Privacy Policy

Last updated: 7 April 2026

1. Introduction

Maddison Inc. ("Company", "we", "us"), operating as Optimal Financial, is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the Optimal Financial platform ("Service").

2. Data We Collect

We collect the following categories of data:

• Account Information: Full name, email address, and password (stored as a bcrypt hash).
• Portfolio Data: Holdings, share quantities, cost basis, target weights, cash account balances, fixed asset values, and financial independence settings that you enter into the platform.
• Brokerage Credentials: Account identifiers and OAuth tokens for connected brokers, stored encrypted in AWS Secrets Manager.
• Documents: Files you upload to the document vault, stored encrypted in AWS S3.
• Usage Analytics: Pages visited, features used, session duration, IP address, browser type, and device information.
• Contact Information: Name, email, and message content submitted through our contact form.

3. How We Use Your Data

• To provide and maintain the Service, including portfolio tracking, governance scoring, and FI projections.
• To authenticate your identity and secure your account.
• To communicate with you about your account, including security alerts and service updates.
• To improve and develop the Service based on aggregated, anonymised usage patterns.
• To respond to your enquiries and support requests.

4. Data Storage and Security

All data is stored on Amazon Web Services (AWS) infrastructure in the US-East-1 (N. Virginia) region. We employ the following security measures:

• Encryption at rest (AES-256) for all databases and file storage.
• Encryption in transit (TLS 1.2+) for all data transmission.
• Passwords hashed with bcrypt (12 rounds).
• Secrets and API keys stored in AWS Secrets Manager.
• Web Application Firewall (WAF) and rate limiting on all endpoints.
• Regular security audits and infrastructure monitoring.

5. Data Sharing

We do not sell, rent, or trade your personal data to third parties. We may share data only in the following circumstances:

• Service Providers: AWS (infrastructure), Polygon.io (market data), and Anthropic (AI features) process data on our behalf under strict data processing agreements.
• Legal Requirements: When required by law, court order, or governmental authority.
• Business Transfer: In the event of a merger, acquisition, or sale of assets, with prior notice to affected users.

6. Data Retention

We retain your data for as long as your account is active. Upon account deletion, we remove your personal data within 30 days, except where retention is required by law. Aggregated, anonymised data may be retained indefinitely for analytics purposes.

7. Your Rights (GDPR-Aware)

Regardless of your location, we respect the following data rights:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate data.
• Erasure: Request deletion of your data ("right to be forgotten").
• Portability: Request your data in a machine-readable format.
• Restriction: Request that we limit processing of your data.
• Objection: Object to processing based on legitimate interests.

To exercise any of these rights, contact us at info@maddisoninc.ky. We will respond within 30 days.

8. Cookies

We use a single essential httpOnly session cookie (optfin_token) for authentication. We do not use tracking cookies, advertising cookies, or third-party analytics cookies.

9. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect data from children.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-platform notification at least 30 days prior to taking effect.

11. Contact

For privacy-related enquiries, contact our Data Protection Officer at:
Maddison Inc.
George Town, Grand Cayman
Cayman Islands
info@maddisoninc.ky