Skip to main content

Privacy Policy

Last updated: May 26, 2026

1. Who We Are

trefolio ("we", "us", "our") is a portfolio tracking service built for European investors. We provide tools to track stock portfolios, view market data, and access AI-powered analysis.

For data protection inquiries, contact us at [email protected].

2. Data We Collect

Account Information

  • Email address — used for authentication, account recovery, and essential service communications.
  • Password — stored as a one-way bcrypt hash. We never store or have access to your plaintext password.
  • Third-party sign-in (Google, Apple) — if you sign in with Google, we receive and store your name, email address, and profile picture from your Google account. We do not receive or store your Google password. If you sign in with Apple, we receive and store your name and email address (which may be an Apple private relay address). We do not receive or store your Apple password.
  • Passkeys (WebAuthn) — if you register a passkey for passwordless sign-in, we store the cryptographic public key and credential metadata (credential ID, device type, sign-in counter) associated with your account. The private key and any biometric data remain on your device and are never transmitted to or stored by us. You can remove passkeys at any time from your profile.
  • Developer integrations (personal access token) if you use unified sign-in, you may create a personal access token on user.trefolio.com to connect external MCP clients to trefolio, Clara, or Will. The token is stored only on the identity service (hashed); trefolio receives it only when you configure a client and uses it solely to authenticate MCP requests against your account. You choose which scopes the token grants (for example portfolio read, tax reports, Clara savings, or Will notes write); each product enforces only the scopes relevant to that service.
  • Claude Connectors (OAuth) — if you add trefolio via Anthropic's Connectors Directory, Claude initiates OAuth 2.0 against user.trefolio.com (scopes openid, profile, email, mcp:ecosystem). We validate the access token and return only the portfolio or MOAT data you request via MCP tools; we do not sell your portfolio data to Anthropic.

Referral Data

  • Referral code — a unique 8-character code is generated for each user to enable referral link sharing. This code is not derived from personal information.
  • Referral relationships — when a new user signs up via a referral link, we store the connection between the referring user and the referred user to credit rewards. This data includes the referral status, timestamps, and any anti-abuse rejection reasons.

Portfolio Data

  • Stock holdings, transactions, and cash balances you enter or import.
  • Holding tags (optional) — if you add user-defined text labels to stock or ETF positions for your own organization, we store those labels with the position so diversification views can reflect them.
  • User preferences (language, theme, display currency, selected benchmarks, product usage interests, and referral source selected during onboarding).
  • Saved moat evaluation reports (optional labels) — if you save a competitive moat evaluation to your library, we store the evaluation content and scores. You may add optional text labels ("tags") to organize reports; these tags are chosen by you and stored with the saved report.
  • Saved investment strategies (Tools → Strategies) — if you create price alerts from the Strategies tool, we store your reference purchase price, target price, optional stop-loss level, ticker, exchange, and links to the associated threshold alerts so you can reopen your plan later. This data is for your convenience only and is not investment advice.
  • Broker connection credentials (optional) — if you connect your Interactive Brokers account via the Flex Web Service API, your access token and query ID are encrypted with AES-256-GCM and stored so you can re-sync your portfolio on demand. If you connect brokerage accounts via SnapTrade (Trefolio plan), we store your SnapTrade userId and encrypted userSecret; your brokerage credentials are handled by SnapTrade via OAuth, not by us. We only request read-only access to your brokerage data. You can disconnect at any time, which permanently deletes these credentials.
  • Widget access token (optional) — if you generate a widget token for home screen widget access, we store a one-way SHA-256 hash of the token. The plaintext token is shown once and never stored. You can revoke it at any time from your profile, which permanently deletes the hash.

Contact Form Data

  • Name, email, subject, message — when you submit the contact form, we collect these fields for customer support purposes. Submissions are sent to [email protected] via Resend and are subject to IP-based rate limiting (5 per hour).
  • Broker integration requests — if you request support for a missing broker, we store your account identifier, requested broker name, optional notes, and request timestamp so our team can evaluate demand and notify you about your request.

Notification Data

  • Telegram chat identifier — if you opt in to Telegram alert notifications (Pro plan), we store your Telegram chat id after you open our bot and tap Start with a one-time link. It is used for delivering price alert messages via the Telegram Bot API. Separately, when an administrator links the staff ProdOps recipient from trefolio admin, we store the linked Telegram DM chat id plus limited account metadata returned by Telegram (user id, username, and optional display name) to verify and route staff alerts. Staff-operated Telegram destinations may receive limited operational summaries about account events (for example a new signup, a paid membership, a feedback submission, or a broker request) so our team can respond quickly. The same linked staff bot may also answer narrow operational queries requested by our team (for example the latest signup, latest feedback entries, or the latest tracked product interaction) using only the minimum details needed plus a secure admin link.
  • Push notification subscription — if you opt in to browser push notifications (paid plan), we store your browser push subscription endpoint and encryption keys. These are used only to deliver price alert notifications and are deleted when you unsubscribe.

