Privacy Policy

Last updated: May 2026

Contents

Information We Collect
How We Use Your Information
What We Do Not Do
No Brokerage Connection
Data Storage & Security
Email Communications
Cookies & Analytics
Third-Party Services
How We Protect Your Identity — Tier Separation
Data Retention & Deletion
Your Rights
Children's Privacy
Changes to This Policy
Contact

1. Information We Collect

We collect the following when you use Income Factory:

Email address — used for authentication and to deliver your weekly analysis.
Portfolio data — the stock symbols, share counts, and cost basis you enter.
Account type and tax bracket — you assign each holding an account type (taxable, Traditional IRA, Roth IRA, 401(k), HSA, or other tax-deferred) and select a tax bracket, which we use to show after-tax estimates.
Transaction history — the trades you log through the application, including premiums, strikes, and expirations.
Strategy preferences — your selected risk level (Conservative, Moderate, or Aggressive).
Usage data — pages visited, features used, and interaction timestamps.
Feedback you submit — ratings, free-text comments, and survey answers (for example, pricing questions) you choose to provide in the product or from our emails.

2. How We Use Your Information

We use your information to:

Generate covered call analysis based on the holdings you enter.
Deliver your weekly analysis and position-status emails.
Display your portfolio and income tracking to you, the logged-in user.
Authenticate your account through magic-link email.
De-identified, aggregate research. We use de-identified, aggregated holdings and outcome data to validate and improve our analysis engine. No individual user is identified in this research. (See "How We Protect Your Identity — Tier Separation.")
Improve the product and develop new features.

3. What We Do Not Do

Income Factory is committed to your privacy. We do not:

Sell, rent, or share your personally identifiable information with third parties, except the service providers needed to operate the product (for example, email delivery, hosting, and market data).
Serve advertisements or use your data for ad targeting.
Access, connect to, or place trades in your brokerage account (see "No Brokerage Connection").
Use your portfolio data for any purpose other than generating your analysis and the de-identified aggregate research described above.

4. No Brokerage Connection

Income Factory does not connect to your brokerage account. We do not import your positions automatically, we cannot see your balances or trades, and we never place, modify, or cancel orders. You enter your holdings yourself, and you place any trades yourself, directly with your own broker. [COUNSEL — confirm this affirmative no-access statement is the framing you want; it replaces the prior "Brokerage Connection (When Available)" section, which described deprecated functionality. If brokerage import is ever added later, this section must change.]

5. Data Storage & Security

Your data is stored on secured, US-based servers (DigitalOcean). All connections are encrypted in transit using TLS/SSL. Authentication uses magic-link email, so no passwords are stored. API keys are held as server-side environment variables and are never exposed to your browser.

While we take reasonable measures to protect your information, no method of electronic storage is completely secure, and we cannot guarantee absolute security. [COUNSEL — we intentionally claim encryption in transit only and do NOT claim encryption at rest. If at-rest encryption is later verified on the server, this section can be strengthened.]

6. Email Communications

We may send you these types of email:

Authentication emails — magic-link login emails. These are required and cannot be turned off.
Weekly analysis and status emails — your Friday analysis and updates on open positions. You can manage these in Settings.
Educational series — optional onboarding and covered-call "crash course" emails that you opt into. Each includes an unsubscribe link.
Service updates — important changes to the platform or to these policies.

We honor unsubscribe requests promptly, and our non-transactional emails include an unsubscribe link and our mailing address, as required by law. [COUNSEL — CAN-SPAM: confirm the address + unsubscribe requirements are met across all commercial email, including the weekly-analysis and reminder emails.]

7. Cookies & Analytics

Income Factory uses essential session cookies to keep you logged in. We also use Google Analytics to understand how the product is used; Google Analytics sets its own cookies and collects usage data subject to Google's privacy terms. We do not use advertising cookies, and we do not sell your data to advertisers. [COUNSEL — confirm whether a cookie-consent notice or banner is required for our user base and the jurisdictions we operate in, given Google Analytics is in use.]

8. Third-Party Services

We rely on the following third-party services to operate Income Factory:

Brevo — email delivery (magic links, weekly analysis, and the educational series).
Polygon.io — stock market data (prices and ticker details). Your personal data is not shared with Polygon; only symbol lookups are made on your behalf.
ORATS — options market data (option chains and implied volatility). Your personal data is not shared with ORATS; only symbol lookups are made on your behalf.
Anthropic — AI text generation (for example, plain-English market notes and analysis explanations). Prompts may include portfolio symbols and analysis figures; they do not include your name or email address.
DigitalOcean — cloud hosting (US-based).
Google Analytics — usage analytics (see "Cookies & Analytics").

We do not guarantee the accuracy, completeness, or timeliness of any third-party data, and we are not responsible for errors or interruptions originating from these providers.

9. How We Protect Your Identity — Tier Separation

Income Factory separates personal identifiers from analytical data using a pseudonymous-token architecture. This is implemented at the database layer, not as a policy promise.

PII tier (identity). A single internal table holds the only mapping from your account to a randomly generated, server-side identifier (your "subject token"). The subject token is a UUID — it is not derived from your email, name, or any other personal information.
Corpus tier (analysis). All analytical records — the analyses we generate, your action log, and the holdings snapshots the engine uses — are keyed by the subject token rather than your identity. They do not carry your email, name, or other directly identifying data, though they do contain your portfolio contents (symbols, share counts, and similar analysis inputs).

While the mapping table exists, this data is pseudonymous — it could in principle be linked back to you. When you request account deletion, we purge that mapping. Once it is purged, the link between you and any retained analytical records is severed irreversibly, and what remains is de-identified. [COUNSEL — Q4: confirm this PII-tier/corpus-tier description and the pseudonymous-until-purged distinction are accurate and sufficient.]

10. Data Retention & Deletion

We retain your account data for as long as your account is active. Your analysis and transaction history are kept so we can show you historical performance tracking.

You may request deletion of your account at any time. Upon deletion, we purge the identity mapping described in "Tier Separation," which severs the link between you and any retained analytical records. Those records may be kept in de-identified form for methodology research, because they no longer identify you.

Retention horizon: [TBD — pending counsel and operator decision. Working assumption is a ~7-year, SEC books-and-records-style period; counsel to confirm or correct (brief Q4).] Deletion requests are honored on request while the automated mechanism and the policy duration are finalized.

11. Your Rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you.
Request correction of inaccurate data.
Request deletion of your account and associated data.
Export your portfolio and analysis data.
Opt out of non-essential email communications.

To exercise any of these rights, contact us at the email below. [COUNSEL — confirm whether state-specific rights language (e.g., CCPA/CPRA for California residents) needs to be added.]

12. Children's Privacy

Income Factory is not intended for anyone under the age of 18. We do not knowingly collect personal information from children. If we learn that we have collected data from someone under 18, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or with a prominent notice in the application. Your continued use of Income Factory after changes take effect means you accept the revised policy.

14. Contact

For privacy-related questions or requests, contact us at privacy@incomefactory.ai. [Operator note — this inbox must be live and monitored before beta opens.]