Privacy Policy
Last updated: 23 June 2026
This Privacy Policy explains how Private Hedge Limited collects, uses, shares and protects personal data when you visit privatehedge.co, use the Private Hedge platform at app.privatehedge.co, or purchase a subscription or private consultation from us. It also sets out the rights you have over your personal data and how to exercise them.
We have written this policy to be read alongside our Terms of Service and our Cookies Policy.
What's live today. Private Hedge currently offers paid risk-and-performance consultations. Our portfolio-monitoring platform at app.privatehedge.co — with accounts and read-only brokerage connections — is launching in stages. The parts of this policy that describe the platform, brokerage connections and portfolio data apply as those features go live; where a section refers to something not yet available, it explains how we will handle your data when it is.
In short
- We do not sell your personal data. We never have, and we have no plans to.
- We do not share your portfolio data, holdings, valuations or net worth for advertising. That information is used only to provide the risk-monitoring service you have asked for.
- Our connection to your brokerage is read-only. We can see your positions and prices; we can never move, trade or withdraw your assets.
- We use your data to run and improve the service, take payment, support you, and meet our legal obligations — and for nothing else without telling you.
- You stay in control. You can access, export, correct or delete your data, and withdraw consent, at any time.
The rest of this document is the detail behind those statements.
1. Who we are and how to contact us
Private Hedge Limited ("Private Hedge", "we", "us", "our") is the data controller responsible for the personal data described in this policy.
| Item | Details |
|---|---|
| Legal entity | Private Hedge Limited |
| Registered in | England and Wales |
| Company number | 17034376 |
| Registered office | Flat 620 New Providence Wharf, 1 Fairmont Avenue, London E14 9PF, United Kingdom |
| ICO registration | ZC174437 |
| Privacy contact | dataprotection@privatehedge.co |
| General/support contact | hello@privatehedge.co |
We are not required by law to appoint a statutory Data Protection Officer, but we have a named individual responsible for data protection. You can reach them at our privacy contact address above for any question or request relating to your personal data.
A note for non-UK users. Private Hedge is established in the United Kingdom and serves customers in the United Kingdom, the European Union and the United States. This policy is written around the UK GDPR framework and then sets out the additional rights that apply if you are in the EU/EEA (Section 11) or in the United States (Section 12). Where the law of your country gives you stronger protections, those protections apply.
2. The personal data we collect
We collect personal data in three ways: information you give us, information we generate when you use the service, and information we receive from the third parties you choose to connect.
Information you give us
- Account and identity data — your name, email address, password (stored only as a secure cryptographic hash, never in readable form), and the country and reporting currency you select.
- Authentication data — if you sign in using Apple, Google or Microsoft single sign-on, we receive a basic identifier and your email address from that provider. We do not receive your social-account password.
- Billing and contact data — billing name, billing address, and the country we use to determine the correct tax treatment. Card details are entered directly with our payment processor; see "Payment data" below.
- Risk preferences — the risk limits, thresholds and settings you configure.
- Consultation and support data — anything you tell us when you book an On-Track Briefing or Risk & Performance Review, attend a consultation, or contact our support team, including scheduling information and the content of your messages.
- Portfolio information you submit for a consultation — where you book a consultation, we ask you to complete and securely upload a portfolio template describing the investments you hold (for example instrument names, ticker symbols or ISINs, quantities or nominal amounts, currencies, and any cash or other holdings you choose to include), together with the name and email you use to submit it. You provide this so that your risk manager can measure and analyse the risk and performance of your portfolio in your session. You decide what to include, and you do not need to connect any account to provide it.
- Marketing data — your email address and preferences if you join our waitlist or opt in to receive updates.
Information we receive when you connect a brokerage
If you choose to connect a brokerage or investment account, we receive — on a strictly read-only basis, through our connectivity provider SnapTrade — information about your holdings: the positions you hold, quantities, cash balances, and (where available) transaction history from the point of connection. We use this only to consolidate, measure and monitor the risk of your portfolio. We never receive permission to move, trade or withdraw your assets, and your brokerage login credentials are held by SnapTrade and our brokers' own systems, never by Private Hedge.
You can also enter positions manually instead of connecting a brokerage.
Information we generate
- Usage and device data — IP address, browser type and version, operating system, device identifiers, pages and screens viewed, actions taken, timestamps, and approximate location derived from your IP address (for currency, tax and regional display).