Social Data (optional)

  • Social profile data (optional) — If you enable social features, we collect and display: a public profile URL (slug), bio, headline, experience level, and your content posts. You control visibility (public or private) and can opt in to sharing aggregated portfolio value and holdings composition (allocation percentages only — exact share counts are never exposed). Connection relationships with other users are stored to enable network features and direct messaging.

Automatically Collected Data

  • Session cookies — essential httpOnly cookies for authentication.
  • Basic analytics — anonymous, aggregated page-view data via Vercel Analytics to understand product usage. No personal identifiers are stored.
  • Attribution parameters (UTM/referrer) — when you first visit trefolio, we may store first-touch attribution fields such as utm_source, utm_medium, utm_campaign, referrer, and landing path. These fields are used to measure signup and subscription conversion by acquisition source.

3. How We Use Your Data

We process your data exclusively to provide and improve the trefolio service:

  • Authenticate your account and maintain your session.
  • Display your portfolio, performance metrics, and market data.
  • Process AI analysis requests (portfolio data is sent to OpenAI for analysis; see Section 5).
  • Transcribe voice notes you send to Warren on Telegram (audio is forwarded to OpenAI for speech-to-text and discarded immediately after; only the transcript is retained). Warren's spoken replies are generated by OpenAI text-to-speech and sent back through Telegram (raw audio not stored).
  • Answer optional chart Q&A (your question and the chart snapshot — values, invested capital, time range, and trade markers — are sent to OpenAI; see Section 5).
  • Provide AI-powered support chat (your messages and optional portfolio summary are sent to OpenAI; see Section 5). Support chat conversations are stored for up to 90 days to enable admin review and improve support quality.
  • When you connect an MCP client to trefolio using a personal access token, we validate that token with our identity service over TLS, map it to your local account, and return portfolio or tool data you request via MCP tools according to the scopes you selected when minting the token (for example holdings, transactions, tax summaries, or MOAT evaluations). The MCP client you configure (such as Claude Desktop or Cursor) receives the JSON responses from those tool calls; we do not invoke OpenAI or Anthropic for MCP read tools unless you separately use an in-app AI feature or a tool that explicitly calls our AI backend (for example MOAT narrative).
  • Enable private chat rooms for direct communication between you and trefolio support, and between connected users. Messages (text, links, images, and voice) are stored in our database; voice audio files are stored in our Vercel Blob storage and are removed when the message expires. Non-persistent messages are automatically deleted 24 hours after being sent.
  • Process subscription payments through Stripe (see Section 5).
  • Send essential service communications (e.g., password resets, critical security notices).
  • Respond to customer support inquiries submitted via the contact form.
  • Evaluate and prioritize broker integration requests submitted by users.
  • Process and review refund requests submitted by paid subscribers.
  • Measure acquisition performance (signup and paid conversion rates by source).

We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes. If you grant optional cookie consent, we may send pseudonymous conversion signals (for example signup and checkout completion events) to analytics/advertising platforms to measure campaign performance.

4. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

  • Contract performance — processing necessary to provide the trefolio service you signed up for (Art. 6(1)(b) GDPR).
  • Legitimate interest — anonymous analytics to improve the product, fraud prevention, and service security (Art. 6(1)(f) GDPR).
  • Legal obligation — where required by applicable law (Art. 6(1)(c) GDPR).

5. Third-Party Services

We use the following third-party services to operate trefolio. Each acts as a data processor under GDPR:

