Privacy Policy
Aurum (“we”, “us”, “our”) is a portfolio optimisation engine operated by NovaSect. This policy explains what data is collected when you use Aurum, by whom, and how it is used. Aurum does not sell data or run advertising.
Authentication
Access to Aurum is protected by a login gate. Upon successful authentication, a session cookie (aurum_sess) is issued. This cookie is:
- Cryptographically signed (HMAC-SHA256) and verified server-side on each request
- Flagged HttpOnly — inaccessible to JavaScript running in the browser
- Flagged Secure — transmitted over HTTPS only
- Flagged SameSite=Strict — not sent on cross-site requests
- Valid for 7 days, after which re-authentication is required
No personal data is stored within the cookie — it contains only a signed user identifier and issuance timestamp.
Browser Storage
Aurum uses browser-local storage to preserve your session state across page reloads. No personal data is stored:
- localStorage — stores your selected portfolio tickers (e.g. ["AAPL","MSFT"]). This data never leaves your browser.
- sessionStorage — caches fetched price data, market cap weights, and risk-free rate values to reduce redundant API calls within a session. Cleared when the tab is closed.
Analytics — Umami
Aurum uses Umami for privacy-friendly usage analytics. Umami:
- Does not use cookies
- Does not collect personal data or persistent identifiers
- Collects only aggregate metrics: page views, session counts, referrer, device type, and country (derived from IP, which is not stored)
- Is fully compliant with GDPR, PECR, and CCPA — no consent banner is required
- Data is stored in the EU (EU data region selected)
See Umami Privacy Policy.
Error Tracking — Sentry
Aurum uses Sentry to capture JavaScript errors and unhandled exceptions. When an error occurs, Sentry may collect:
- The error message and stack trace
- Browser type and version, operating system
- The URL where the error occurred
We do not intentionally send personal data to Sentry. Error reports are used solely to diagnose and fix technical issues. See Sentry Privacy Policy.
Market Data Sources
Portfolio data is sourced from Yahoo Finance and FRED (Federal Reserve Bank of St. Louis) via serverless proxy endpoints. Your queries are forwarded to these services with no personal identifiers beyond standard request headers (IP address, User-Agent). These requests are not logged or retained by us.
Third-Party Services
- Google Fonts — typography is loaded from fonts.googleapis.com. Google may log your IP address when serving font files. See Google Privacy Policy.
- Vercel — Aurum is hosted on Vercel, which may collect server access logs (IP address, request path, timestamp) for operational purposes. See Vercel Privacy Policy.
Your Rights (EEA / UK)
Aurum does not build user profiles or retain personal data beyond the session cookie described above. You may exercise your right to erasure at any time by logging out, which clears the session cookie. For data held by third-party services listed above, please contact those providers directly.
Changes to This Policy
We may update this policy as the platform evolves. The “Last updated” date at the top of this page will reflect any changes.
Contact
Questions about this policy can be directed to: novasect.space@proton.me