Privacy Policy

Effective Date: February 24, 2026

The protection of your personal data is of particular concern to us. We treat the personal data you provide when using our website and services confidentially and in accordance with applicable data protection laws, including the EU General Data Protection Regulation ("GDPR"), the Spanish Ley Orgánica 3/2018 de Protección de Datos y Garantía de los Derechos Digitales ("LOPDGDD"), and the Ley 34/2002 de Servicios de la Sociedad de la Información y de Comercio Electrónico ("LSSI-CE").

This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have in relation to your data.

Personal data is any information relating to an identified or identifiable natural person (Article 4(1) GDPR).

Data Controller

[COMPANY_NAME], S.L.

[COMPANY_ADDRESS]

CIF: [CIF_NUMBER]

Email: hello@trackyourportfol.io

1. What Data We Collect

1.1 Account Data

When you register for an Account via our authentication provider (Supabase Auth), including sign-in through third-party OAuth providers (e.g., Google), we collect:

  • Email address (from your OAuth provider)
  • User alias (optional, provided by you)
  • Country of residence (provided by you)
  • Base currency preference (provided by you)

1.2 Financial Portfolio Data

When you use the Service, you may provide the following financial data:

  • Portfolio names
  • Transaction records: type (buy, sell, dividend, cash in, cash out), execution dates, quantities, prices, fees, currencies, and exchange rates
  • Asset holdings: stock symbols, ISINs, exchange information, and asset types
  • CSV import metadata: file names, row counts, and processing status (the CSV file content itself is processed in memory and is not permanently stored)

1.3 Billing Data

When you subscribe to the Pro plan, the following data is processed:

  • Stripe customer identifier
  • Subscription status and plan type
  • Trial period dates and billing cycle dates
  • Tax identification and billing address (collected by Stripe during checkout)

Important: Your credit card numbers and full payment details are processed and stored exclusively by Stripe. They never reach our servers and are never stored on them.

1.4 AI Usage Data

We track the number of AI-processed rows per billing cycle to manage usage quotas associated with your subscription.

1.5 Automatically Collected Data

  • Authentication session cookies: Strictly necessary cookies set by Supabase Auth to maintain your login session
  • IP address: Processed by our hosting infrastructure (Render.com, Supabase) as part of standard web server operations
  • Audit logs: Records of user actions (create, update, delete) on entities within the Service, maintained for security and data integrity purposes

1.6 Customer Support Data

If you contact us via email at hello@trackyourportfol.io, we will store and process your request, including all resulting personal data (e.g., name, email address, inquiry content), for the purpose of handling your support request.

2. How We Use Your Data

We process your personal data for the following purposes, each with a specific legal basis under Article 6(1) GDPR:

Purpose | Data Used | Legal Basis (GDPR)
Account creation and authentication | Email, alias, country, currency | Art. 6(1)(b) — contract performance
Providing portfolio tracking service | Portfolio data, transactions, assets | Art. 6(1)(b) — contract performance
CSV import processing (including AI-assisted parsing) | CSV file contents, transaction data | Art. 6(1)(b) — contract performance
AI-powered stock analysis | Stock symbols, public financial data | Art. 6(1)(b) — contract performance
Payment processing and subscription management | Stripe customer ID, billing data | Art. 6(1)(b) — contract performance
Transactional emails (welcome, billing) | Email address | Art. 6(1)(b) — contract performance
Customer support | Email, inquiry content | Art. 6(1)(b) — contract performance
Security, fraud prevention, audit logging | User actions, IP address | Art. 6(1)(f) — legitimate interest
Service improvement (anonymised and aggregated) | Usage patterns (anonymised) | Art. 6(1)(f) — legitimate interest
Legal compliance (tax, regulatory obligations) | All necessary data | Art. 6(1)(c) — legal obligation

3. AI Data Processing

The Service uses artificial intelligence features powered by third-party AI models accessed through OpenRouter, a routing service that connects to models from providers such as OpenAI (GPT), Anthropic (Claude), Google (Gemini), and xAI (Grok).

3.1 CSV Import Parsing

When you upload a CSV file for import, the file content (column headers and row data) may be sent to OpenRouter for AI-assisted parsing and transformation. Only the CSV row content and column headers are transmitted. No user identity information (email, name, or billing data) is included in these requests.

3.2 Stock Analysis

For AI-powered stock analysis, stock symbols and publicly available financial data (such as historical pricing) are sent to OpenRouter. No personal data is included in these requests.

3.3 AI Provider Terms

All AI model access is routed exclusively through OpenRouter. OpenRouter and its underlying model providers have their own data processing policies. Under their respective API terms, data submitted via API is generally not used for model training. We do not send user email addresses, names, or billing information to any AI provider.

4. Third-Party Data Processors

We use the following third-party service providers (processors) to operate the Service. Each processes data on our behalf under a data processing agreement in accordance with Article 28 GDPR:

Processor | Purpose | Data Shared | Location
Supabase | Authentication and database hosting | Account data, portfolio data, all user content | EU / US
Render.com | Web application hosting | IP address, request data (server logs) | US / EU
Stripe | Payment processing | Email, billing data, payment method details | US (EU safeguards)
OpenRouter | AI model routing (CSV parsing, stock analysis) | CSV content (anonymised), stock symbols, financial data | US
TwelveData | Market data (prices, dividends, profiles) | Stock symbol queries only | US
Finnhub | Analyst ratings and recommendations | Stock symbol queries only | US
Resend | Transactional email delivery | Email address, email content | US

Except in the cases described in this Privacy Policy, your personal data will not be disclosed to additional third parties or processors. If we are legally entitled or required to do so (e.g., due to applicable law or a court order), we may disclose your personal data.