ServicePurposeData Shared
VercelHosting & deploymentRequest metadata, anonymous analytics
Turso (libSQL)DatabaseAll account and portfolio data (encrypted at rest)
trefolio Identity (user.trefolio.com)Unified login, billing, personal access tokens, and ecosystem-wide AI model routing configuration (no portfolio content)When you use OIDC sign-in, we store your IdP subject identifier and sync subscription state from the IdP. When you use MCP with a personal access token, trefolio sends that token to the IdP over TLS for validation (and the IdP may update last-used metadata); portfolio rows are read only from trefolio's database after successful validation.
StripePayment processingEmail, subscription status, payment details
OpenAIAI-powered analysis, chart Q&A, support chat, Warren voice (Telegram), Investor Briefing news digests, and FinPulse social summaries (beta)Portfolio data included in analysis prompts; chart assistant questions with chart snapshot (values, invested capital, range, trades); support chat messages and optional portfolio summary; voice notes sent to Warren on Telegram (transcribed by OpenAI Whisper, audio not retained); Warren spoken replies generated by OpenAI text-to-speech (audio not retained server-side). When you use the optional Investor Briefing beta at /aid, we may send your portfolio tickers, recent news context, and excerpts from public X posts to generate short bullet summaries (including FinPulse).
TavilyWeb search for Investor Briefing earnings-day news digests and FinPulse X post discovery (beta, optional)Stock ticker symbols, curated X handles, and search queries; no account email or name
Clara (clara.trefolio.com)Optional savings summary on Investor Briefing when you use the same trefolio accountServer-to-server request with your IdP subject identifier; returns aggregated savings bucket amounts only when you have a linked Clara account
Will (will.trefolio.com)Optional recent note tags on Investor Briefing when you use the same trefolio accountServer-to-server request with your IdP subject identifier; returns recent tag labels and a short excerpt from your notes when you have a linked Will account
Yahoo FinanceMarket dataStock ticker symbols requested
Alpha VantageMarket data (Trefolio)Stock ticker symbols requested
Financial Modeling Prep (FMP)Market data (Trefolio)Stock ticker symbols requested
CoinLoreCryptocurrency market dataNo user data sent — only public market data retrieved
FinnhubMarket news (fallback)Stock ticker symbols requested
Cloudflare TurnstileBot protectionIP address and browser signals (used to distinguish humans from bots during signup, login, and contact form submissions)
ResendTransactional emailEmail address (for verification, password resets, service notifications, and contact form submissions)
LinearIssue tracking for in-app feedbackFeedback subject, message, and type may be synced as issue content when our automated feedback pipeline creates a task (no portfolio or payment data)
Interactive Brokers (Flex Web Service)Portfolio import via API (Trefolio)User-provided Flex token and Query ID (encrypted at rest); IBKR returns portfolio data directly to our server
SnapTrade (Passiv Financial Inc.)Brokerage aggregation (Trefolio)Brokerage account data (positions, balances) via OAuth read-only; we store only SnapTrade userId and encrypted userSecret
Telegram (Telegram Bot API)Telegram alert notifications and staff operational alerts (Trefolio)Telegram chat id for outbound price alerts; messages contain stock ticker and price data only. For staff operational alerts, we also store the linked recipient's Telegram user id, username, optional display name, and DM chat id after an admin completes the Telegram Start link flow. Staff-operated operational channels may receive concise summaries of signup, membership, feedback, broker-request, or trial-activation events with an admin link and no full free-text feedback body. The same linked staff bot may answer narrow operational queries such as the latest signup, latest feedback entries, or the latest tracked product interaction using minimal account details only.
Telegram Messenger Inc.Optional Warren chat over Telegram (text and voice)If you choose to connect your Telegram account, we exchange your Telegram chat ID and the contents of messages you send to our bot with Telegram's servers; the same messages are then sent to OpenAI to generate Warren's reply. If you send a voice note, the audio is downloaded from Telegram, forwarded to OpenAI for speech-to-text transcription (Whisper), and discarded immediately after. Warren's spoken reply is generated by OpenAI text-to-speech and sent back through Telegram; we do not retain raw audio. You can disconnect at any time from your profile.
QuickChart (Chart.js renderer)Optional rendering of charts sent in Telegram repliesWhen you ask Warren on Telegram for a chart (e.g. /chart) we send aggregated, non-identifying values — chart title, asset-type labels (Stocks, Cash, ETFs…) and percentages — to QuickChart to render a PNG. No tickers, account ids, names, or email addresses are sent. Operators can self-host QuickChart or disable image charts entirely with environment flags.
Google Analytics / Google Ads tags (Google LLC)Consent-based analytics and conversion attributionPseudonymous cookie identifiers, page events, and conversion events (signup/checkout milestones) only after consent
Meta Pixel / Meta Conversions API (Meta Platforms, Inc.)Optional consent-based conversion attribution (when enabled)Pseudonymous conversion events and hashed identifiers (e.g., hashed email) for signup/checkout attribution, only after consent
Google AdSense (Google LLC)Display advertising (free plan only)Advertising cookies and browser signals for ad personalization (only with user consent); paid plan users are never shown ads

6. Data Security

  • Passwords are hashed with bcrypt (one-way, non-reversible).
  • Sessions use secure, httpOnly JWT cookies with SameSite protection.
  • Sensitive API keys and broker connection tokens are encrypted with AES-256-GCM.
  • Widget access tokens are stored as one-way SHA-256 hashes (non-reversible).
  • Passkey credentials store only the public key; the private key and biometric data never leave your device.
  • All connections use HTTPS/TLS encryption in transit.
  • Database is encrypted at rest (Turso/libSQL).
  • We follow the principle of least privilege for data access across all internal systems.

