Plain language summary: Cedrus is a personal wealth tracking tool. We collect only what we need to operate the app. We do not sell your data. We do not share your financial data with advertisers. You can request deletion of your data at any time.
1. Overview & Who We Are
This Privacy Policy describes how Cedrus ("we," "us," or "our") collects, uses, and protects the personal data of users ("you") of the Cedrus mobile application and website (collectively, the "Service").
Cedrus is an all-in-one personal wealth tracking application designed for residents of the United Arab Emirates and the Gulf Cooperation Council (GCC) region. We help users track crypto assets, stocks, real estate, savings, and receive AI-powered financial insights.
This policy is governed by and compliant with:
- UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (UAE PDPL)
- UAE Federal Law No. 2 of 2019 on the Use of Information and Communication Technology in Health Fields (where applicable)
- DIFC Data Protection Law No. 5 of 2020 (for users accessing the Service from the Dubai International Financial Centre)
- ADGM Data Protection Regulations 2021 (for users accessing the Service from Abu Dhabi Global Market)
- Applicable data protection laws in Saudi Arabia, Qatar, Kuwait, Bahrain, and Oman
By using Cedrus, you acknowledge that you have read and understood this Privacy Policy.
2. Data We Collect
2.1 Account & Identity Data
- Full name and email address (provided during registration)
- Password (stored in hashed/encrypted form; we never store plain-text passwords)
- Profile information you choose to provide (e.g., phone number)
- Referral codes used during signup
2.2 Financial Portfolio Data
- Cryptocurrency holdings (asset symbols and quantities you manually enter)
- Stock holdings (symbols, quantities, purchase prices you manually enter)
- Real estate property details (names, locations, values you manually enter)
- Savings and cash account balances you manually enter
- Budget and expense records you manually enter
Cedrus does not connect to your bank accounts, brokerage accounts, or any financial institution directly. All financial data is entered manually by you.
2.3 Technical & Usage Data
- Device type and operating system
- App usage patterns and feature interactions (anonymised)
- Error logs and crash reports
- IP address (collected by our infrastructure provider)
2.4 Communication Data
- Email address used for correspondence
- Messages you send to our support team
- Waitlist signup submissions from our website
2.5 Push Notification Data
- Device push notification token (generated by Apple APNs or Google FCM)
- This token is used solely to deliver price alerts and portfolio notifications you have enabled
- You can disable notifications at any time in your device Settings
3. How We Use Your Data
We use your data only for the following purposes:
- Service delivery: To create and manage your account, sync your portfolio data across devices, and provide the core features of the app
- AI Advisor: Your portfolio summary is sent to Anthropic's API to generate personalised insights within Cedar AI sessions. This data is processed in real-time per session. Anthropic does not store your data beyond the session and does not use it to train their models. See Section 4 for full details.
- Subscription management: To manage your free trial and paid subscription through Stripe
- Security: To detect fraud, abuse, or unauthorised access
- Communications: To send you service-related emails (account confirmations, password resets, subscription updates). We do not send marketing emails without your explicit consent
- Product improvement: Anonymised, aggregated usage data helps us improve the app
- Legal compliance: To comply with applicable UAE and GCC laws and regulations
We do not use your data for advertising, profiling, or selling to third parties under any circumstances.
4. AI Advisor & Data Processing
The Cedar AI feature is powered by Anthropic's Claude API. When you send a message to Cedar AI, the following data is included in the request sent to Anthropic:
- A summary of your portfolio (asset types, quantities, and values)
- Your conversation messages within the current session
The following data is never sent to Anthropic:
- Your name, email address, or any account identifiers
- Your PIN, biometric data, or authentication credentials
- Payment information
Important: Cedar AI is an informational tool only. Nothing it says constitutes financial, investment, tax, or legal advice. Always consult a licensed financial advisor before making investment decisions.
4.1 Anthropic Data Processing Agreement
Cedrus has a Data Processing Addendum (DPA) in place with Anthropic PBC, incorporated into Anthropic's Commercial Terms of Service. The full DPA is available at anthropic.com/legal/data-processing-addendum. Under this agreement, Anthropic is prohibited from using your data to train their models or for any purpose other than delivering the API response.
4.2 Chat History
Cedar AI conversation history exists only for the duration of your active session. It is not stored in our database, not linked to your account, and is permanently discarded when you close the AI chat or restart the app.
5. Cookies & Website Tracking
Our website (cedrus.finance) uses cookies and third-party tracking tools to understand how visitors use the site. We only activate tracking after you have given explicit consent via our cookie consent banner.
5.1 Tracking Tools We Use
- Google Analytics (GA4): Collects anonymised usage data such as pages visited, time on site, and device type. Used to improve our website content. Data is processed by Google LLC under their privacy policy.
- Meta Pixel (Facebook Pixel): Tracks website visits to measure the effectiveness of our advertising campaigns on Facebook and Instagram. Data is processed by Meta Platforms Inc. under their data policy.
5.2 Your Cookie Choices
When you first visit cedrus.finance, a consent banner is displayed. Tracking tools are not activated unless you click "Accept." If you click "Decline," no tracking cookies are set and no data is sent to Google or Meta.
You can change your preference at any time by clearing your browser's local storage for cedrus.finance, which will cause the consent banner to reappear on your next visit.