5. International Data Transfers

Some of our third-party processors are based outside the European Economic Area (EEA), primarily in the United States. When your personal data is transferred to countries outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V (Articles 44–49).

These safeguards may include:

  • EU Standard Contractual Clauses (SCCs) in accordance with Commission Implementing Decision (EU) 2021/914
  • EU-US Data Privacy Framework adequacy decisions, where applicable
  • Processor certifications and compliance programmes (e.g., SOC 2)

We are happy to provide proof of suitable safeguards at any time upon request. Please contact us at hello@trackyourportfol.io.

6. Data Retention

We store your personal data only for as long as it is necessary to fulfil the purpose for which it was collected, or as required by law:

  • Account and portfolio data: Retained while your Account is active. Deleted within 30 days of Account deletion.
  • CSV files: Processed in memory during import and not permanently stored. Import metadata (file name, row counts, status) is retained as part of your Account data.
  • Billing data: Retained for a minimum of 6 years as required by Spanish tax law (Código de Comercio, Article 30).
  • Audit logs: Retained for up to 2 years for security and integrity purposes, then deleted.
  • Customer support correspondence: Retained until the purpose for storage no longer applies (e.g., after your request has been fully resolved), unless longer retention is required by law.
  • Anonymised and aggregated data: May be retained indefinitely, as it no longer constitutes personal data.

7. Cookies and Similar Technologies

The Service uses only strictly necessary cookies that are essential for the operation of the website:

  • Supabase authentication session cookies: Required to maintain your login session and authenticate requests. These cookies are set when you log in and are removed when you log out or when the session expires.

We do not use:

  • Analytics cookies (e.g., Google Analytics, Mixpanel)
  • Advertising or remarketing cookies
  • Third-party tracking pixels
  • Social media cookies

Since we use only strictly necessary cookies, consent is not required under LSSI-CE Article 22.2 (which exempts cookies that are technically necessary for the provision of the service). No cookie consent banner is displayed.

8. Your Data Protection Rights

Under the GDPR (Articles 15–22) and the LOPDGDD, you have the following rights regarding your personal data:

Right of Access (Art. 15)
You have the right to request a copy of the personal data we hold about you, including information about the purposes of processing, the categories of data, and the recipients.
Right to Rectification (Art. 16)
You have the right to request correction of inaccurate or incomplete personal data.
Right to Erasure / "Right to be Forgotten" (Art. 17)
You have the right to request the deletion of your personal data, subject to legal retention obligations.
Right to Restriction of Processing (Art. 18)
You have the right to request that we restrict the processing of your personal data under certain circumstances.
Right to Data Portability (Art. 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller.
Right to Object (Art. 21)
You have the right to object to the processing of your personal data where we rely on legitimate interest as the legal basis, including for direct marketing purposes.
Right Regarding Automated Decision-Making (Art. 22)
You have the right not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you. See Section 12 below for details on how this applies to our AI features.

How to Exercise Your Rights

To exercise any of these rights, please contact us at hello@trackyourportfol.io. We will respond to your request within 30 days. This period may be extended by two additional months for complex requests, in which case we will inform you of the extension and the reasons for it.

Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. In Spain, this is the Agencia Española de Protección de Datos (AEPD): www.aepd.es, C/ Jorge Juan 6, 28001 Madrid, Spain.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or destruction. These measures include:

  • Encryption of sensitive data at rest using industry-standard cryptographic methods
  • Row Level Security (RLS) policies on all database tables, ensuring Users can only access their own data
  • Authentication via Supabase Auth with OAuth 2.0 protocols
  • HTTPS/TLS encryption for all data transmitted between your browser and our servers
  • PCI-DSS compliant payment processing through Stripe (payment data never stored on our servers)
  • Access controls and service-role separation for backend operations

10. Children's Privacy

The Service is not intended for anyone under the age of 18. We do not knowingly collect personal data from minors.

If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at hello@trackyourportfol.io.

11. Data Breach Notification

In the event of a personal data breach, we will notify the competent supervisory authority (the AEPD) without undue delay and in any event within 72 hours of becoming aware of the breach, in accordance with Article 33 GDPR.

If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay, in accordance with Article 34 GDPR, providing information about the nature of the breach and the measures taken or proposed.

12. Automated Decision-Making and Profiling

The AI-powered features of the Service (stock analysis, CSV parsing) generate automated outputs based on the data provided. However, these outputs are for informational and educational purposes only.

You are not subject to decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you (Article 22 GDPR). The AI features do not make decisions about your account status, subscription, pricing, or access to the Service.

You can always override, disregard, or choose not to use any AI-generated content.

13. No Sale of Personal Data

We do not sell, trade, or rent your personal data to third parties. We do not share your personal data with third parties for their direct marketing purposes. Your data is shared only with the third-party processors listed in Section 4 above, solely for the purposes described in this Privacy Policy.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable law, or for other operational, legal, or regulatory reasons.

Material changes will be communicated to you at least thirty (30) days in advance via email or by a prominent notice on the Service. The "Effective Date" at the top of this policy will be updated accordingly.

Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acceptance of the changes. We encourage you to review this page periodically.

15. Contact and Supervisory Authority

If you have any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact us:

Data Controller: [COMPANY_NAME], S.L.

Address: [COMPANY_ADDRESS]

CIF: [CIF_NUMBER]

Email: hello@trackyourportfol.io

Supervisory Authority

Agencia Española de Protección de Datos (AEPD)

Website: www.aepd.es

Address: C/ Jorge Juan 6, 28001 Madrid, Spain

Phone: +34 91 266 35 17