Privacy Policy

1. Introduction

This Privacy Policy explains how Sortino ("SortinoLab", "we", "us", or "our") collects, uses, discloses, stores, and protects your personal information when you use the Sortino website and related services (the "Service").

We are committed to handling your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and other applicable privacy laws. By using the Service, you consent to the practices described in this Policy.

2. Information we collect

We aim to collect only the information we need to provide and secure the Service. The categories of personal information we collect are:

• Account information: the email address you use to sign in. We do not use or store passwords.
• Authentication and security data: one-time login codes (stored only as cryptographic hashes), session tokens (stored only as cryptographic hashes), and the IP address and browser user-agent associated with your sign-in, which we retain to operate and secure your session.
• Profile information: optional details you choose to add, such as your first name, last name, and display name.
• Preferences: settings such as your base currency (CAD or USD) and time zone.
• Account metadata: information such as your account status, whether your email is verified, your last sign-in time, and account creation and update timestamps.
• Waitlist information: if you sign up for our waitlist or updates, the email address you provide.

3. Information we do not collect

We do not collect passwords, payment card numbers, phone numbers, or physical addresses. We do not sell your personal information. Browsing of public securities filings is provided on a stateless basis and is not tied to your account or retained as a search history.

4. How we use your information

We use the personal information we collect to:

• Provide, operate, and maintain the Service and your account.
• Authenticate you and secure your account, including sending one-time login codes and detecting or preventing fraud, abuse, and security incidents.
• Remember your preferences and personalize aspects of your experience.
• Communicate with you about the Service, including service-related notices and, where you have signed up, product updates.
• Comply with our legal obligations and enforce our terms.

5. Cookies

We use a single, essential cookie to keep you signed in to your session. This cookie is set to be accessible only by our servers (HttpOnly), transmitted only over secure connections in production, and configured to limit cross-site use (SameSite). We do not use advertising cookies, third-party analytics, or tracking pixels, and product telemetry is disabled. Because the session cookie is strictly necessary to provide the Service, the Service may not function correctly without it.

6. Service providers and disclosure

We share personal information only as needed to operate the Service, and we require our service providers to protect it. We may disclose information to:

• Email delivery provider: to send you one-time login codes and service emails. Only the information necessary to deliver the email (such as your email address and login code) is shared.
• Waitlist and email provider: to manage waitlist and update subscriptions. Only your email address is shared.
• Data sources and infrastructure providers: such as the providers that host our servers and databases.

7. Public data sources

The Service makes publicly available financial information accessible, including securities filings sourced from the U.S. Securities and Exchange Commission (SEC) EDGAR system and related market data. We do not send your personal information to these public data sources in order to retrieve this information.

8. Where your information is stored

Your personal information is stored on servers located in the United States or Canada. Where information is stored or processed in the United States, it may be subject to the laws of that jurisdiction, including lawful access requests by courts, law enforcement, and government authorities. By using the Service, you acknowledge that your information may be transferred to and processed in these locations. We take steps intended to ensure your information receives a comparable level of protection wherever it is processed.

9. Data retention

We keep personal information only for as long as necessary for the purposes described in this Policy or as required by law. One-time login codes are short-lived and are automatically purged shortly after they expire. Session records expire and are automatically purged after their lifetime ends. We retain your account information for as long as your account is active, and for a reasonable period afterward as needed to comply with legal obligations, resolve disputes, and enforce our agreements.

You may request deletion of your account and associated personal information by contacting us at the address below, subject to any information we are required to retain by law.

10. How we protect your information

We use technical and organizational measures designed to protect your personal information. These include storing login codes and session tokens only as cryptographic hashes rather than in their original form, serving the Service over encrypted (HTTPS) connections, and restricting access to personal information. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security.

11. Your privacy rights

Subject to applicable law, you have the right to access the personal information we hold about you, to request that it be corrected or updated, to withdraw your consent to certain uses (which may limit your ability to use the Service), and to request deletion of your account. To exercise any of these rights, contact us at the address below; we may need to verify your identity before responding.

If you are in Canada and have an unresolved concern about how we handle your personal information, you may contact the Office of the Privacy Commissioner of Canada. Depending on where you live, you may also have rights under your provincial privacy regulator.

12. Children's privacy

The Service is not directed to children, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us so we can take appropriate steps to delete it.

13. Changes to this Policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the effective date above and, where appropriate, provide additional notice. Your continued use of the Service after changes become effective constitutes your acceptance of the revised Policy.

14. Contact us

If you have questions about this Policy or how we handle your personal information, contact us at [email protected]. See also our Terms of Service.