Security and Trust

The architectural and operational practices by which Gravenos protects the data entrusted to it, and the principles by which we disclose incidents.

Principles

Gravenos handles data on the principle of collecting the minimum necessary to deliver the service, retaining it for the minimum period consistent with that delivery, and protecting it with the controls that a reasonable professional would expect.

We do not sell data. We do not share data with marketing partners. We do not use behavioural advertising. These are not promotional claims; they are architectural commitments, evident from the absence in our codebase of any integration that would make them untrue.

What Data We Hold

On the corporate website (gravenos.com), we collect email addresses from newsletter subscribers and the content of contact-form submissions. On the Drusus platform (drusus.ai), we hold the data required to operate a subscription product: account identity (email and password hash), portfolio contents the user has chosen to record, watchlists, alert configurations, and analytical history.

Payment data is processed by Stripe. Gravenos does not store card numbers, CVCs, or full bank account details on its servers. The integration is designed so that this data never transits our systems at all.

Infrastructure

Our database and authentication layer is operated by Supabase, in the eu-north-1 region. The Drusus platform and the gravenos.com website are deployed on Vercel. Email is dispatched through Resend. Domains are registered through Cloudflare. Payments are processed by Stripe.

Each of these providers operates to a recognised security standard. None of them is unique to Gravenos; we have selected them because they are the established and credible choices in their respective categories. The trade-off involved in this choice is that our security posture is, in part, a function of theirs. We disclose incidents at any of these providers that have any plausible bearing on our users (see the news section).

Authentication

Accounts on the Drusus platform are authenticated via email and password. Passwords are stored as salted hashes; we do not, and cannot, retrieve a user's plain-text password. Single sign-on through major providers is available. Multi-factor authentication will be introduced ahead of the public launch.

Regulatory Position

Gravenos is registered in the United Kingdom. The Drusus platform produces analytical commentary, scenario models, and risk computations; it does not produce investment advice within the meaning of the FCA regulatory perimeter. We will, in due course, engage with the FCA Innovation Hub to seek formal confirmation of this perimeter position. Until that engagement is complete, the position stated here is our best professional assessment, supported by counsel's review of our Financial Disclaimer.

Data protection compliance is conducted under the UK GDPR and the Data Protection Act 2018. Registration with the Information Commissioner's Office is in progress.

Incident Disclosure

In the event of a security incident affecting Gravenos systems, or affecting any third-party provider in a way that has plausible bearing on Gravenos users, we will publish a notice in the News section of this website as promptly as the facts permit, and we will update that notice as the investigation proceeds.

We do not subscribe to the practice of issuing initial notices so vaguely worded that they convey nothing. Where the facts are uncertain, we say so; where it is not yet known whether data has been affected, we say which data is in question; where the scope is unknown, we say what is known and what is not. The corollary is that our notices may be longer than the industry norm. We believe this is the correct trade-off.

Reporting Vulnerabilities

If you believe you have identified a security vulnerability in any Gravenos system, we ask that you write to legal@gravenos.com with the details. We will acknowledge your report and, where appropriate, publicly credit the discovery once the issue is resolved.