InvestTrack Privacy Policy
Version: March 2026
InvestTrack attaches great importance to the protection of your personal data. This policy explains which personal data we collect, why we do so, how long we retain it, which third parties are involved, and what rights you have. It has been drafted in accordance with the General Data Protection Regulation (GDPR) and the Dutch GDPR Implementation Act (Uitvoeringswet AVG / UAVG).
This policy forms part of, and should be read together with, the Terms of Use and the Cookie Policy. Questions? Contact us at privacy@investtrack.net.
1. Data Controller
The data controller for the processing of personal data via InvestTrack is:
Legal entity: InvestTrack (sole proprietorship)
Registered address: [Full street address, postal code], Hilversum, The Netherlands
Chamber of Commerce (KVK): [Insert 8-digit KVK number]
Privacy contact: privacy@investtrack.net
Billing enquiries: hello@investtrack.net
Supervisory authority: Autoriteit Persoonsgegevens — autoriteitpersoonsgegevens.nl
For questions about this policy or the processing of your personal data, please contact us at the privacy email address above. If you reside in another EU/EEA member state, the Autoriteit Persoonsgegevens is the lead supervisory authority. You retain the right to lodge a complaint with the supervisory authority of your country of habitual residence.
2. Personal Data We Process
We collect only the personal data that is necessary for the purposes described in this policy (data minimisation, "dataminimisatie", Article 5(1)(c) GDPR).
2.1 Account Data
- Email address (required for registration and authentication)
- Display name (optional)
- Password (stored in encrypted form; never in plain text)
- Account preferences (currency, timezone, date format, number notation, theme setting)
2.2 Financial Data
- Portfolio data: names, descriptions, and currency settings of your investment portfolios
- Investment positions: type (stocks, crypto, real estate, private equity, savings, ETP, pension, loan), name, symbol/ISIN, quantity, cost basis, current value, acquisition date, notes, and tags
- Transactions: buy, sell, dividend, split, transfer, deposit, withdrawal, and fee transactions including amounts, prices, and dates
- Income: dividends, interest, rent, distributions, and staking rewards with expected and received amounts
- Valuations: historical value development of your investments
- Private equity: company names, investment amounts, sectors, valuations, and performance data
- Interest rates: interest rates for savings accounts and loans
2.3 Broker Data
When you choose to link broker accounts:
- Interactive Brokers: API tokens and transaction data
- DeGiro: API tokens and transaction data
API tokens are stored in encrypted form (encryption at rest). Passwords for broker accounts are never permanently stored.
2.4 Imported Data
- CSV, Excel, and PDF files you upload to import portfolio data
- File name, file size, and import status
- Data rows that could not be processed (for error reporting)
2.5 User Feedback
- Feedback messages submitted via the in-app feedback feature
- The page URL where the feedback was submitted
2.6 Billing Data
When you subscribe to a paid plan:
- Subscription status and billing interval (monthly/yearly)
- Payment information is processed by Stripe and is not stored by InvestTrack. Stripe stores your payment method details, billing address, and VAT identification number (if provided) in accordance with Stripe’s Privacy Policy.
- We store a Stripe customer identifier and subscription identifier to link your account to your Stripe billing record.
- Cancellation survey responses (reason and optional details) if you cancel your subscription.
2.7 Technical Data
- Session cookies for authentication — see the Cookie Policy for details
- Error reports via Sentry (when enabled): technical error messages with anonymised session data. All text, input fields, and media are masked. Sensitive data such as passwords are automatically removed.
Data we do not collect: We do not collect special categories of personal data (Article 9 GDPR), government ID numbers, precise geolocation data, or advertising identifiers. We do not sell your data to third parties.