- Diagnostic data — error reports and performance logs used to keep the service stable and secure.
- Risk outputs we calculate — Expected Shortfall, Stressed Expected Shortfall, stress-test results, performance and risk-return measures and the associated status indicators. These are derived from the portfolio data you provide and from independent market data; they describe your portfolio, they are not advice, and they are explained further in our methodology.
Payment data
Payments are processed by our payment processor, Stripe. When you pay, your card or payment-method details are collected and processed directly by Stripe under its own terms and security standards. Private Hedge does not collect, see or store your full card number. We receive confirmation of whether a payment succeeded, together with limited transaction metadata (for example the last four digits of the card, the card brand, and the billing country) needed to manage your subscription, issue receipts and handle refunds.
3. How we use your data, and our lawful bases
Under UK and EU data-protection law we must have a lawful basis for each use of your personal data. The table below sets these out.
| Purpose | Data used | Lawful basis (UK/EU GDPR) |
|---|---|---|
| Create and administer your account; authenticate you | Account, identity, authentication data | Performance of our contract with you (Art. 6(1)(b)) |
| Provide the risk-monitoring service — consolidate your portfolio, calculate and display risk and performance measures, monitor limits and send alerts | Portfolio data, risk preferences, market data, risk outputs | Performance of our contract (Art. 6(1)(b)) |
| Deliver consultations you have purchased or that are included in your plan | Consultation, scheduling and contact data | Performance of our contract (Art. 6(1)(b)) |
| Measure and analyse the portfolio you submit for a consultation, and prepare for and discuss your session | Portfolio information you submit, market data | Performance of our contract (Art. 6(1)(b)) |
| Take payment, manage subscriptions and renewals, issue receipts, handle refunds | Billing data, payment metadata | Performance of our contract (Art. 6(1)(b)); legal obligation for tax and accounting records (Art. 6(1)(c)) |
| Provide customer support | Support data, account data | Performance of our contract (Art. 6(1)(b)); our legitimate interest in helping our customers (Art. 6(1)(f)) |
| Keep the service secure, prevent fraud and abuse, and diagnose problems | Usage, device and diagnostic data | Our legitimate interest in a secure and reliable service (Art. 6(1)(f)); legal obligation (Art. 6(1)(c)) |
| Understand how the service is used and improve it | Usage data, analytics data (only where you have consented to analytics cookies) | Consent (Art. 6(1)(a)) for analytics cookies; otherwise our legitimate interest in improving the service (Art. 6(1)(f)) |
| Send you service messages (security, billing, important changes) | Account and contact data | Performance of our contract (Art. 6(1)(b)); legal obligation (Art. 6(1)(c)) |
| Send marketing updates | Marketing data | Consent (Art. 6(1)(a)); you can withdraw it at any time |
| Comply with legal and regulatory obligations and respond to lawful requests | Any relevant data | Legal obligation (Art. 6(1)(c)); our legitimate interest in establishing or defending legal claims (Art. 6(1)(f)) |
Where we rely on legitimate interests, we have considered your rights and interests and concluded that our processing does not override them. You can ask us about this assessment, and you can object to processing based on legitimate interests (see Section 11).
We do not make decisions about you that have legal or similarly significant effects solely by automated means. Our risk measures are computed automatically, but they are descriptive analytics about your portfolio — they do not approve or decline you for anything and they are not investment advice.
4. Cookies and similar technologies
We use cookies and similar technologies on privatehedge.co and the platform. Strictly necessary cookies are always active; analytics and any marketing technologies — not used at launch and introduced in a later phase — are used only with your consent. Full detail of each cookie, its purpose and duration, and how to change your preferences, is in our Cookies Policy.
5. Who we share your data with
We do not sell your personal data and we do not share your portfolio data for advertising. We share personal data only with the categories of recipient below, and only as needed.
