Privacy policy

1. Data controller

The data controller and website operator is Individual Entrepreneur Bakurov Pavel Andreevich (OGRNIP 321508100472902, INN 503623289407), doing business under the My Portfolio and Farious brands. Privacy requests, personal-data claims, and legally significant electronic notices may be sent to support@farious.tech. The person responsible for organizing the processing of personal data is the Individual Entrepreneur identified above; you can reach this person at support@farious.tech.

The Vendor's registered address for legally significant notices is 142105, Podolsk, Podolskikh Kursantov St. 2, apt. 34; the consumer support phone is +7 916 650-96-53; and consumer support business hours are Mon–Fri, 10:00–19:00 MSK. The Vendor was registered by the Interdistrict Inspectorate of the Federal Tax Service No. 23 for the Moscow Region. The Individual Entrepreneur is a personal-data operator. The notification of intent to process personal data has been submitted to Roskomnadzor (registry confirmation pending). We do not invent or publish unverified registration details in this policy.

2. What we collect

We collect only the data that is needed to operate the service. The categories are:

Account data: your email address, a salted hash of your password, your display name (if you set one), and the timestamp of account creation and last login.

Subscription and billing records: the plan you selected, payment status, invoice identifiers, and the start and end of each billing period. Card numbers and bank details are handled exclusively by our payment processor and never reach our servers.

Cloud strategy records: if you choose to upload a private strategy, strategy version, assignment metadata, or publication request to My Portfolio cloud features, we store the content you submit, the related account id, timestamps, moderation status, and publication-review history. Cloud strategy storage is optional for private storage convenience and publication review. Paid cloud automation, under which we run your trading node on our servers, is offered under the current Terms of Service; the data we process when you run a portfolio under cloud automation is described in the portfolio-statistics section below. Do not include broker credentials, broker tokens, passwords, or secrets in strategy content.

Security telemetry: the IP address and User-Agent header of requests to our website, the time of each request, and outcomes of authentication events. This data is used to detect abuse and to investigate security incidents.

Functional cookies: a first-party __Host-pm_user HttpOnly session cookie and a first-party __Host-pm_csrf antiforgery cookie. Both are strictly necessary for the website to work.

Optional analytics storage: if you accept analytics, the website loads Yandex Metrica to understand website and workspace page usage, CTA clicks, product funnel behavior, and marketing page session replay and click maps. Yandex Metrica may use cookies, localStorage, and sessionStorage browser identifiers on the My Portfolio domain and, unless Restricted mode is enabled in the Yandex counter, on Yandex Metrica domains. We do not send Yandex account identifiers, broker data, portfolio data, order IDs, payment amounts, credentials, form values, or raw error details. Workspace session replay, form analysis, advertising retargeting, advanced matching, and ecommerce collection are disabled.

Optional desktop or native-client telemetry: when enabled, the My Portfolio application may send diagnostic crash reports and aggregate uptime counters. Telemetry never includes broker credentials, broker tokens, order details, trade history, or portfolio composition. You can disable telemetry from the application's settings.

Support correspondence: messages you send to support@farious.tech, and the content of any tickets you open. We retain this material for as long as it is needed to resolve your request and to defend against later disputes.

Data we explicitly do not collect: broker passwords, broker API tokens, broker session cookies, the content of orders you place through the desktop or native-client application, your live positions, your account balance at the broker, or any value that would let us reconstruct your trading activity.

Public, special-category, and biometric data: My Portfolio is not intended to collect special categories of personal data, biometric personal data, criminal-record data, or personal data permitted for distribution. Please do not upload any of that data. The same applies to third-party personal data, identity documents, medical information, photographs used for identification, broker secrets, and similar materials: do not put them into strategy content, support messages, or publication requests. If a future feature publishes your name, profile, strategy attribution, or other personal data to an unlimited audience, we will request separate consent for personal data permitted for distribution and let you define permitted categories, restrictions, and conditions before publication.

3. Analytics cookies and storage

Analytics are optional. Rejecting analytics does not limit account, subscription, billing, workspace, or trading-related website functionality.

Analytics cookies and storage are set only after an affirmative analytics-consent action. Before consent, we do not load Yandex Metrica or set Yandex analytics identifiers. We record the consent choice, timestamp, policy version, and browser or session metadata needed to prove the choice.

You can accept, reject, or change analytics later from cookie settings.

Authenticated workspace analytics are optional pseudonymous usage analytics. They may include coarse section names and billing-intent goals, but never account identifiers, amounts, session replay, click maps, or form values.

My Portfolio consent preference: provider My Portfolio; purpose strictly necessary storage used only to remember whether you accepted or rejected analytics; duration until you change the choice or clear browser storage; consent status not required because it stores the consent choice.

_ym_uid: provider Yandex Metrica; purpose analytics browser identifier; duration 1 year; consent status set only after analytics consent.

