Privacy Policy
This policy explains what personal information Prism Advisor Workspace handles, why, and how we protect it — for the advisors who use Prism and for the clients whose data advisors manage in it.
1. Two roles: controller and processor
Prism handles personal information in two distinct capacities, and it matters which applies:
- As a processor — for the household and client information an advisory firm enters or links into Prism (financial profiles, accounts, balances, plan data, messages). The firm is the controller of that data; Prism processes it only on the firm's instructions. Client requests about this data are directed to the firm. See our Data Processing Agreement.
- As a controller — for the information we collect directly to run the service and our relationship with the firm (advisor account details, billing, support, security logs).
2. Information we collect
| Category | Examples | Our role |
|---|---|---|
| Account & identity | Name, email, firm name, role; authentication handled by our auth provider (passwords are hashed by the provider — we never see them); Google sign-in identifier if used. | Controller |
| Client & household data | Financial profiles, accounts, balances, milestones, tasks, meetings, messages — entered by advisors or their clients. | Processor |
| Linked account data | Where a client connects an account through Plaid, the balances and account details returned, with the user's consent at link time. | Processor |
| Billing | Subscription status and customer identifiers from our payment processor (Stripe). We do not store full card numbers. | Controller |
| Technical & usage | IP address, browser/device data, timestamps, and an append-only audit log of meaningful actions for security and compliance. | Both |
| Cookies & local storage | A session token (to keep you signed in), a theme preference, and a demo-mode flag. We do not use third-party advertising trackers. | Controller |
3. How we use information
- To provide, secure, and support the service and authenticate users.
- To maintain an audit trail and records consistent with the record-keeping principles described in our security overview.
- To process subscriptions and billing.
- To detect, prevent, and investigate security incidents and misuse.
- To comply with legal obligations.
Where we act as controller, our legal bases (where the GDPR or similar laws apply) are performance of a contract, our legitimate interest in operating a secure service, your consent (for example, connecting an account via Plaid), and compliance with legal obligations.
4. Service providers (subprocessors)
We share information only with the vendors needed to run Prism, under contracts that require them to protect it. We do not sell personal information.
- Supabase — managed database, authentication, file storage, and serverless functions.
- Cloudflare — static hosting, content delivery, and edge security.
- Stripe — subscription payments.
- Plaid — secure account linking and aggregation (only when a user chooses to connect an account).
- Google — optional "Sign in with Google" authentication.
A current, itemized list lives in the Data Processing Agreement.
5. Where data is processed
Prism's infrastructure is operated in the United States. If you access Prism from outside the U.S., your information will be processed in the U.S.; where required, transfers rely on appropriate safeguards such as Standard Contractual Clauses.
6. Retention
We retain controller data for as long as your account is active and as needed to provide the service, then for any period required by law. Client data processed for a firm is retained per the firm's instructions and applicable record-keeping rules; advisory records are designed to be preserved in line with SEC Rule 17a-3 / 17a-4 record-keeping principles. On verified deletion, data is removed from active systems and from backups on our backup-rotation cycle.
7. Security
We protect information with row-level data isolation, encryption in transit, optional multi-factor authentication, least-privilege access, and an append-only audit trail. Details are in our security overview. No system is perfectly secure, but security is a first-class part of how Prism is built.
8. Your rights
Depending on where you live, you may have rights to access, correct, delete, or port your personal information, or to object to or restrict certain processing. To exercise rights over controller data, email privacy@prismaw.com. For client/household data held on behalf of a firm, please contact that firm; we will assist them as their processor.
9. Children
Prism is a business tool for advisory firms and is not directed to children under 18. We do not knowingly collect data from children.
10. Changes
We will update this policy as the service evolves and revise the "last updated" date above. Material changes will be communicated to firm administrators.
11. Contact
Questions or requests: privacy@prismaw.com.