Privacy Policy

Effective Date: February 1, 2026

At Sreyo Twihu, the relationship between our platform and the individuals who use it starts with clarity about information stewardship. This document explains how details move through our systems, what purposes they serve, and where control remains in your hands.

We've organized this around the question most people ask first: what actually happens to the specifics you provide when working with our investment reporting tools? The answer depends on the nature of the interaction, so we'll walk through each scenario rather than presenting abstract categories.

Information We Derive From Your Activity

When you create an account, we record identifying elements: your chosen display name, the email address serving as your login credential, and a secured authentication token. Financial reporting requires context, so you may also provide details about portfolios, transaction histories, or asset allocations. These specifics enter our database because generating meaningful reports depends on accurate source material.

Registration Phase

During signup, we capture what you explicitly submit through form fields. The system timestamps this moment and assigns a unique identifier to your profile. Nothing beyond what appears on the registration screen enters our records at this stage.

Operational Interaction

As you navigate the platform, certain behavioral markers emerge automatically. Your browser transmits technical identifiers: IP address, device type, operating system version. We log which features you access, how long sessions last, and which reports you generate or download. These patterns inform our infrastructure decisions and help us spot unusual activity that might signal unauthorized access.

Communication Channels

Support requests, feedback submissions, or direct messages to our team become part of your profile history. We retain correspondence to maintain context during ongoing conversations and to improve response quality over time. If you reach us by phone, we note the date and general topic but do not record audio unless legally required and with your explicit consent.

One element we deliberately avoid: third-party tracking scripts that harvest browsing behavior across unrelated websites. Our visibility ends at the boundaries of sreyotwihu.com. For details about temporary browser storage and session management, consult our separate Cookie Policy — we keep those technical mechanisms separate from this discussion of information stewardship.

How We Work With What You've Shared

Every piece of information serves at least one operational necessity. We don't maintain profiles for abstract future purposes. Here's what drives our handling of your specifics:

Report Generation: Investment analytics only function when built on accurate data. Your portfolio positions, transaction logs, and market benchmarks feed into calculation engines that produce the visualizations and summaries you request. Without these inputs, the platform cannot fulfill its core purpose.

Account Administration: Authentication systems verify your identity each time you log in. Password reset mechanisms rely on the email address you provided during registration. Subscription status determines which features appear in your dashboard. These administrative functions require persistent access to profile elements.

Platform Improvement: Aggregated usage patterns — which features see heavy adoption, where users abandon workflows, which report types generate the most repeat requests — inform our development priorities. We analyze this in anonymized form, meaning we examine trends across the user base rather than scrutinizing individual behavior.

Security Monitoring: Unusual login attempts from unfamiliar locations trigger alerts. Rapid-fire API requests suggest automated abuse rather than human interaction. By comparing current activity against established baselines, we can identify and respond to potential threats before they compromise accounts.

Occasionally, legal obligations compel us to process information in ways not directly tied to service delivery. Tax authorities in Canada require certain financial reporting details. If a court order arrives with proper jurisdiction, we comply with its directives. These situations arise rarely, but we acknowledge them upfront rather than burying them in legalese.

What We Don't Do

  • Your financial specifics never feed marketing algorithms designed to serve targeted advertisements across external networks
  • We don't sell, rent, or barter user profiles to data brokers or analytics aggregators
  • Your email address won't appear on third-party mailing lists unless you explicitly opt into joint communications with identified partners
  • Portfolio details remain within our infrastructure and never get shared with investment product vendors seeking leads

External Entities That Receive Information

No modern web service operates in complete isolation. We depend on specialized providers for functions outside our core competency. Here's where your information flows beyond our direct control, and under what constraints:

Infrastructure Hosts

Our servers physically reside in data centers operated by a third-party hosting provider with facilities in Canada. This entity has technical access to underlying systems but operates under strict contractual prohibitions against examining or extracting customer data. They see encrypted volumes, not readable content.

Payment Processors

Subscription fees move through established financial networks. When you submit payment details, that information travels directly to our payment gateway partner. We receive confirmation of successful transactions and subscription status updates, but never see full credit card numbers or banking credentials. The processor handles compliance with financial industry security standards independently.

Email Delivery Services

Transactional messages — password resets, report completion notifications, billing confirmations — route through a dedicated email infrastructure provider. This partner receives message content and recipient addresses for delivery purposes only. They don't analyze message content for advertising purposes or maintain secondary databases of recipients.

