Privacy policy.
Last updated: 2026-06-02. This policy is in active draft; the firm is finalising it with external counsel prior to general institutional outreach. Material questions or correction requests may be sent to privacy@foliox.app.
Who we are
Vercis is the institutional research brand of FolioX, a Canadian sole-founder research entity (incorporation pending). FolioX is the data controller for the personal information described in this policy. Inquiries may be directed to the contact address above.
What we collect, and why
- Account information — name, work email address, firm name, role, and (optionally) firm type and approximate AUM band. Collected via self-serve sign-up (Clerk auth) and the institutional inquiry form. Used to authenticate subscribers, evaluate institutional inquiries, and reach you about the research.
- Portfolio data you upload — ticker, shares, asset class, and any free-text metadata you attach. Used to compute the diagnostics you see in the Equity / Fixed Income / Portfolio Analytics surfaces. Stored encrypted at rest. Not shared with any third party. Deleted when you delete the portfolio or close your account.
- Usage telemetry — page visits, session timestamps, errors, and aggregate counters. Collected via Vercel and the Clerk auth provider. Used to operate and improve the service; not used for advertising profiling.
- Email and notification preferences — the addresses at which you opt in to receive alerts, and your subscription state. We send only the alerts you have opted into.
We do not collect biometric data, government identifiers, health information, payment card numbers, or browsing history outside the portal.
How we use it
- To provide the portal's research and diagnostic features.
- To communicate with you about your subscription, the research, and material policy updates.
- To detect and prevent abuse, fraud, and unauthorised access.
- To comply with applicable Canadian and US legal and regulatory obligations.
We do not sell personal information. We do not share personal information with advertising platforms. We do not use personal information to train third-party AI models.
Service providers
We use a small set of operational vendors to run the service: Vercel (hosting), Clerk (authentication), Resend (transactional email), GitHub (signal-data storage and pipeline execution), Anthropic (the Claude model that generates monthly commentary; prompts and outputs do not include subscriber identifiers). Personal information is shared with these vendors only to the extent needed to operate the service and is governed by their respective privacy policies and our vendor agreements.
Your rights
Depending on where you reside, you may have the right to:
- Access the personal information we hold about you.
- Correct inaccurate or incomplete information.
- Delete your account and the personal information associated with it.
- Export your account data in a portable format.
- Opt out of email communications other than service-critical messages.
- Withdraw a previously given consent.
These rights are exercised by writing to privacy@foliox.app. We respond within 30 days under PIPEDA; sooner where shorter response windows apply (e.g. CCPA/CPRA).
Legal frameworks
FolioX is a Canadian entity; processing is governed by PIPEDA (the Personal Information Protection and Electronic Documents Act) and by Quebec Law 25 where applicable. For subscribers and form respondents resident in the United States, this policy additionally honours the access, correction, deletion, and opt-out rights afforded under the California CCPA/CPRA, the Virginia VCDPA, the Colorado CPA, the Connecticut CTDPA, the Utah UCPA, and analogous laws as they enter force. For subscribers in the European Union, we are working with counsel on a GDPR-compliant data-flow agreement; in the interim, EU residents may exercise equivalent access, rectification, and deletion rights via the contact address above.
Data location and retention
Operational data is hosted on Vercel infrastructure (United States and Canadian regions). Signal data is hosted on GitHub (United States). Authentication data is hosted by Clerk (United States). Personal information is retained for the duration of your subscription plus 12 months after closure for record-keeping, then deleted. Form submissions from /request-access that do not convert to a subscription are retained for 18 months and then deleted.
Security
Authentication runs over TLS 1.2+ via Clerk; portfolio data is encrypted at rest in the application database; signal pipeline secrets are stored in Vercel environment variables and rotated on schedule. The firm uses a least-privilege access model. In the event of a personal-information breach, affected individuals and applicable regulators will be notified per PIPEDA breach-notification timelines (real risk of significant harm) and per applicable state-law breach-notification statutes.
Changes
We will update this policy as the service evolves and as external counsel finalises the production version. Material changes will be notified via email to active subscribers at least 14 days before the change takes effect. The “Last updated” date at the top of this page reflects the most recent revision.