_ym_d: provider Yandex Metrica; purpose first visit/date metadata; duration 1 year; consent status set only after analytics consent.

_ym_isad: provider Yandex Metrica; purpose ad-blocking or availability signal; duration 20 hours; consent status set only after analytics consent.

_ym_metrika_enabled: provider Yandex Metrica; purpose tag availability signal; duration 60 minutes; consent status set only after analytics consent.

Any Yandex localStorage or sessionStorage keys observed in staging are documented here before production enablement.

Analytics cookie names, providers, purposes, storage locations, and exact retention periods must be listed in this section before production use; any analytics item whose period or storage location is not known is not enabled in production.

4. Lawful basis for processing

For users to whom the General Data Protection Regulation applies, we rely on the following lawful bases under Article 6 GDPR: performance of a contract (Art. 6(1)(b)) for everything required to deliver your subscription, run the website, provide the desktop or native client, and operate optional cloud strategy features; legitimate interests (Art. 6(1)(f)) for security telemetry, fraud detection, abuse prevention, support, and enforcement of our terms, balanced against your rights and freedoms; legal obligation (Art. 6(1)(c)) for retention of billing records and responses to lawful authorities; and your consent (Art. 6(1)(a)) for optional analytics storage and any optional marketing channel, which you can withdraw at any time without affecting the lawfulness of past processing.

For users whose personal data is governed by Russian Federal Law No. 152-FZ "On Personal Data", we process personal data on the basis of contract performance for subscription and software delivery, on the basis of legal obligations, to protect lawful interests where permitted, and on the basis of consent where consent is required. Where we rely on consent under Federal Law No. 152-FZ, consent is requested separately from the Terms of Service, this Privacy Policy, and other confirmations; it must be specific, informed, conscious, unambiguous, and recorded in a form that allows us to prove receipt. Refusing or withdrawing optional consent, including analytics consent, does not affect strictly necessary account, subscription, billing, security, or software-delivery functions.

5. How we use your data

Account data is used to authenticate you and to associate your subscription with your sessions. Billing records are used to issue invoices, take payments through the payment processor, manage renewals and cancellations, and meet tax and accounting obligations. Cloud strategy records are used to store your private strategies, support versioning, support publication review when you request it, moderate unlawful or abusive content, and operate any hosted-node workflow that requires a cloud strategy copy. Security telemetry is used to rate-limit abusive traffic, block credential-stuffing attempts, and investigate security incidents. Support correspondence is used to answer your questions and resolve disputes.

We may use and retain limited account, billing, security, support, and cloud strategy records where needed to enforce these terms, investigate fraud or market-abuse reports, comply with lawful requests from courts, regulators, tax authorities, payment providers, brokers, or exchanges, or defend legal claims.

We do not sell personal data. We do not share personal data with advertisers. We do not profile users for marketing purposes.

6. Sub-processors and third parties

We use a small set of sub-processors to operate the service. They process data on our instructions, under written agreements with confidentiality and security obligations:

Payment processor: payments and recurring billing are handled on our behalf by the regulated payment service provider OOO NKO YuMoney (brand YooKassa), INN 7750005725, OGRN 1127711000031, Bank of Russia licence No. 3510-K, address 115035, Moscow, Sadovnicheskaya St. 82, bldg. 2. We receive payment status and invoice identifiers; the payment processor receives the data needed to take the payment.

Email delivery: an email delivery provider is used to send transactional messages such as verification codes, password resets, and billing receipts.

Hosting and infrastructure: we use cloud hosting and content delivery providers for the website and back-end services. They receive the network traffic needed to serve requests.

Analytics provider: Yandex Metrica is loaded only after analytics consent to measure website and workspace page usage, CTA clicks, product funnel behavior, and marketing page session replay and click maps under the restrictions described in Section 3.

Broker and third-party services: when the desktop or native client connects to your broker, that connection is governed by the broker's own terms and privacy documents. We do not receive broker credentials through that connection. If a feature later requires us to transmit data to a broker, exchange, identity provider, or compliance provider, we will disclose that feature-specific transfer before enabling it.

We will publish material changes to the list of sub-processors on this page before they take effect. The categorical list above is the current scope.

7. Data retention

We retain account data for as long as your subscription is active. After cancellation or expiry, we retain the account record for an additional 12 months to allow renewals, dispute resolution, and to meet tax and accounting obligations; after that period, the record is deleted or anonymized.

Security telemetry is retained for up to 12 months and then deleted. Support correspondence is retained for up to 3 years from last activity. Billing records are retained for as long as required by applicable law (typically 5 years for tax records). Backups follow the same retention schedule and are rotated out on their own cycle.

Optional desktop or native-client telemetry, when enabled, is retained in aggregated form only; individual reports are processed and aggregated within 30 days.

When a processing purpose is achieved, or when consent is withdrawn and no other legal basis requires retention, we stop processing and delete the relevant personal data, or ensure deletion by a processor, within 30 days unless a different period is required by law or by a contract with the data subject.