Support Platform

Customer service interactions occur within a ticketing system provided by an external vendor. When you submit a support request, that conversation gets stored in their infrastructure along with associated account metadata needed for context. Access remains restricted to our support team and the vendor's operational staff under confidentiality terms.

In each case, contractual agreements mandate that these partners act solely as service providers rather than independent data controllers. They can't repurpose your information for their own commercial ventures. If any of these relationships change, we'll notify active users before new arrangements take effect.

One scenario falls outside normal operational flow: if Sreyo Twihu undergoes acquisition, merger, or significant restructuring, user information would transfer as part of business assets. Any successor organization would inherit the obligations outlined in this document unless they secure your consent to alternative terms.

Security Posture and Persistent Risks

We implement protections appropriate to the sensitivity of financial information. That means multiple defensive layers rather than relying on a single mechanism. But perfect security doesn't exist — only calculated risk management.

Active Safeguards

  • All data transmissions between your browser and our servers occur over encrypted connections using current TLS protocols
  • Passwords undergo one-way hashing before storage, meaning even our database administrators can't retrieve your original passphrase
  • Database access requires multi-factor authentication and remains logged for audit purposes
  • Application code undergoes regular security reviews to identify potential vulnerabilities before they're exploited
  • We maintain offline backups in geographically separate locations to ensure recovery capability if primary systems fail

Despite these measures, no internet-connected system achieves absolute invulnerability. Sophisticated attackers occasionally breach even well-defended targets. Software contains undiscovered flaws. Human error introduces unexpected gaps. We acknowledge these realities rather than making absolute safety promises.

If a security incident compromises user information, we'll notify affected individuals within 72 hours of confirming the breach. That notification will specify what information was exposed, what immediate steps you should take, and what remediation measures we're implementing.

Your own security practices matter enormously. A strong, unique password provides far better protection than any server-side measure if your credentials get compromised through phishing or credential reuse. Enable two-factor authentication if you handle sensitive portfolios. Log out when using shared devices. These basic precautions prevent most unauthorized access incidents.

Your Control and Access Rights

Several mechanisms let you exercise agency over information associated with your account. Some operate through automated tools, while others require direct communication with our team.

Immediate Self-Service Options

  • Profile editors let you modify contact details, display names, and notification preferences at any time
  • You can download a complete archive of your portfolio data and generated reports through account settings
  • Subscription management tools allow you to pause service or downgrade to limited features without deleting your account entirely

Request-Based Actions

Certain changes require manual intervention because they carry significant consequences or involve complex dependencies:

Account Closure and Data Removal

Email your deletion request to support@sreyotwihu.com from the address associated with your account. We'll confirm your identity, then remove all personally identifiable information within 30 days. Financial transaction records required for tax compliance remain in archived form for seven years as Canadian law mandates, but get stripped of identifiers linking them to you specifically.

Information Access Requests

You can request a detailed accounting of what information we hold about you, how it was obtained, and where it's been disclosed. We'll provide this documentation in machine-readable format within 45 days of receiving a verified request.

Correction Requests

If you spot inaccuracies in stored information, notify us with corrected details and supporting context. We'll update records within 15 business days and confirm the changes took effect.

Processing Limitations

In certain circumstances, you can request that we stop using specific information for particular purposes while maintaining your account. For example, you might want to preserve historical reports but prevent future portfolio analysis. We'll evaluate these requests individually since they sometimes conflict with service functionality.

If you believe we've handled your information improperly or violated applicable privacy regulations, you have the right to file a complaint with the Office of the Privacy Commissioner of Canada. We'd prefer to resolve concerns directly before matters reach regulatory escalation, but that option remains available at any time.

Questions and Formal Inquiries

This policy gets reviewed annually and updated whenever operational changes affect information handling practices. The effective date at the top reflects the most recent revision. Material changes that expand data usage or reduce protections will trigger direct notification to active users.

For clarifications, concerns, or formal privacy requests, reach our team through any of these channels:

Email: support@sreyotwihu.com
Phone: +1 519 808 9614
Mail: 43 Spruce St S, Kingsville, ON N9Y 1T8, Canada

We aim to respond to all privacy inquiries within five business days. Complex requests requiring legal review or technical investigation may take longer, but we'll acknowledge receipt immediately and provide estimated resolution timelines.