Privacy Policy

1. Data Controller

FolioBrief is operated by:

For privacy inquiries and data subject requests, contact hello@foliobrief.io.

2. Data We Collect

This section constitutes our information notice pursuant to Art. 13 GDPR. We collect the following categories of personal data:

Account Information

• Email address (required for account creation and briefing delivery)
• Name (optional, from Google OAuth or user input)
• Profile image (from Google OAuth, if provided)

Portfolio Data

• Stock and crypto ticker symbols
• Number of shares/units held
• Average cost basis (optional)
• Watchlist entries and price targets

Usage Data

• Briefing open and click events (via email tracking pixel)
• Briefing feedback and ratings
• Aggregate site usage via privacy-friendly analytics (no personal data)

Payment Data

Payment processing is handled entirely by Stripe. We store only your Stripe customer ID and subscription ID. We never store credit card numbers, CVVs, or bank account details.

3. Legal Basis and Purpose of Processing

We process your personal data only where a legal basis under Art. 6 GDPR applies:

• Briefing generation: Portfolio data is sent to Claude AI (Anthropic) to generate personalized analysis. Only ticker symbols, share counts, and cost basis are included — never your email or identity. Legal basis: Art. 6(1)(b) GDPR — performance of contract.
• Email delivery: Your email address is used to deliver briefings and transactional emails (verification, billing). Legal basis: Art. 6(1)(b) GDPR — performance of contract.
• Service improvement: Anonymized usage data helps us improve briefing quality and features. Legal basis: Art. 6(1)(f) GDPR — legitimate interests in improving service quality.
• Billing and invoicing: Stripe customer IDs manage your subscription and payment history. Billing records are retained for tax compliance. Legal basis: Art. 6(1)(b) GDPR — performance of contract; Art. 6(1)(c) GDPR — compliance with legal obligations (§ 147 AO — 10-year retention for invoices and tax records).
• Email open tracking: Briefing emails include a 1×1 tracking pixel to measure open rates. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding delivery performance. You may block this via your email client's image blocking feature.
• Authentication (Google OAuth): Email, name, and profile image received via Google sign-in. Legal basis: Art. 6(1)(b) GDPR — performance of contract (account creation and authentication).
• Analytics: We use self-hosted Umami analytics — no cookies, no cross-site tracking, no personal data collected. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding aggregate site usage. No consent required as no personal data is processed.

4. Third-Party Processors

We share data only with the following third-party processors under Art. 28 GDPR data processing agreements or equivalent safeguards:

Anthropic and Stripe are based in the United States. Data transfers are conducted on the basis of Standard Contractual Clauses (Art. 46(2)(c) GDPR), ensuring an adequate level of data protection. Postal and Umami are self-hosted on our EU-based server (Germany) and data does not leave the EU.

We do not sell, rent, or trade your personal data to any third party.

5. Your Rights (Art. 15–22 GDPR)

As a data subject under the GDPR, you have the following rights. To exercise any of them, contact hello@foliobrief.io. We will respond within 30 days (extendable to 90 days for complex requests, with notification).

• Right of access (Art. 15 GDPR): Request a copy of all personal data we hold about you, including the categories of data, purposes of processing, and recipients.
• Right to rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
• Right to erasure (Art. 17 GDPR): Request deletion of your account and all associated personal data. Exceptions apply where retention is required by law (e.g. tax records per § 147 AO).
• Right to restriction of processing (Art. 18 GDPR): Request that we limit processing of your data — for example, while you contest the accuracy of data we hold, or while an objection is being assessed. Restricted data is stored but not actively processed.
• Right to data portability (Art. 20 GDPR): Request your personal data in a structured, commonly used, machine-readable format (e.g. JSON or CSV), where processing is based on contract or consent and carried out by automated means.
• Right to object (Art. 21 GDPR): Object to processing based on our legitimate interests (Art. 6(1)(f) GDPR) at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
• Right to withdraw consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Right to lodge a complaint (Art. 77 GDPR): You have the right to lodge a complaint with a supervisory authority. The competent authority for Bavaria (where the data controller is located) is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Promenade 27, 91522 Ansbach. You may also lodge a complaint with the supervisory authority of your EU member state of habitual residence or place of work.

6. Data Retention

• Account data: Retained as long as your account is active.
• Briefing history: Retained for 12 months, then automatically deleted.
• Market data cache: Ephemeral — expires within 24 hours.
• After account deletion: All personal data is permanently removed within 30 days, unless longer retention is required by law.
• Billing and invoice records: Retained for 10 years to comply with German tax law (§ 147 AO). This applies to invoices and payment records — not to your portfolio data or briefing content.

7. International Data Transfers

Anthropic (Claude AI) and Stripe are based in the United States. Google LLC (OAuth) is also a US company. Data transfers to these providers are conducted on the basis of Standard Contractual Clauses (SCCs) pursuant to Art. 46(2)(c) GDPR, which provide appropriate safeguards for the protection of your personal data.

Our email (Postal) and analytics (Umami) infrastructure is self-hosted on servers located in Germany. No personal data from these services is transferred outside the EU.

8. Security

We implement appropriate technical and organizational measures to protect your data against unauthorized access, loss, or alteration, including:

• Encrypted data in transit (TLS/HTTPS)
• Encrypted database connections
• Access controls and authentication requirements
• Regular security reviews

9. Cookies and Tracking

FolioBrief uses essential cookies for authentication and session management (legal basis: Art. 6(1)(b) GDPR). These are strictly necessary for the service to function and cannot be disabled.

We use self-hosted Umami analytics, which does not use cookies and does not collect or process personal data. No cookie consent banner is required for this.

Briefing emails include a 1×1 tracking pixel to measure open rates (legal basis: Art. 6(1)(f) GDPR — legitimate interest in understanding delivery performance). You may block this by disabling automatic image loading in your email client.

10. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email at least 30 days before they take effect. The date at the top of this page indicates the last revision.

11. Contact

For any privacy-related questions, data subject requests, or concerns:

We will respond within 30 days.