What this is
Devil's Advocate is an internal-style fund manager tool. This page describes what data the application collects, why, and how to remove it. If anything here is unclear, contact the operator listed below.
What we collect
- Account data — your name, email, and profile picture as returned by Valyu after you sign in with your Valyu account. We don't store any passwords; authentication is handled entirely by Valyu via OAuth.
- Memo content — every thesis, area of concern, attached document, and reviewer note you submit, plus the multi-agent stress-test outputs generated against them.
- Audit trail — every prompt and response sent to our LLM and research providers, stored for reproducibility.
- Operational logs — timestamped request paths and error traces, retained for debugging.
What we don't collect
- No analytics, telemetry, or cookies beyond an auth session token.
- No advertising identifiers, no fingerprinting.
- No data is sold or shared with third parties for marketing.
Third parties we use
- OpenAI — receives memo content for stress-test generation. Subject to OpenAI's privacy policy.
- Valyu — handles authentication (OAuth) and receives query strings for research retrieval. Memo body is included as research context. When you're signed in, research calls are billed against your Valyu account credits.
- Railway — hosting infrastructure. Your data sits on encrypted disks within Railway's infrastructure.
Data retention
Active memos and account data are retained until you request deletion. Operational logs are rotated automatically. Audit-trail entries are retained as long as the parent memo exists; deleting a memo cascades to all associated traces.
Your rights
You can request full export or full deletion of your account data at any time by contacting the operator. We aim to respond within 14 days. If you're an EU/UK resident you also have rights under GDPR/UK-GDPR to access, correct, and erase personal data.
Security
Traffic is served over HTTPS with HSTS. Sign-in goes through Valyu via OAuth 2.0 with PKCE — we never see your Valyu password. Session tokens are signed JWTs with a server-only secret. Rate limiting protects the OAuth token exchange endpoints from replay attacks.
Contact
Questions, requests, or breach reports: please reach out via the contact channel published with this deployment.