Privacy Policy
InvestTrack attaches great importance to the protection of your personal data. In this privacy policy we explain which personal data we collect, why we do so, and what rights you have. This policy has been drafted in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG / UAVG).
Last updated: 2 March 2026
1. Data Controller
The data controller for the processing of personal data via InvestTrack is:
- Name: InvestTrack
- Email: privacy@investtrack.app
For questions about this privacy policy or the processing of your personal data, please contact us at the email address above.
2. What Personal Data Do We Process?
We process the following categories of personal data, depending on your use of the application:
2.1 Account Data
- Email address (required for registration and authentication)
- Display name (optional)
- Password (stored in encrypted form, never in plain text)
- Account preferences (currency, timezone, date format, number notation, theme setting)
2.2 Financial Data
- Portfolio data: names, descriptions, and currency settings of your investment portfolios
- Investment positions: type (stocks, crypto, real estate, private equity, savings, ETP, pension, loan), name, symbol/ISIN, quantity, cost basis, current value, acquisition date, notes, and tags
- Transactions: buy, sell, dividend, split, transfer, deposit, withdrawal, and fee transactions including amounts, prices, and dates
- Income: dividends, interest, rent, distributions, and staking rewards with expected and received amounts
- Valuations: historical value development of your investments
- Private equity: company names, investment amounts, sectors, valuations, and performance data
- Interest rates: interest rates for savings accounts and loans
2.3 Banking and Broker Data
When you choose to link bank or broker accounts:
- Bank connections via Tink: OAuth tokens, account numbers, IBAN, account names, balances, transactions, and investment positions
- Broker connections (Interactive Brokers, DeGiro): API tokens and transaction data
OAuth tokens and API tokens are stored in encrypted form (encryption at rest). Passwords for broker accounts are never permanently stored.
2.4 Imported Data
- CSV and Excel files you upload to import portfolio data
- File name, file size, and import status
- Data rows that could not be processed (for error reporting)
2.5 User Feedback
- Feedback messages you submit via the in-app feedback feature
- The page URL where the feedback was submitted
2.6 Technical Data
- Session cookies for authentication
- Error reports via Sentry (when enabled): technical error messages with anonymised session data. All text, input fields, and media are masked. Sensitive data such as passwords are automatically removed.
3. Purposes and Legal Bases
We process your personal data solely for the following purposes, with the corresponding legal basis (Article 6 GDPR):
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b) GDPR) |
| Management and display of your investment portfolio | Performance of a contract (Art. 6(1)(b) GDPR) |
| Automatic price updates and value calculations | Performance of a contract (Art. 6(1)(b) GDPR) |
| Synchronisation with banks and brokers | Explicit consent (Art. 6(1)(a) GDPR) |
| AI portfolio analysis (optional) | Explicit consent (Art. 6(1)(a) GDPR) |
| Import of CSV/Excel files | Performance of a contract (Art. 6(1)(b) GDPR) |
| Error tracking and performance monitoring (Sentry) | Legitimate interest (Art. 6(1)(f) GDPR) |
| Processing of user feedback | Performance of a contract (Art. 6(1)(b) GDPR) |
| Audit log for financial data | Legitimate interest (Art. 6(1)(f) GDPR) |
4. Sharing Data with Third Parties
We only share your personal data with third parties insofar as this is necessary for the provision of the service. We never sell your data to third parties.
4.1 Processors (Sub-processors)
| Service Provider | Purpose | Data | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, and storage | All account and financial data | EU (Frankfurt) |
| Vercel | Hosting and serverless functions | Request data (IP address, user agent) | EU/US |
| Sentry (optional) | Error tracking | Anonymised error reports | US |
4.2 External Data Providers
To retrieve price information and market data, requests are sent to external services. Only symbols/tickers are transmitted — no personal data:
- Yahoo Finance — stock prices and dividend data
- Financial Modeling Prep (FMP) — stock prices (backup)
- Google Finance — stock prices (fallback)
- CoinGecko — cryptocurrency prices
- ExchangeRate-API — exchange rates
- CBS (Statistics Netherlands) — housing price indices
- PDOK Location Server — address to municipality/province (for real estate valuation)
4.3 Banks and Brokers (at Your Request)
When you set up a bank or broker connection, data is exchanged with the relevant institution:
- Tink (Visa): Open Banking API for bank data — processed in accordance with PSD2
- Interactive Brokers: Flex Web Service for transaction data
- DeGiro: API for transaction and portfolio data
4.4 AI Analysis (Optional)
When AI portfolio analysis is available, only anonymised portfolio metrics (no names, no personal data) are sent to the Anthropic Claude API. This only occurs at your explicit request.
5. Transfers Outside the EU/EEA
Some of our service providers are located outside the European Economic Area (EEA). In such cases, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR:
- US-based services (Sentry, Anthropic, Vercel): EU-US Data Privacy Framework or Standard Contractual Clauses (SCC)
- EU-based services (Supabase EU): data remains within the EEA
6. Retention Periods
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Portfolio and investment data | Until you delete your account |
| Bank and broker connections | Until you disconnect or delete your account |
| Transaction data | Until you delete your account |
| Audit log | Maximum 2 years after the mutation |
| AI recommendations (cache) | 24 hours |
| Error reports (Sentry) | 90 days (Sentry default) |
| Import errors | Until you delete your account |
7. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse:
- Encryption at rest: all sensitive data, including OAuth tokens and API keys, are stored in encrypted form
- Encryption in transit: all communication takes place via HTTPS/TLS
- Row-Level Security (RLS): database policies that ensure users can only view and modify their own data
- Authentication: secured sessions via HTTP-only cookies with Secure and SameSite flags
- Audit log: all changes to financial data are recorded
- CSRF protection: OAuth flows are protected against Cross-Site Request Forgery
- Password policy: minimum 8 characters including an uppercase letter, lowercase letter, and digit
8. Your Rights
Under the GDPR you have the following rights:
- Right of access (Art. 15 GDPR): you may request which personal data we process about you
- Right to rectification (Art. 16 GDPR): you may have incorrect data corrected
- Right to erasure (Art. 17 GDPR): you may request the deletion of your data (“right to be forgotten”)
- Right to restriction (Art. 18 GDPR): you may request that processing be restricted
- Right to data portability (Art. 20 GDPR): you may receive your data in a structured, commonly used, and machine-readable format
- Right to object (Art. 21 GDPR): you may object to processing based on legitimate interest
- Right to withdraw consent (Art. 7(3) GDPR): where processing is based on consent, you may withdraw it at any time
You can exercise your rights by sending an email to privacy@investtrack.app. We will respond to your request within one month.
9. Cookies
InvestTrack uses only strictly necessary cookies for authentication and session management. We do not place tracking, marketing, or analytical cookies. Because these cookies are strictly necessary for the functioning of the service, no consent is required pursuant to Article 11.7a of the Dutch Telecommunications Act (Telecommunicatiewet).
10. Automated Decision-Making
InvestTrack does not use fully automated decision-making or profiling within the meaning of Article 22 GDPR. The optional AI portfolio analysis provides informational recommendations only and does not make decisions on your behalf.
11. Minors
InvestTrack is not intended for persons under the age of 16. We do not knowingly collect personal data from minors. If we discover that we have collected data from a minor, we will delete it immediately.
12. Complaints
If you have a complaint about the processing of your personal data, you can contact us at privacy@investtrack.app. You also always have the right to file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens):
- Website: www.autoriteitpersoonsgegevens.nl
- Phone: 088 - 1805 250
13. Changes
We reserve the right to amend this privacy policy. Material changes will be communicated via email or a notification in the application. The most recent version is always available on this page.