Our service providers (sub-processors). We use carefully selected providers to run the service. Each is bound by a written contract that requires them to protect your data, use it only on our instructions, and assist us with our obligations to you.
| Provider | What they do for us | Personal data involved | Location |
|---|---|---|---|
| Stripe | Payment processing and invoicing | Billing data, payment metadata | EU / US |
| Vercel | Website hosting and content delivery | Usage and device data | US / EU |
| Namecheap | Domain registration and DNS hosting | IP address, technical DNS query data | US |
| Resend | Waitlist, transactional and product emails (sent from send.privatehedge.co) | Email address, name | US / EU |
| Microsoft 365 (Microsoft) | Business email and calendar, document and secure file storage — including the portfolio template you send for a consultation | Consultation and contact information; any data we handle in the course of supporting you | EU / US |
| Calendly | Scheduling and payment collection for consultations (card details are processed by Stripe, not Calendly) | Name, email, scheduling data | US |
| ipapi | Approximate-location lookup, to set your display currency | IP address | US / EU |
Added when our portfolio-monitoring platform launches. The following sub-processors are introduced only when the platform (with accounts, portfolio connections and risk analytics) goes live. They are not used by the current website, and we will update this list — with each provider named — before they begin processing any personal data.
| Provider | What they do for us | Personal data involved | Location |
|---|---|---|---|
| Database host | Secure database hosting for the platform | Account, portfolio, risk and billing-reference data | EU |
| SnapTrade | Read-only brokerage connectivity | Portfolio holdings and balances; brokerage credentials are held by SnapTrade, not by us | US / UK / EU |
| Upstash | Caching and queuing | Limited technical/session data | EU |
| Sentry | Error monitoring and diagnostics | Diagnostic and limited usage data | US / EU |
Introduced when we enable analytics and consent management (a later phase). We do not use analytics or marketing cookies at launch, and no consent banner is shown. When we introduce them, we will use the providers below and update this list — with each provider named — before they begin processing any personal data; they will run only with your consent.
| Provider | What they do for us | Personal data involved | Location |
|---|---|---|---|
| Cookiebot (Usercentrics) | Cookie-consent management and consent logging | Consent records, IP address | EU |
| Google Analytics 4 | Website analytics (consent-based) | Usage data, analytics identifiers | US / EU |
| PostHog | Product analytics (consent-based) | Usage data, analytics identifiers | EU / US |
We also rely on independent market-data sources, principally EODHD, for prices, historical data and reference data used in our calculations. We send these providers instrument identifiers (such as ticker symbols) — not your identity or your holdings — so they do not receive your personal data.
We keep our list of sub-processors current and will notify you of material changes where required.
Other recipients.
- Professional advisers — our accountants, auditors, lawyers and insurers, where reasonably necessary and under a duty of confidentiality.
- Authorities and legal claims — where we are required to disclose data by law, regulation or court order, or where disclosure is necessary to establish, exercise or defend legal claims.
- Business transfers — if we are involved in a merger, acquisition, financing or sale of assets, your data may be transferred as part of that transaction; we will tell you and ensure your rights remain protected.
6. International transfers
Some of our providers are located outside the United Kingdom and the European Economic Area, including in the United States. Where we transfer personal data internationally, we put in place an appropriate safeguard so that your data continues to be protected to a UK/EU standard. Depending on the destination, this is one of:
- a UK "adequacy" or EU adequacy decision, where one applies to the destination;
- the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses;
- the EU Standard Contractual Clauses; and, where relevant, the EU-US Data Privacy Framework and its UK extension, where a provider is certified.
You can ask us for more information about the safeguards that apply to a particular transfer using our privacy contact details.
7. How long we keep your data
We keep personal data only for as long as we need it for the purposes set out in this policy, and then delete or anonymise it.
- Active accounts. We keep your account and portfolio data for as long as your account is active.
- Closed accounts. When you close your account, it enters a read-only state for 30 days, during which you can export your data or reactivate. After 30 days, your account and associated personal data are permanently deleted, unless you have asked us to delete sooner or we are required to keep specific records for longer. You can request immediate deletion at any time.
- Portfolio information submitted for a consultation. We keep the portfolio template and the holdings details you submit only for as long as we need them to prepare, deliver and follow up your session, and in any event we securely delete them within 30 days of your session. You can ask us to delete them sooner at any time.
- Billing, tax and accounting records. We keep transaction and invoice records for as long as required by UK, EU and US tax and accounting law (generally six years in the UK).
- Consent records. We keep proof of your cookie and marketing consent for up to five years, so we can show that consent was properly obtained.
- Support and diagnostic data. We keep these for a shorter period, except where needed for security, to meet a legal obligation, or to handle a dispute.
