR, California under CCPA), you may have the right to:
- access the personal data we hold about you;
- correct inaccurate data;
- delete your data — you can also delete your account from Settings, which removes your portfolio data and connected credentials;
- export your data in a portable format;
- object to or restrict certain processing (including the right to opt out of "sale" or "sharing" under CCPA — note we don't sell or share your data for cross-context behavioural advertising);
- lodge a complaint with a data-protection authority.
To exercise a right, email hello@getfiresheet.com from the address on your account.
8. Children
FireSheet isn't intended for people under 18. We don't knowingly collect personal data from minors; if you believe we have, email hello@getfiresheet.com and we'll delete it.
9. Cookies
We use a small number of strictly-necessary cookies to keep you signed in and to remember preferences (e.g. theme, currency, the landing-page variant you saw). We don't use cookies for third-party advertising or cross-site tracking.
10. Changes to this policy
We'll update the "Effective" date above when we change this policy. For material changes we'll give you notice (email or in-app banner) before they take effect.
11. Contact
Privacy questions? Email hello@getfiresheet.com.