8. International data transfers

Russian data localization: when we collect personal data of citizens of the Russian Federation, including through the Internet, recording, systematization, accumulation, storage, clarification, and extraction of that data are performed using databases located in the Russian Federation. We do not perform those primary operations using databases located outside the Russian Federation except in cases expressly permitted by Federal Law No. 152-FZ. Any later cross-border transfer, if required, is performed only after Russian-localized collection and only under the cross-border-transfer procedure described in this section.

Cross-border transfers: if a feature or processor requires transfer of personal data from Russia to another country, we first identify the destination country, recipient, purposes, data categories, subject categories, and safeguards. Before starting such activity, where required by Federal Law No. 152-FZ, we notify Roskomnadzor separately of the intended cross-border transfer and obtain from the foreign recipient information about its confidentiality and security measures and conditions for terminating processing. For countries that are not recognized as providing adequate protection, we do not start the transfer until the statutory waiting period has expired and no prohibition or restriction has been issued. If Roskomnadzor prohibits or restricts a transfer, we stop the transfer and ensure destruction of previously transferred personal data by the foreign recipient where required by law.

For transfers from the European Economic Area, we use the European Commission's Standard Contractual Clauses or another mechanism recognized under applicable law.

9. Security

We protect your data with TLS-encrypted transport, salted password hashing using a current industry-standard algorithm, key-rings managed under platform data-protection APIs, and strict access controls on production systems. Where the product encrypts any broker-related material for transport, we use a split-key architecture so that neither side alone can decrypt it.

No system is perfectly secure, and we describe our protections as a reasonable effort, not a guarantee. If you believe your account has been compromised, write to support@farious.tech and we will work with you to contain the incident.

If we discover unlawful or accidental transfer, disclosure, provision, or access to personal data that violates data-subject rights, we notify Roskomnadzor within 24 hours with the known circumstances, likely causes, likely harm, mitigation steps, and incident contact, and within 72 hours with the results of the internal investigation and information about responsible persons where available. Where the affected systems are connected to the Internet, we also notify the State System for Detecting, Preventing, and Eliminating the Consequences of Computer Attacks (GosSOPKA) as required by law.

10. Your rights

Subject to applicable law, you have the right to access the personal data we hold about you, to ask us to correct inaccurate data, to ask us to delete data we no longer need, to restrict or object to certain processing, to receive a copy of data you provided in a portable format, and to withdraw any consent you previously gave. To exercise any of these rights, write to support@farious.tech from the email address associated with your account.

Russian-law request procedure: for requests governed by Federal Law No. 152-FZ, we provide access information or a reasoned refusal within 10 working days after receiving the request. We may extend this period once by up to 5 working days by sending a reasoned notice. A request should identify the data subject or representative, confirm the relationship with My Portfolio or another fact of processing, and include a signature; an electronic request may be signed with an electronic signature under Russian law. If you provide evidence that personal data is incomplete, inaccurate, outdated, unlawfully obtained, or no longer needed for the stated purpose, we correct or delete it within 7 working days and notify you of the action taken.

If you believe we have processed your data unlawfully, you may complain to a competent supervisory authority. In the Russian Federation this is the Federal Service for Supervision of Communications, Information Technology and Mass Media (Roskomnadzor). In the European Economic Area this is the data protection authority of your country of residence. We would prefer that you raise the issue with us first so we can address it.

11. Portfolio statistics for cloud-automated portfolios

If you run a portfolio under cloud automation, the platform collects data derived from that portfolio's state so that we can show statistics and charts back to you. This derived data covers portfolio net asset value (NAV), cash balance, per-instrument holdings, fees, and cash flows, pulled from the trading node operating your cloud-automated portfolio. We collect this data only to provide your own portfolio statistics and performance charts; we do not use it to build marketing profiles, and we do not sell or share it with advertisers.

This statistics data is owner-scoped: it is accessible only to you, the owner of the portfolio, and is never made available to other users. We protect it with the same transport encryption, access controls, and production-system safeguards described in the Security section.

Where we store it: portfolio statistics are kept in a dedicated statistics store separate from your account and billing records. Retention is purpose-based: short-interval (intraday) samples are retained for approximately 90 days to support recent detailed charts, while daily series are retained indefinitely so that your long-term portfolio history remains available to you.

Your rights over statistics data: the access, correction, and erasure rights described in the "Your rights" section apply to your portfolio statistics. A per-user erasure path exists for the dedicated statistics store, so you can request deletion of your statistics history. To exercise these rights, write to support@farious.tech from the email address associated with your account.

12. Children

My Portfolio is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has created an account, write to support@farious.tech and we will remove the account.

13. Changes to this policy

We may update this policy from time to time. Material changes will be announced on this page and, where the change affects active subscribers, by email. The effective date at the top of this document indicates when the current version took effect.