Privacy Policy

Last updated: March 6, 2026

1. Who We Are

trefolio ("we", "us", "our") is a portfolio tracking service built for European investors. We provide tools to track stock portfolios, view market data, and access AI-powered analysis.

For data protection inquiries, contact us at privacy@trefolio.com.

2. Data We Collect

Account Information

  • Email address — used for authentication, account recovery, and essential service communications.
  • Password — stored as a one-way bcrypt hash. We never store or have access to your plaintext password.

Portfolio Data

  • Stock holdings, transactions, and cash balances you enter or import.
  • User preferences (language, theme, display currency, selected benchmarks).

Automatically Collected Data

  • Session cookies — essential httpOnly cookies for authentication. No tracking or advertising cookies.
  • Basic analytics — anonymous, aggregated page-view data via Vercel Analytics to understand product usage. No personal identifiers are stored.

3. How We Use Your Data

We process your data exclusively to provide and improve the trefolio service:

  • Authenticate your account and maintain your session.
  • Display your portfolio, performance metrics, and market data.
  • Process AI analysis requests (portfolio data is sent to OpenAI for analysis; see Section 5).
  • Process subscription payments through Stripe (see Section 5).
  • Send essential service communications (e.g., password resets, critical security notices).

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contract performance — processing necessary to provide the trefolio service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interest — anonymous analytics to improve the product, fraud prevention, and service security (Art. 6(1)(f) GDPR).
  • Legal obligation — where required by applicable law (Art. 6(1)(c) GDPR).

5. Third-Party Services

We use the following third-party services to operate trefolio. Each acts as a data processor under GDPR:

Service           Purpose                 Data Shared
Vercel            Hosting & deployment    Request metadata, anonymous analytics
Turso (libSQL)    Database                All account and portfolio data (encrypted at rest)
Stripe            Payment processing      Email, subscription status, payment details
OpenAI            AI-powered analysis     Portfolio data included in analysis prompts
Yahoo Finance     Market data             Stock ticker symbols requested
Alpha Vantage     Market data (Pro)       Stock ticker symbols requested

6. Data Security

  • Passwords are hashed with bcrypt (one-way, non-reversible).
  • Sessions use secure, httpOnly JWT cookies with SameSite protection.
  • Sensitive API keys are encrypted with AES-256-GCM.
  • All connections use HTTPS/TLS encryption in transit.
  • Database is encrypted at rest (Turso/libSQL).
  • We follow the principle of least privilege for data access across all internal systems.

7. Data Retention

  • Account data — retained for as long as your account is active.
  • Portfolio data — retained for as long as your account is active. If your Pro subscription lapses, your data is preserved and accessible when you resubscribe.
  • After account deletion — all personal data is permanently deleted within 30 days. Backups containing your data are purged within 90 days.

8. Your Rights (GDPR)

As a user in the European Economic Area, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate personal data.
  • Erasure — request deletion of your account and all associated data.
  • Data portability — export your portfolio data in CSV or JSON format from your profile settings.
  • Restriction — request restricted processing of your data.
  • Object — object to processing based on legitimate interest.
  • Lodge a complaint — with your local data protection authority.

To exercise any of these rights, email privacy@trefolio.com. We will respond within 30 days.

9. Cookies

trefolio uses only essential cookies required for the service to function:

  • Session cookie — an httpOnly, secure cookie that maintains your authenticated session. Expires when you log out or after the session timeout period.

We do not use advertising, tracking, or third-party cookies. Because we only use strictly necessary cookies, no cookie consent banner is required under EU ePrivacy regulations.

10. International Transfers

Your data may be processed outside the EEA by our third-party service providers (Vercel, OpenAI, Stripe). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

11. Children

trefolio is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.