Privacy Policy
Effective date: 2026-05-20
Data controller: Wael Benamor — 7 bd Marceau, 92700 Colombes, France — legal@portfoliq.io
1. Data we collect
- Email address — required for account registration and transactional communications.
- Password (hashed) — stored as a bcrypt hash (cost 12). We never store passwords in plain text.
- API usage data — request counts and timestamps, aggregated per hour, retained for 90 days.
- Payment information — processed exclusively by Stripe, Inc. We do not store card numbers or bank details.
- Audit logs — authentication events (login, registration, key creation/revocation), retained for 90 days.
2. Legal basis for processing
- Contract performance (Art. 6(1)(b) GDPR) — to provide access to the API and process payments.
- Legitimate interest (Art. 6(1)(f) GDPR) — security monitoring and fraud prevention.
- Consent (Art. 6(1)(a) GDPR) — transactional emails (password reset, welcome).
3. Your rights (GDPR Articles 15–22)
- Right of access (Art. 15) — use `GET /auth/me` or contact us.
- Right to erasure (Art. 17) — use `DELETE /auth/me` to delete your account and anonymize your personal data. All active API keys are revoked and your Stripe subscription is cancelled.
- Right to portability (Art. 20) — contact legal@portfoliq.io.
- Right to rectification (Art. 16) — contact legal@portfoliq.io.
- Right to object (Art. 21) — contact us at the address above.
3b. Sub-processors (GDPR Art. 28 + Art. 30)
portfolIQ uses the following sub-processors to deliver the Service. All transfers outside the EEA are covered by Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c). We update this list 30 days in advance of material changes per GDPR Art. 28(2).
| Provider | Service | Location | Transfer basis | DPA |
|---|---|---|---|---|
| Hetzner Online GmbH | Infrastructure (database, compute) | Germany (EEA) | EEA hosting — no transfer | DPA |
| Stripe Inc. | Payments processing | USA | SCCs + GDPR Art. 46 | DPA |
| Anthropic PBC | AI / LLM provider (enriched analyses) | USA | SCCs + GDPR Art. 46 | DPA |
| Cloudflare Inc. | CDN + DDoS protection | USA (EEA edges) | SCCs + GDPR Art. 46 | DPA |
| Resend Inc. | Transactional email | USA | SCCs + GDPR Art. 46 | DPA |
| Backblaze Inc. | Backup storage (B2) | USA / EU regions | SCCs + GDPR Art. 46 | DPA |
| Vercel Inc. | Frontend hosting | USA (EEA edges) | SCCs + GDPR Art. 46 | DPA |
Material changes to this list are announced at /legal/changelog 30 days in advance per GDPR Art. 28(2).
4. Data hosting and transfers
All personal data is processed and stored on Hetzner Cloud, Falkenstein datacenter, Germany (EU). No personal data is transferred outside the European Economic Area.
Payment data is processed by Stripe, Inc. (USA), covered by Standard Contractual Clauses (SCCs) as per Stripe's DPA.
5. Data retention
- Account data: retained until deletion request
- API usage logs: 90 days
- Audit logs: 90 days
- Anonymized deletion records: retained for audit trail (no PII retained after deletion)
6. Cookies
portfoliq.io uses only strictly necessary cookies (session management). No advertising or analytics cookies are set. No third-party tracking.
7. Contact and complaints
For any privacy-related request: legal@portfoliq.io
You have the right to lodge a complaint with the relevant supervisory authority (CNIL in France: www.cnil.fr).