Privacy Policy
Last updated: March 2026
1. Data Controller
The data controller for this service is [Company Name / Your Name], contactable at [contact email].
2. Data We Collect
Account Data
- Email address
- Password (stored as a bcrypt hash, never in plaintext)
- Display name (optional)
Portfolio Data
- Portfolio names, descriptions, and currency settings
- Holdings: ticker symbols, share quantities, entry prices, ISINs
- Price snapshots fetched from market data providers
- Uploaded CSV files (processed and discarded, not stored)
AI Conversation Data
- Messages you send to the AI analysis feature
- AI-generated responses
Usage Data
- Pages visited, features used (via PostHog analytics, if enabled)
- Error reports (via Sentry, if enabled)
- IP address, browser type, device information
Payment Data
Payment processing is handled entirely by Stripe. We do not store your credit card number. We store only your Stripe customer ID and subscription status.
3. Why We Collect Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide the service (account, portfolios, tracking) | Contract fulfillment (Art. 6(1)(b)) |
| Process payments | Contract fulfillment (Art. 6(1)(b)) |
| AI portfolio analysis | Contract fulfillment (Art. 6(1)(b)) |
| Error monitoring and service stability | Legitimate interest (Art. 6(1)(f)) |
| Usage analytics to improve the service | Consent (Art. 6(1)(a)) |
4. Third-Party Services
We share data with the following third-party services to provide the Service:
| Service | Purpose | Data Shared |
|---|---|---|
| Anthropic (Claude AI) | CSV parsing, portfolio analysis | Portfolio holdings data, conversation messages |
| Yahoo Finance | Market data, price quotes | Ticker symbols only |
| Stripe | Payment processing | Email, payment details |
| PostHog | Product analytics | Anonymized usage data |
| Sentry | Error monitoring | Error details, stack traces |
5. Data Storage and Security
Your data is stored on servers located in the European Union (Germany). We use encryption in transit (HTTPS/TLS) and passwords are hashed using bcrypt. We implement reasonable security measures to protect your data, but no system is 100% secure.
6. Data Retention
We retain your data for as long as your account is active. If you delete your account, we will delete your personal data within 30 days. Some data may be retained longer if required by law (e.g., payment records for tax purposes).
7. Your Rights (GDPR)
Under the General Data Protection Regulation, you have the right to:
- Access — Request a copy of your personal data
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your data ("right to be forgotten")
- Portability — Request your data in a machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Withdraw consent for analytics at any time
To exercise any of these rights, contact us at [contact email]. We will respond within 30 days.
8. Cookies
We use essential cookies for authentication and session management. Analytics cookies (PostHog) are only set with your consent. You can manage cookie preferences in your browser settings.
9. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on the Service.
10. Contact and Complaints
For questions or concerns about this Privacy Policy, contact us at [contact email].
You also have the right to lodge a complaint with a data protection supervisory authority in the EU member state where you reside or work.