5.3 The Mobile App
The Cedrus iOS app does not use cookies. Analytics within the app are limited to anonymised crash reporting and feature usage data collected by Supabase.
6. Data Sharing & Third Parties
We share your data only with trusted service providers who are necessary for us to operate the Service. All third-party processors are bound by signed Data Processing Agreements (DPAs) and are prohibited from using your data for their own purposes.
6.1 Our Service Providers
- Supabase Inc. — Database and authentication infrastructure. Your account data and portfolio data are stored on Supabase servers. Supabase is SOC 2 Type II certified. DPA signed.
- Anthropic PBC — AI language model powering the Cedar AI feature. Portfolio context sent to the AI is used only for generating your response and is not stored or used to train models. DPA in place via Anthropic's Commercial Terms of Service.
- RevenueCat Inc. — Subscription and in-app purchase management. RevenueCat is PCI-DSS compliant. We do not store your card details.
- Vercel Inc. — Website hosting and content delivery.
- Apple Inc. — For users subscribing through the iOS App Store, Apple processes in-app purchase payments. Apple's use of your data is governed by the Apple Privacy Policy.
- Google LLC — Google Analytics (GA4) for website analytics, activated only after cookie consent.
- Meta Platforms Inc. — Meta Pixel for advertising measurement on our website, activated only after cookie consent.
- Market Data Providers — Public APIs for real-time crypto and stock prices. No personal data is shared with these providers.
6.2 Legal Disclosure
We may disclose your data if required by UAE law, court order, or government authority, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Cedrus, our users, or the public.
6.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your data may be transferred. You will be notified via email before any such transfer and given the option to delete your account.
We do not sell, rent, or trade your personal data to any third party for commercial purposes.
7. Data Storage & Security
Your data is stored on secure cloud infrastructure provided by Supabase. Data may be stored in data centres located in the United States or European Union. We are working toward offering data residency options for UAE-based storage.
We implement the following security measures:
- All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS)
- Passwords are hashed using bcrypt; we cannot recover your plain-text password
- App-level PIN protection with SHA-256 hashing, stored locally on your device only
- Optional biometric authentication (Face ID / Touch ID); biometric data never leaves your device
- Row-Level Security (RLS) enforced at the database level; users can only access their own data
- Automatic session expiry and re-authentication requirements
Despite these measures, no system is 100% secure. We encourage you to use a strong password and enable PIN protection within the app.
8. Data Retention
We retain your personal data for as long as your account is active or as needed to provide you the Service.
- Active accounts: Data is retained for the duration of your subscription and account activity
- Deleted accounts: Upon account deletion request, we delete your personal data within 30 days, except where we are required to retain it by law
- Financial transaction records: Stripe retains payment records for up to 7 years for financial compliance purposes
- Anonymised analytics: May be retained indefinitely as they cannot be linked to you
To request deletion of your account and data, contact us at privacy@cedrus.finance.
9. Your Rights Under UAE PDPL & GDPR
Under UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL) and the EU General Data Protection Regulation (GDPR, where applicable), you have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restriction: Request that we limit how we use your data in certain circumstances
- Right to Data Portability: Request your data in a structured, machine-readable format
- Right to Object: Object to processing of your personal data for specific purposes
- Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, contact us at privacy@cedrus.finance. We will respond within 30 days as required by the UAE PDPL.
10. GCC Users
Cedrus is designed for users across the Gulf Cooperation Council, including Saudi Arabia, Kuwait, Qatar, Bahrain, and Oman. We are committed to respecting the data protection laws of all GCC member states.
- Saudi Arabia: We comply with the Saudi Personal Data Protection Law (PDPL) issued by Royal Decree No. M/19 of 1443H
- Qatar: We comply with Law No. 13 of 2016 on Personal Data Protection
- Bahrain: We comply with Personal Data Protection Law No. 30 of 2018
- Kuwait & Oman: We apply equivalent data protection standards in the absence of dedicated legislation
All currency values in the app are displayed in AED (UAE Dirham) or USD by default. No financial advice is provided; the app is a tracking and visualisation tool only.
11. Children's Privacy
Cedrus is not directed at children under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us immediately at privacy@cedrus.finance and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will:
- Update the "Effective Date" at the top of this page
- Notify registered users via email for material changes
- Display an in-app notification for significant changes
Your continued use of the Service after changes are posted constitutes your acceptance of the updated policy.
13. Account Deletion & Data Export
You can permanently delete your Cedrus account and all associated data directly within the app:
- Open the app → go to Settings → scroll to the bottom → tap Delete Account
- Confirm the deletion when prompted
- All your personal data and portfolio data will be permanently deleted within 30 days
Alternatively, you can request account deletion by emailing privacy@cedrus.finance.
Note: If you subscribed through the iOS App Store, you must also cancel your subscription separately via iPhone Settings → Apple ID → Subscriptions. Deleting the app or your account does not automatically cancel an active App Store subscription.
13.1 Download Your Data
You can export all your personal data at any time without deleting your account. This includes your account information, full portfolio, real estate, savings, goals, and liabilities:
- Open the app → go to Settings → tap Download My Data
- A CSV file will be generated and shared to your device
This satisfies your right to data portability under UAE PDPL and GDPR.