Privacy Policy

Effective date: March 21, 2026
Operator: PortfolioCard
Service: PortfolioCard
Website: [https://portfoliocard.app](https://portfoliocard.app)

1. Data we collect

  • Account data: Email address, display name, and profile image URL obtained via Google OAuth at sign-in.
  • User-entered data: Stock tickers, share counts, average cost basis, card titles, and themes you input.
  • Usage logs: IP address, browser type, access timestamps — retained by Vercel's infrastructure.
  • Session data: Authentication cookies managed by Supabase Auth.

2. How we use your data

  • To provide, maintain, and improve the Service
  • To authenticate users and prevent unauthorized access
  • To detect and prevent fraud or abuse
  • To send important notices about the Service or these policies (via registered email)
  • For aggregated, anonymized analytics to understand usage patterns

3. Public card URLs and API access

Each portfolio card has a public URL. Anyone who has that URL can view your card in the browser, including the information you choose to display on the card (for example tickers, share counts, average cost, and P&L).

Our HTTP API also returns card configuration as JSON when a request includes a valid card identifier, without requiring sign-in. That JSON can include the same holding fields you entered in the app. If you do not want others to see your positions, do not share your card URL.

4. Legal basis for processing (GDPR)

For users in the EU/EEA, we process personal data under the following legal bases:

  • Contract performance — to provide the Service you signed up for
  • Legitimate interests — security, fraud prevention, service improvement
  • Consent — for optional analytics cookies (where applicable)

5. Third-party services

| Service | Role | Privacy policy |
| --- | --- | --- |
| Supabase | Authentication and database hosting | supabase.com/privacy |
| Vercel | Web hosting and edge functions | vercel.com/legal/privacy-policy |
| Finnhub | Market data API (your portfolio data is never sent to Finnhub) | finnhub.io/privacy |
| Google OAuth | Sign-in only; we do not access Drive, Gmail, or other Google data | policies.google.com/privacy |

6. Data retention

Your data is stored in Supabase (data centers primarily in the EU and US). We retain your data for as long as your account is active. Upon an account deletion request, we aim to delete your personal data within 30 days, except where retention is required by law.

7. Data security

We implement industry-standard security measures including TLS encryption in transit, row-level security (RLS) in the database, and access controls. No system is perfectly secure; please notify us immediately if you suspect unauthorized access.

8. Your rights

You may request at any time:

  • Access to the personal data we hold about you
  • Correction of inaccurate data
  • Deletion of your account and associated data
  • (GDPR only) Restriction of processing, data portability, or objection to processing
  • (GDPR only) Withdrawal of consent (where processing is consent-based)
  • (GDPR only) Lodge a complaint with your local supervisory authority

To exercise any of these rights, contact us at ingo@portfoliocard.app.

9. International transfers

Your data may be processed outside your country of residence (e.g., on Vercel or Supabase infrastructure in the US or EU). Where required by GDPR, transfers are made subject to appropriate safeguards such as Standard Contractual Clauses.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will give notice of material changes via the Service or by email at least 14 days before they take effect for EU users.

Contact / Data controller

Operator: PortfolioCard
Service website: https://portfoliocard.app
Email: ingo@portfoliocard.app

© 2026 PortfolioCard · portfoliocard.app