Privacy Policy
Last updated: 3 April 2026
1. Who we are
lytixbase (lytixbase.com.au) is operated by Ayush Agarwal (ABN 57 903 016 091, sole trader) based in Queensland, Australia. In this policy, "we", "us", and "our" refer to lytixbase and its operator.
For privacy inquiries, contact us at support@lytixbase.com.au.
2. What data we collect
We collect the following categories of personal and financial data:
Account information
- Name and email address: from your Google or GitHub account during OAuth sign-in
- Profile image: from your OAuth provider
- OAuth tokens: encrypted at rest using AES-256-GCM; used solely for authentication
Financial data you provide
- Portfolio accounts: broker/account names, types, currencies
- Transactions: trade dates, symbols, quantities, prices, fees, and related details imported from broker CSV exports or entered manually
- Ledger balances: computed cash balances per account and currency
- Watchlists: symbols and assets you choose to watch
- Budget data: income streams, committed costs, spending logs, savings goals, and envelope allocations
Settings and preferences
- Display and base currency, tax settings, benchmarks, rebalancing targets, financial goals, notification preferences, privacy mode, default filters, and landing page preference
AI usage data
- Conversations and messages: stored for your chat history; automatically deleted after 90 days
- Token usage logs: input/output token counts, model used, cost units (for quota tracking)
- BYOK API keys: if you provide your own Anthropic or OpenAI key, it is encrypted at rest
Data we do NOT collect
- We do not collect passwords (authentication is via OAuth only)
- We do not use analytics or tracking cookies
- We do not collect device fingerprints or advertising identifiers
- We do not run ads or share data with advertisers
3. How we use your data
Your data is used solely to provide and improve the lytixbase service:
- Portfolio tracking: displaying your holdings, performance, and allocation
- Tax calculations: computing FIFO cost basis and CGT estimates
- AI features: providing context to AI models so they can answer questions about your portfolio (your data is sent to Anthropic or OpenAI only when you use AI features)
- Market data: fetching prices for symbols in your portfolio and watchlists
- Budget tools: tracking income, expenses, and savings
- Account management: authentication, trial tracking, subscription billing
We do not sell, rent, or share your personal or financial data with third parties for marketing or advertising purposes. We never will.
4. Third-party services
lytixbase uses the following third-party services to operate. Each has access only to the minimum data required for its function:
| Service | Purpose | Data shared |
|---|---|---|
| Vercel | Hosting and serverless functions | All request/response data passes through Vercel infrastructure |
| Neon | PostgreSQL database | All stored data (encrypted at rest by Neon) |
| Google / GitHub | OAuth authentication | Authentication tokens only |
| Yahoo Finance (via yahoo-finance2) | Market data and prices (community-maintained, not affiliated with Yahoo Inc.) | Stock symbols (no personal data) |
| Anthropic / OpenAI | AI features (when you use them) | Your messages and portfolio context for the active conversation |
| Stripe | Payment processing (PCI DSS Level 1 certified) | Email address and payment details. lytixbase never sees or stores your credit card number; all payment data is handled entirely by Stripe under their own terms of service |
5. Data security
We treat your financial data with the same seriousness as a bank treats account records. For full technical details, see our Security page.
- Application-level encryption: all financial data (transactions, budget entries, income streams, tax settings, alert thresholds, and more) is encrypted with AES-256-GCM before it reaches the database. Even with direct database access, an attacker would see only ciphertext.
- Row-Level Security: PostgreSQL RLS policies ensure each user can only access their own data at the database level
- HTTPS only: all data in transit is encrypted via TLS with HSTS preloading
- No plain-text secrets: OAuth tokens are encrypted at rest; MCP tokens are stored as SHA-256 hashes only; BYOK API keys are encrypted before storage
- Security headers: Content Security Policy, X-Frame-Options, Permissions-Policy, and other headers are configured to prevent common web attacks
- Rate limiting: all API endpoints are rate-limited to prevent abuse
- JWT sessions: session tokens are signed and short-lived; no sensitive data is stored in cookies
- Key rotation: encryption keys can be rotated without downtime or data loss
lytixbase is a solo-operated project. While we implement industry-standard security practices, no system is 100% secure. We are transparent about this and encourage you not to treat lytixbase as your sole record of financial data.
6. Data retention
- Account data: retained for as long as your account is active
- AI conversations: automatically deleted after 90 days
- AI usage logs: retained for quota tracking and billing reconciliation
- Market data cache: FX rates and security metadata cached locally; refreshed periodically
When you request account deletion, all your data (including account information, transactions, budgets, AI conversations, and settings) is permanently removed from our database. Deletion requests are processed within a few business days.
7. Cookies and tracking
lytixbase uses a single session cookie (a signed JWT) to keep you logged in. We do not use:
- Analytics cookies (no Google Analytics, no Mixpanel, no Hotjar)
- Advertising or tracking cookies
- Third-party tracking scripts
- Device fingerprinting
Because we only use a strictly necessary authentication cookie, no cookie consent banner is required under Australian privacy law.
8. Your rights
Under the Australian Privacy Principles (APPs), you have the right to:
- Access: request a copy of the personal data we hold about you
- Correction: request correction of inaccurate data
- Deletion: request deletion of all your data at any time
- Complaint: lodge a complaint with the Office of the Australian Information Commissioner (OAIC) if you believe we have handled your data improperly
To exercise any of these rights, email support@lytixbase.com.au.
9. Children
lytixbase is not intended for users under 18 years of age. We do not knowingly collect data from children. If you believe a minor has created an account, please contact us and we will delete it promptly.
10. International users
lytixbase is hosted on infrastructure that may be located outside Australia (Vercel and Neon use global infrastructure). By using the platform, you consent to the transfer and processing of your data in these jurisdictions. We ensure all third-party providers maintain appropriate data protection standards.
11. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via email or an in-app notice. The "Last updated" date at the top of this page reflects the most recent revision.
12. Contact
For privacy questions, data access requests, or concerns:
Email: support@lytixbase.com.au
OAIC: If you are not satisfied with our response, you may lodge a complaint with the Office of the Australian Information Commissioner.