Plain language summary: Cedrus is a personal wealth tracking tool. We collect only what we need to operate the app. We do not sell your data. We do not share your financial data with advertisers. You can request deletion of your data at any time.
1. Overview & Who We Are
This Privacy Policy describes how Cedrus ("we," "us," or "our") collects, uses, and protects the personal data of users ("you") of the Cedrus mobile application and website (collectively, the "Service").
Cedrus is an all-in-one personal wealth tracking application designed for residents of the United Arab Emirates and the Gulf Cooperation Council (GCC) region. We help users track crypto assets, stocks, real estate, savings, and receive AI-powered financial insights.
This policy is governed by and compliant with:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)
- UAE Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Health Fields (where applicable)
- DIFC Data Protection Law No. 5 of 2020 (for users accessing the Service from the Dubai International Financial Centre)
- ADGM Data Protection Regulations 2021 (for users accessing the Service from Abu Dhabi Global Market)
- Applicable data protection laws in Saudi Arabia, Qatar, Kuwait, Bahrain, and Oman
By using Cedrus, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Account & Identity Data
- Full name and email address (provided during registration)
- Password (stored in hashed/encrypted form — we never store plain-text passwords)
- Profile information you choose to provide (e.g., phone number)
- Referral codes used during signup
2.2 Financial Portfolio Data
- Cryptocurrency holdings (asset symbols and quantities you manually enter)
- Stock holdings (symbols, quantities, purchase prices you manually enter)
- Real estate property details (names, locations, values you manually enter)
- Savings and cash account balances you manually enter
- Budget and expense records you manually enter
Cedrus does not connect to your bank accounts, brokerage accounts, or any financial institution directly. All financial data is entered manually by you.
2.3 Technical & Usage Data
- Device type and operating system
- App usage patterns and feature interactions (anonymised)
- Error logs and crash reports
- IP address (collected by our infrastructure provider)
2.4 Communication Data
- Email address used for correspondence
- Messages you send to our support team
- Waitlist signup submissions from our website
3. How We Use Your Data
We use your data only for the following purposes:
- Service delivery: To create and manage your account, sync your portfolio data across devices, and provide the core features of the app
- AI Advisor: Portfolio data is used to generate personalised AI financial insights. This data is processed in real time and is not stored by our AI provider beyond the session
- Subscription management: To manage your free trial and paid subscription through Stripe
- Security: To detect fraud, abuse, or unauthorised access
- Communications: To send you service-related emails (account confirmations, password resets, subscription updates). We do not send marketing emails without your explicit consent
- Product improvement: Anonymised, aggregated usage data helps us improve the app
- Legal compliance: To comply with applicable UAE and GCC laws and regulations
We do not use your data for advertising, profiling, or selling to third parties under any circumstances.
4. Data Sharing & Third Parties
We share your data only with trusted service providers who are necessary for us to operate the Service. All third-party processors are bound by data processing agreements and are prohibited from using your data for their own purposes.
4.1 Our Service Providers
- Supabase Inc. — Database and authentication infrastructure. Your account data and portfolio data are stored on Supabase servers. Supabase is SOC 2 Type II certified.
- Stripe Inc. — Payment processing for subscriptions. Stripe is PCI DSS Level 1 certified. We do not store your card details.
- Anthropic PBC — AI language model powering the AI Advisor feature. Portfolio context sent to the AI is used only for generating your response and is not stored or used to train models.
- Vercel Inc. — Application hosting and content delivery.
- Binance Public API / Market Data Providers — Real-time price data. No personal data is shared with these providers.
4.2 Legal Disclosure
We may disclose your data if required by UAE law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cedrus, our users, or the public.
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified via email before any such transfer and given the option to delete your account.
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
5. Data Storage & Security
Your data is stored on secure cloud infrastructure provided by Supabase. Data may be stored in data centres located in the United States or European Union. We are working toward offering data residency options for UAE-based storage.
We implement the following security measures:
- All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Passwords are hashed using bcrypt — we cannot recover your plain-text password
- App-level PIN protection with SHA-256 hashing, stored locally on your device only
- Optional biometric authentication (Face ID / Touch ID) — biometric data never leaves your device
- Row-Level Security (RLS) enforced at the database level — users can only access their own data
- Automatic session expiry and re-authentication requirements
Despite these measures, no system is 100% secure. We encourage you to use a strong password and enable PIN protection within the app.
6. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you with the Service.
- Active accounts: Data is retained for the duration of your subscription and account activity
- Deleted accounts: Upon account deletion request, we delete your personal data within 30 days, except where we are required to retain it by law
- Financial transaction records: Stripe retains payment records for up to 7 years for financial compliance purposes
- Anonymised analytics: May be retained indefinitely as they cannot be linked to you
To request deletion of your account and data, contact us at privacy@cedrus.finance.
7. Your Rights Under UAE PDPL
Under UAE Federal Decree-Law No. 45 of 2021, you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request that we limit how we use your data in certain circumstances
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data for specific purposes
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@cedrus.finance. We will respond within 30 days as required by the UAE PDPL.
8. GCC Users
Cedrus is designed for users across the Gulf Cooperation Council, including Saudi Arabia, Kuwait, Qatar, Bahrain, and Oman. We are committed to respecting the data protection laws of all GCC member states.
- Saudi Arabia: We comply with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 of 1443H
- Qatar: We comply with Law No. 13 of 2016 on Personal Data Protection
- Bahrain: We comply with Personal Data Protection Law No. 30 of 2018
- Kuwait & Oman: We apply equivalent data protection standards in the absence of dedicated legislation
All currency values in the app are displayed in AED (UAE Dirham) or USD by default. No financial advice is provided — the app is a tracking and visualisation tool only.
9. Children's Privacy
Cedrus is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at privacy@cedrus.finance and we will delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Effective Date" at the top of this page
- Notify registered users via email for material changes
- Display an in-app notification for significant changes
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.