Privacy Policy

Last updated: 2026-04-20

1. Introduction

Onvo ("we," "our," or "the service") is committed to protecting the privacy of its users. This Privacy Policy describes what data we collect, how we use it, with whom we share it, and what your rights are as a data subject.

This policy applies to all users of the service available at onvo.ar and its subdomains.

2. Data We Collect

2.1 Account Data

  • Email address: used for authentication, service communications, and account recovery.
  • Name or alias (optional): if the user provides it through their profile.
  • Authentication provider: if you use Google OAuth, we receive your email and name from Google.

2.2 Portfolio Data

  • Asset tickers: the symbols of stocks, ETFs, or other instruments you register.
  • Transactions: date, type (buy/sell), number of shares, and unit price of each operation.
  • Holdings: your open positions in your portfolio at any given time.

2.3 Usage and Behavioral Data

  • Service usage patterns: pages visited, features used, access frequency — used to improve the experience and detect issues.
  • Technical information: IP address (stored as a hash to preserve privacy), browser type, operating system, and time zone.

2.4 Payment Data

We do not store credit card numbers or sensitive payment information. This information is processed directly by our payment providers (Mercado Pago or Stripe). We only retain subscription status and transaction references.

2.5 Consent Data

  • We record the date and version of the Terms of Service and this Privacy Policy that you accepted, along with a hash of your IP at the time of consent, for legal audit purposes.

3. Purpose of Data Processing

The data collected is used exclusively for:

  • Service delivery: calculating portfolio metrics, displaying performance, generating charts and analyses.
  • Authentication and security: verifying your identity and protecting your account.
  • Billing: managing your subscription and coordinating charges with payment processors.
  • Service communications: notifying you about important changes, term updates, or account issues.
  • Product improvement: analyzing usage patterns in an anonymized manner to improve the experience.
  • Legal compliance: maintaining records required by applicable Argentine regulations.

We do not sell or transfer your personal data to third parties for commercial or advertising purposes.

4. Third Parties with Data Access

To operate the service, we share data with the following providers under confidentiality and data processing agreements:

| Provider | Purpose | Data Shared | |---|---|---| | Supabase | Database and authentication | Email, portfolio data, account settings | | Mercado Pago | Payment processing (ARS) | Email, subscription reference | | Stripe | Payment processing (USD) | Email, subscription reference | | Vercel | Hosting and infrastructure | Access logs, IP address | | Polygon.io | Real-time market data | Queried tickers (no identity data) |

We do not transfer data to third parties beyond those listed above without prior notice and, where applicable, explicit consent.

5. Data Retention

We retain your personal data while your account is active. If you delete your account, we delete or anonymize your data within 30 days, except where we are legally required to retain it for a longer period (e.g., accounting records).

Access logs and technical information are retained for a maximum of 90 days.

6. Security

We implement technical and organizational measures to protect your data, including:

  • Encryption in transit (HTTPS/TLS 1.2+)
  • Encryption at rest for sensitive data
  • Password authentication with hashing (bcrypt)
  • Role-based access control via Row Level Security (RLS) in Supabase
  • Storage of IPs as hashes (SHA-256) rather than raw values

No system is 100% secure. In the event of a security breach affecting your data, we will notify you within the legally required timeframe.

7. Your Data Rights

You have the following rights over your data:

  • Access: know what personal data of yours we have stored.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion of your data when it is no longer necessary.
  • Objection: object to the processing of your data for certain purposes.

To exercise any of these rights, write to us at hola@onvo.ar indicating your name, registered email, and the right you wish to exercise. We will respond within the legally established timeframes.

If you are an Argentine resident, the National Directorate of Personal Data Protection (DNPDP) is the competent state body to receive complaints and claims.

8. Cookies and Similar Technologies

Onvo uses strictly necessary cookies for:

  • Maintaining your authenticated session.
  • Remembering your language preference (NEXT_LOCALE).

We do not use advertising tracking cookies or share data with advertising networks. A cookie consent banner is not required for strictly functional cookies.

9. Minors

The service is not directed at individuals under 18 years of age. We do not intentionally collect data from minors. If you are aware that a minor has created an account, contact us to proceed with its deletion.

10. Changes to This Policy

We may update this Privacy Policy periodically. Changes will be communicated with at least 7 days' notice via platform notification or email. Continued use of the service constitutes acceptance of the updated policy.

For changes involving new processing purposes or transfers to new third parties, we will request explicit consent.

11. Contact

For privacy inquiries, rights exercise requests, or complaints:

Email: hola@onvo.ar

We respond within 5 business days of receiving your inquiry.