- Marketing suppression. If you unsubscribe, we keep a minimal record of your email on a suppression list so that we do not contact you again.
8. How we protect your data
We use technical and organisational measures appropriate to the sensitivity of the data we hold, including:
- encryption of data in transit (TLS 1.3) and at rest (AES-256);
- a read-only brokerage connection — we never hold permission to move your assets, and your brokerage credentials are held by SnapTrade and your broker, not by us;
- access controls on a need-to-know basis, with strong authentication for our team;
- monitoring, logging and alerting to detect and respond to security events; and
- contractual security obligations on every provider that handles your data.
No method of transmission or storage is completely secure, and we cannot guarantee absolute security. We will notify you and the relevant authority of a personal-data breach where the law requires it.
9. Your data-protection rights (UK and EU/EEA)
If you are in the United Kingdom or the EU/EEA, you have the following rights over your personal data:
- Access — obtain a copy of the personal data we hold about you.
- Rectification — have inaccurate or incomplete data corrected.
- Erasure — have your data deleted in certain circumstances.
- Restriction — ask us to limit how we use your data in certain circumstances.
- Portability — receive certain data in a structured, machine-readable format, or have it sent to another provider where technically feasible.
- Objection — object to processing based on our legitimate interests, and object at any time to processing for direct marketing.
- Withdraw consent — where we rely on consent, withdraw it at any time, without affecting processing already carried out.
- Lodge a complaint — with a data-protection authority (see Section 12).
You can exercise most of these directly in your account: under Settings → Data you can export your portfolio and alert history and delete your account, and under Settings → Privacy you can manage cookie and marketing preferences. For anything else, contact our privacy address. We will respond within one month, and we will not charge a fee unless your request is manifestly unfounded or excessive. We may need to verify your identity before acting.
10. Your privacy rights (United States)
This section applies if you are a resident of a US state with a comprehensive consumer-privacy law, including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota, Maryland, Indiana, Kentucky, Rhode Island and Montana.
What we do and do not do. We do not sell your personal information, and we do not share it for cross-context behavioural advertising. We do not use or disclose sensitive personal information beyond what is necessary to provide the service you have requested.
The categories we collect are described in Section 2: identifiers (such as name and email), internet and device activity, commercial information (such as subscription and purchase history), geolocation (approximate, from IP), financial-account information you choose to connect, and inferences we generate as risk measures. We collect these from you directly, automatically as you use the service, and from the providers you connect.
Your rights, depending on your state, include the right to: know and access the personal information we hold; correct inaccurate information; delete your information; obtain a portable copy; opt out of any sale or sharing or targeted advertising (which we do not engage in); and not be discriminated against for exercising your rights. Where your state provides it, you also have rights in relation to profiling and to limit the use of sensitive personal information.
How to exercise them. Submit a request to our privacy contact. We will verify your identity and respond within the time your state law requires (for California, within 45 days, extendable once). An authorised agent or a parent acting for a minor may submit a request on your behalf. We honour browser-based Global Privacy Control (GPC) signals as a valid opt-out of sale/sharing.
11. Children
Private Hedge is intended for adults. The service is not directed to anyone under 18, and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.
12. Complaints and supervisory authorities
If you have a concern about how we handle your personal data, please contact us first using our privacy address — we would like the chance to put things right.
You also have the right to complain to a data-protection authority:
- United Kingdom — the Information Commissioner's Office (ICO), ico.org.uk.
- EU/EEA — the supervisory authority in your country of residence, place of work, or the place of the alleged infringement.
13. Third-party links and services
privatehedge.co and the platform may link to or integrate third-party websites and services (for example your broker, or external resources). We are not responsible for the privacy practices of those third parties, and we encourage you to read their privacy notices.
14. Changes to this policy
We may update this policy from time to time. When we do, we will change the "Last updated" date at the top, and where the change is material we will tell you by email or an in-product notice before it takes effect. Continuing to use the service after a change takes effect means you accept the updated policy.
15. Contact us
Questions about this policy or your personal data can be sent to:
Private Hedge Limited
Flat 620 New Providence Wharf, 1 Fairmont Avenue, London E14 9PF, United Kingdom
Privacy: dataprotection@privatehedge.co
Support: hello@privatehedge.co