7. Data Retention

  • Account data — retained for as long as your account is active.
  • Portfolio data — retained for as long as your account is active. If your paid subscription lapses, your data is preserved and accessible when you resubscribe.
  • Analytics events — anonymous, aggregated usage events are automatically purged after 90 days.
  • Contact form submissions — retained until the inquiry is resolved, then purged within 90 days.
  • Broker integration requests — retained for product planning and support follow-up, then periodically reviewed and deleted when no longer needed.
  • Support chat conversations — retained for up to 90 days for quality review, then automatically purged.
  • Private chat messages — messages in private chat rooms (text, links, images, and voice) are automatically deleted 24 hours after being sent unless marked persistent. Message metadata and text are stored in our database; voice audio is stored in Vercel Blob object storage (same infrastructure provider as the rest of the service) and deleted when the message record is purged.
  • After account deletion — all personal data is permanently deleted within 30 days. Backups containing your data are purged within 90 days.

7a. Public Portfolio Sharing

Trefolio subscribers may choose to generate a shareable link that allows anyone with the link to view a read-only snapshot of their portfolio holdings. This feature is opt-in and disabled by default.

  • What is shared: Ticker symbols, stock names, exchange, and optionally share counts (configurable by you). Financial values (prices, total values) are never exposed via shared links.
  • Access control: Shared portfolio pages are accessible by anyone with the link but are not indexed by search engines (noindex). You can revoke access at any time from your profile settings.
  • Visitor data: We log anonymized access events (no IP address, no personal data) to measure feature usage.
  • Your responsibility: You are responsible for deciding what holdings to include in your shared portfolio. We recommend reviewing the excluded tickers option before sharing.
  • User-generated social content: Posts, profiles, and connection data you create through social features are visible according to your visibility settings. Public posts and profiles are accessible to anyone, including search engines. Network-only posts are visible to your connections. You can delete your posts and profile data at any time.

8. Your Rights (GDPR)

As a user in the European Economic Area, you have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — correct inaccurate personal data.
  • Erasure — request deletion of your account and all associated data.
  • Data portability — export your portfolio data in CSV or JSON format from your profile settings.
  • Restriction — request restricted processing of your data.
  • Object — object to processing based on legitimate interest.
  • Lodge a complaint — with your local data protection authority.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

9. Cookies

Essential Cookies (always active)

  • Session cookie — an httpOnly, secure cookie that maintains your authenticated session. Expires when you log out or after the session timeout period.
  • Cloudflare Turnstile — Turnstile may set a transient cookie (cf_bm) to complete its bot-detection challenge on signup, login, and contact forms. This cookie is classified as strictly necessary (bot protection) and contains no personal identifiers.

Analytics Cookies (optional, consent required)

If you choose "Accept All" in the cookie banner, we use Google Analytics 4 to understand how visitors use trefolio. Google Analytics sets the following cookies:

  • _ga — distinguishes unique visitors. Expires after 2 years.
  • _ga_* — maintains session state. Expires after 2 years.

These cookies are only set after you give explicit consent. You can withdraw consent at any time by clearing your browser cookies and revisiting the site. We use Google Analytics with IP anonymization enabled. If consent is granted, we may also send conversion events (signup/checkout milestones) through Google tags for campaign attribution. Data collected by Google Analytics is processed by Google LLC under their Data Processing Terms.

Advertising Cookies (optional, consent required)

If you choose "Accept All" in the cookie banner and are on the free plan, we use Google AdSense to display relevant advertisements. Google AdSense may set cookies to serve ads based on your browsing history. Paid Trefolio subscribers are never shown ads and no advertising cookies are set.

You can opt out of personalized advertising at Google Ads Settings.

10. International Transfers

Your data may be processed outside the EEA by our third-party service providers (Vercel, OpenAI, Stripe, Cloudflare, Google Analytics, Google AdSense, Finnhub, Interactive Brokers, SnapTrade, Resend, Telegram, Linear). Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.

Cloudflare processes Turnstile bot-detection data as both a data processor (acting on our instructions to protect our forms) and an independent data controller (to improve its bot-detection models under legitimate interest). Cloudflare's Turnstile Privacy Addendum governs this processing.

11. Children

trefolio is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children. If we become aware that a child has provided us with personal data, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.