3. Purposes and Legal Bases
We process your personal data solely for the following purposes, with the corresponding legal basis under Article 6 GDPR:
| Purpose | Legal Basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Management and display of your investment portfolio | Performance of a contract (Art. 6(1)(b)) |
| Automatic price updates and value calculations | Performance of a contract (Art. 6(1)(b)) |
| Synchronisation with brokers | Explicit consent (Art. 6(1)(a)) |
| AI portfolio analysis (optional) | Explicit consent (Art. 6(1)(a)) |
| Import of CSV/Excel/PDF files | Performance of a contract (Art. 6(1)(b)) |
| Error tracking and performance monitoring (Sentry) | Legitimate interest (Art. 6(1)(f)) |
| Processing of user feedback | Performance of a contract (Art. 6(1)(b)) |
| Subscription billing and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Transactional emails (receipts, billing notifications) | Performance of a contract (Art. 6(1)(b)) |
| Audit log for financial data | Legitimate interest (Art. 6(1)(f)) |
| Security, fraud prevention, and abuse detection | Legitimate interest (Art. 6(1)(f)) |
| Legal compliance and dispute resolution | Legal obligation (Art. 6(1)(c)) |
Where we rely on legitimate interest as our legal basis, our interest does not override your fundamental rights. You may object to such processing at any time (see Section 7). Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
4. Sharing Data with Third Parties
We only share your personal data with third parties insofar as necessary for the provision of the service. We never sell your data to third parties. All processors are bound by a Data Processing Agreement (DPA) in accordance with Article 28 GDPR.
4.1 Processors (Sub-processors)
| Service Provider | Purpose | Data | Location |
|---|---|---|---|
| Supabase (AWS) | Database, authentication, and storage | All account and financial data | EU (Frankfurt) |
| Vercel | Hosting and serverless functions | Request data (IP address, user agent) | EU (primary) / US |
| Stripe Payments Europe, Ltd (Ireland) | Payment processing and subscription billing | Email address, payment method, billing address, VAT ID (if provided) | EU (Ireland) / US |
| Resend | Transactional email delivery | Email address | US |
| Sentry (optional) | Error tracking | Anonymised error reports | EU (Frankfurt) |
4.2 External Data Providers
To retrieve price information and market data, requests are sent to external services. Only symbols and tickers are transmitted — no personal data:
- Yahoo Finance — stock prices and dividend data
- Financial Modeling Prep (FMP) — stock prices (backup)
- Google Finance — stock prices (fallback)
- CoinGecko — cryptocurrency prices
- ExchangeRate-API — exchange rates
- CBS (Statistics Netherlands) — housing price indices
- PDOK Location Server — address to municipality/province (for real estate valuation)
4.3 Brokers (at Your Request)
When you set up a broker connection, data is exchanged with the relevant institution:
- Interactive Brokers: Flex Web Service for transaction data
- DeGiro: API for transaction and portfolio data
4.4 AI Analysis (Optional)
When AI portfolio analysis is used, only anonymised portfolio metrics (no names, no personal data) are sent to the Anthropic Claude API. This only occurs at your explicit request and with your consent.
4.5 Disclosure by Law
We may disclose personal data if required to do so by applicable law, court order, or governmental authority, or to protect the rights, property, or safety of InvestTrack, our users, or others. We will inform you of any such disclosure to the extent permitted by law.
5. Transfers Outside the EU/EEA
Some of our service providers are located outside the European Economic Area (EEA), or are US-headquartered entities subject to US jurisdiction. In such cases, we ensure that appropriate safeguards are in place in accordance with Chapter V GDPR:
- Supabase (AWS EU — Frankfurt): data stored within the EEA; no transfer safeguards required
- Stripe Payments Europe, Ltd: Irish entity; contracts and primary data processing within the EEA under Irish law
- Sentry (EU — Frankfurt): data stored within the EEA; no transfer safeguards required
- Vercel: functions configured to run in EU region; CDN/DDoS infrastructure may involve US data centres. Transfer mechanism: EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC)
- Resend: emails dispatched from EU region (Ireland); account metadata stored in US. Transfer mechanism: EU–US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCC)
- Anthropic (Claude API): US-based. Transfer mechanism: Standard Contractual Clauses (SCC). Only anonymised portfolio metrics are transmitted; no personal data
You may request a copy of the applicable transfer safeguards by contacting us at privacy@investtrack.net.
