Privacy Policy

Last Updated: March 2026

This Privacy Policy ("Policy") describes how Desert Frontier Advisors – FZCO ("DFA", "we", "us", or "our"), a company registered at Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates, collects, uses, stores, shares, and protects your personal data when you use the Desert Frontier Beta platform, website, and all related services (collectively, the "Platform"). By accessing or using the Platform, you acknowledge that you have read and understood this Policy. If you do not agree with our data practices, please do not use the Platform.

1. Information We Collect

We collect the following categories of personal data when you create an account, subscribe to our services, or interact with the Platform:

Account Information: Your email address (required), display name (optional), and a hashed password managed securely through Supabase Auth. We never store your password in plain text.

Subscription & Payment Data: Your subscription tier (Free or Pro), Stripe customer ID, the last four digits of your payment card, and card type (e.g. Visa, Mastercard). Full payment card numbers are never stored on our servers; all payment processing is handled by Stripe.

Usage Data: Login timestamps, pages visited within the Platform, IP address, device type, operating system, browser type and version, and referral source.

Cookies: We use essential cookies for session management and authentication, and non-essential cookies for analytics purposes (subject to your consent). See Section 8 for full details.

2. Legal Basis for Processing (GDPR)

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

Purpose | Legal Basis | Details
Account management | Contractual necessity | Required to create and maintain your account, authenticate your identity, and provide access to the Platform.
Payment processing | Contractual necessity | Required to process subscription payments, issue receipts, and manage billing through Stripe.
Marketing emails | Explicit consent (opt-in) | Research updates (The Dispatch, Reading the Dunes, Weekly Rebalance Notes), product updates, and promotional communications. Sent only with your explicit opt-in consent, which you may withdraw at any time.
Analytics | Legitimate interest | To understand how users interact with the Platform, identify areas for improvement, and measure engagement.
Security & fraud prevention | Legitimate interest | To detect, prevent, and respond to security incidents, fraudulent activity, and abuse of the Platform.

3. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Provide access to the Platform: Authenticate your identity, manage your account, and deliver content and features associated with your subscription tier.
  • Process payments: Facilitate subscription billing, process refunds where applicable, and maintain accurate financial records through our payment processor, Stripe.
  • Send transactional emails: Deliver essential communications including payment receipts, subscription confirmations, password reset links, and account security notifications.
  • Send marketing emails: With your explicit consent only, send newsletters, product updates, The Dispatch, Reading the Dunes, Weekly Rebalance Notes, and promotional content. You may unsubscribe at any time via the link in each email.
  • Improve the Platform: Analyse usage patterns and aggregate analytics to enhance performance, develop new features, and optimise the user experience.
  • Detect and prevent fraud: Monitor for suspicious activity, unauthorised access attempts, and abuse of the Platform to protect the security and integrity of our services and users.
  • Comply with legal obligations: Respond to lawful requests from regulatory and law enforcement authorities, and fulfil our obligations under applicable data protection legislation.

4. Third-Party Sharing

We share personal data only with trusted third-party service providers who assist in operating the Platform. Each provider has executed a Data Processing Agreement (DPA) with DFA and is contractually bound to process your data only in accordance with our instructions:

  • Stripe – Payment processing. Stripe is PCI DSS Level 1 certified, the highest level of payment security compliance. Stripe receives your payment card data directly; we never handle or store full card numbers.
  • Supabase – Database hosting and authentication. Supabase is SOC 2 Type II certified and provides secure storage for account data and manages the authentication flow.
  • Vercel – Application hosting and content delivery. Vercel hosts the Platform and processes requests including IP addresses for routing and performance optimisation.
  • Resend – Email delivery. Resend processes email addresses and message content to deliver transactional and marketing emails on our behalf.
  • Hetzner – Data pipeline server. Hetzner hosts our dedicated data processing infrastructure in the European Union for portfolio analytics and model computation.

We do not sell, rent, trade, or otherwise provide your personal data to third parties for their own marketing purposes. We will never sell your personal data.

5. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by law. Our specific retention periods are as follows:

  • Account data: Retained for the duration of your active subscription plus one (1) year after account closure or cancellation to allow for reactivation and to comply with legal retention requirements.
  • Payment data: Full payment card data is retained and managed by Stripe in accordance with their retention policies. We retain your Stripe customer ID and the last four digits of your card for three (3) years for accounting and dispute resolution purposes.
  • Marketing consent records: Retained until you unsubscribe from marketing communications. Records of consent and withdrawal are maintained for compliance purposes.
  • Server logs: Retained for thirty (30) days in active logs. Backup copies of server logs are retained for ninety (90) days before being permanently deleted.
  • Anonymised analytics: Aggregate, anonymised analytics data that cannot be used to identify individuals is retained indefinitely to support long-term platform improvements and reporting.

6. Your Privacy Rights

Depending on your jurisdiction, you may have the following rights with respect to your personal data under the GDPR, the UAE Personal Data Protection Law (PDPL), and other applicable data protection legislation:

  • Right of access: You have the right to request a copy of the personal data we hold about you and information about how it is processed.
  • Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to erasure: You have the right to request deletion of your personal data, subject to applicable legal retention requirements and legitimate business needs.
  • Right to data portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance.
  • Right to restrict processing: You have the right to request that we limit the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
  • Right to withdraw consent: Where processing is based on consent (such as marketing emails), you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.
  • Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority in your jurisdiction if you believe our processing of your personal data violates applicable data protection law.

To exercise any of these rights, please contact us at info@desertfrontieradvisors.com. We will respond to all legitimate requests within thirty (30) days of receipt. We may request verification of your identity before processing your request. If we require additional time to fulfil your request, we will notify you of the extension and the reasons for the delay.

7. International Data Transfers

Your personal data may be transferred to, stored in, and processed in countries outside your country of residence, including:

  • United States: Vercel (hosting and content delivery) and Stripe (payment processing) operate infrastructure in the United States.
  • European Union: Hetzner (data pipeline server) operates data centres within the EU, providing enhanced data protection under GDPR.
  • Global: Supabase (database and authentication) and Resend (email delivery) may process data across multiple regions as part of their globally distributed infrastructure.

Where personal data is transferred outside of the European Economic Area (EEA) or other jurisdictions with data transfer restrictions, we ensure appropriate safeguards are in place. These include Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our Data Processing Agreements with each service provider. Where applicable, we rely on adequacy decisions issued by relevant authorities recognising that the recipient country provides an adequate level of data protection.

8. Cookies

The Platform uses cookies and similar technologies to enhance your experience and ensure the proper functioning of our services.

Essential cookies are required for the Platform to function correctly. These include session cookies for maintaining your authenticated state and authentication tokens that verify your identity across requests. Essential cookies cannot be disabled as they are strictly necessary for the operation of the Platform.

Non-essential cookies (including analytics cookies) are used to understand how users interact with the Platform and to measure engagement. These cookies are only set with your explicit consent, obtained through our cookie consent banner displayed on your first visit.

Your cookie preferences are stored in the dfa_cookie_consent cookie on your device. You may change your cookie preferences at any time through the cookie settings link available in the Platform footer. Changing your preferences will take effect immediately for future page loads.

9. Security Measures

We implement robust technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • Encryption: All data is encrypted at rest and in transit using TLS 1.2 or higher. All communications between your browser and the Platform are secured via HTTPS.
  • Row-Level Security: Our database enforces Row-Level Security (RLS) policies, ensuring that each user can only access their own data. No user can query, view, or modify another user's records.
  • JWT-based authentication: Authentication is managed through JSON Web Tokens (JWTs) issued by Supabase Auth, providing stateless, cryptographically signed session verification.
  • Firewall and intrusion prevention: Our servers are protected by firewall rules and intrusion prevention systems that monitor for and block malicious traffic.
  • Regular security updates: All server software, dependencies, and infrastructure components are regularly updated and patched to address known vulnerabilities.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within seventy-two (72) hours as required under GDPR. Affected users will be notified without undue delay. Under the UAE Personal Data Protection Law (PDPL), we will notify the UAE Data Office and affected individuals within thirty (30) days of becoming aware of the breach.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or business operations. When we make material changes to this Policy, we will notify registered users by email at the address associated with their account prior to the changes taking effect.

Your continued use of the Platform after any changes to this Policy constitutes your acceptance of the updated terms. We encourage you to review this Policy periodically to stay informed about how we protect your data. Previous versions of this Policy are available upon request by contacting us at the email address below.

Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

info@desertfrontieradvisors.com

Desert Frontier Advisors – FZCO
Building A1, Dubai Digital Park, Dubai Silicon Oasis, Dubai, United Arab Emirates