# Regulatory posture
- Finaur provides education and analytics, not investment advice or portfolio management.
- No order routing, custody, or execution. Users remain responsible for their decisions.
- Country access may be limited where local rules require registration for advice or promotion.
# Allowed and prohibited language
Category | Examples |
---|---|
Allowed educational framing | Model, framework, scenario, historical backtest, simulator, educational report, bias insight, Discipline Score. |
Prohibited advice framing | Buy now, sell now, guaranteed results, risk free, financial advice, personalized recommendation. |
Risk language | Past performance is not a reliable indicator of future results. Simulations differ from live outcomes. |
# Content approval workflow
- Two-step review: the author prepares content and a Compliance reviewer approves it for publication.
- Advice linter blocks prohibited terms and fails the build until wording is fixed.
- Every publish action writes to an audit log with timestamp, author, reviewer, and content hash.
# Disclaimers and placement
- Global disclaimer on the legal Disclaimer page.
- Local disclaimers on Insights, Lab, and any page with strategy content or simulated results.
- Emails and PDFs include an educational use notice with a link to the full disclaimer.
# Transparency and archives
- Reports archive with publish dates and integrity hashes for verification.
- Scoreboard page shows outcomes versus public benchmarks where applicable.
- Methodology notes explain assumptions, data sources, and known limitations.
# GDPR data protection
- Data minimization and purpose limitation for account, billing, and educational analytics.
- Lawful bases listed in the Privacy Policy. Marketing runs only with consent.
- Processor DPAs in place. Standard Contractual Clauses where needed.
# Security and access control
- Role-based access control and row-level security for user data.
- Encryption in transit and at rest, signed URLs for object access.
- Audit trails for content changes and compliance approvals.
# Vendor management
Processor | Purpose | Safeguards |
---|---|---|
Supabase | Auth and Postgres | EU region if configured, SCCs for transfers |
Stripe | Payments | PCI controls, SCCs for transfers |
PostHog | Product analytics | EU hosting where available or SCCs |
Cloudflare | CDN and storage | Global edge, SCCs |
Resend or SendGrid | | Contractual DPAs, SCCs |
# Incident response
- Detection and classification with severity levels and ownership.
- Containment and remediation with timelines, postmortem when appropriate.
- Regulatory and user notifications when legally required.
# Vulnerability disclosure
If you believe you have found a security issue, contact us at hi@finaur.com. Provide steps to reproduce, affected areas, and your contact details. We appreciate responsible disclosure.
# Data retention and deletion
- Billing records kept as required for tax and accounting.
- Educational data such as journals and plans kept until the user deletes or requests erasure.
- Analytics data aggregated or anonymized after a limited period.
# User rights and DSAR
You can access, correct, delete, restrict, and export your personal data. To submit a data request, email hi@finaur.com from your account email with the subject Data Request. We may verify identity. We aim to respond within thirty days.
# Children
Finaur is not intended for children under sixteen. If such data is discovered, we delete it without delay.