6. Retention Periods
We retain personal data only as long as necessary for the purpose for which it was collected (storage limitation, "opslagbeperking", Article 5(1)(e) GDPR):
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Portfolio and investment data | Until you delete your account |
| Broker connections | Until you disconnect or delete your account |
| Transaction data | Until you delete your account |
| Subscription and billing data | Until you delete your account; payment records retained by Stripe per their policy; financial records retained 7 years per Dutch tax law (Article 52 AWR) |
| Cancellation survey responses | Until you delete your account |
| Audit log | Maximum 2 years after the mutation |
| AI recommendations (cache) | 24 hours |
| Error reports (Sentry) | 90 days |
| Import errors | Until you delete your account |
| Server and access logs (Vercel) | 30 days (rolling) |
When you delete your account, we will delete or anonymise all your personal data within 30 days, except where retention is required by a legal obligation (such as tax records) or a legitimate interest (such as ongoing fraud detection).
7. Your Rights
Under the GDPR and the Dutch UAVG, you have the following rights:
- Right of access (Art. 15 GDPR): request a copy of all personal data we hold about you and information on how it is used.
- Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17 GDPR): request deletion of your personal data (“right to be forgotten”), subject to legal retention obligations.
- Right to restriction of processing (Art. 18 GDPR): request that we restrict processing of your data (e.g. while you contest its accuracy).
- Right to data portability (Art. 20 GDPR): receive your personal data in a structured, machine-readable format, or have it transferred directly to another controller.
- Right to object (Art. 21 GDPR): object to processing based on legitimate interests at any time.
- Right to withdraw consent (Art. 7(3) GDPR): where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, send an email to privacy@investtrack.net. We will respond within one month of receipt (Article 12(3) GDPR), extendable by two further months where necessary. We may ask you to verify your identity before processing your request.
8. Security
We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or misuse (Article 32 GDPR):
- Encryption at rest: all sensitive data, including API keys, are stored in encrypted form
- Encryption in transit: all communication takes place via HTTPS/TLS
- Row-Level Security (RLS): database policies ensuring users can only view and modify their own data
- Authentication: secured sessions via HTTP-only cookies with Secure and SameSite flags
- Audit log: all changes to financial data are recorded
- Password policy: minimum 8 characters including an uppercase letter, lowercase letter, and digit
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with Article 34 GDPR. We will report qualifying breaches to the Autoriteit Persoonsgegevens within 72 hours as required by Article 33 GDPR.
9. Automated Decision-Making
InvestTrack does not use fully automated decision-making or profiling within the meaning of Article 22 GDPR. The optional AI portfolio analysis provides informational recommendations only and does not make decisions on your behalf. For further details, see the AI-Powered Features section of the Terms of Use.
10. Minors
The Platform is intended for users who are 18 years of age or older, as set out in the Terms of Use. We do not knowingly collect or process personal data from persons under the age of 18. If we discover that we have collected data from a person under 18, we will suspend the account and delete all associated personal data within 30 days. If you believe a minor has registered on the Platform, please notify us at privacy@investtrack.net.
11. Changes to This Policy
We reserve the right to amend this policy. Material changes will be communicated via email to the address associated with your account and by a notification in the application at least 30 days before the changes take effect. The most recent version is always available at www.investtrack.net/privacy. The version date at the top of this document indicates when the current version entered into force.
12. Complaints
If you have a complaint about the processing of your personal data, please contact us at privacy@investtrack.net. You also always have the right to file a complaint with the Dutch Data Protection Authority:
- Autoriteit Persoonsgegevens — www.autoriteitpersoonsgegevens.nl
- Phone: 088 – 1805 250