Privacy Policy
Last updated: 18 April 2026
Note: FolioTrack is operated by an individual, not a registered company. The data controller for your personal data is the individual operator. Contact details are at the bottom of this page.
1. Who We Are
FolioTrack ("the Service", "we", "us") is a personal investment portfolio tracking tool operated by an individual. Our contact email is contact@folio-track.com.
As the operator of this Service, we act as the data controller for personal data collected through FolioTrack under the EU General Data Protection Regulation (GDPR) and applicable US state privacy laws including the California Consumer Privacy Act (CCPA).
2. What Data We Collect
We only collect data that is necessary to provide the Service:
- Account data: Your email address and a hashed (bcrypt) password when you register.
- Portfolio data: Asset symbols, quantities, purchase prices, and purchase dates that you enter manually.
- Watchlist data: Symbols you add to your watchlist.
- Subscription data: Your subscription status and trial end date. Payment card details are processed directly by Paddle and are never stored on our servers.
- Session data: A temporary server-side session to keep you logged in.
We do not collect:
- Analytics or tracking data (no Google Analytics, no pixel tracking)
- Precise location data
- Any data from your device beyond what your browser sends in a standard HTTP request
3. How We Use Your Data
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing the portfolio tracking service | Performance of contract (Art. 6(1)(b)) |
| Processing subscription payments via Paddle | Performance of contract (Art. 6(1)(b)) |
| Keeping your account secure (session, CSRF protection) | Legitimate interest (Art. 6(1)(f)) |
| Responding to your support enquiries | Legitimate interest (Art. 6(1)(f)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
We do not use your data for marketing, profiling, or automated decision-making.
4. Third-Party Services
We share data with the following third parties only to the extent necessary:
- Paddle (paddle.com) — payment processing. When you subscribe, you interact directly with Paddle's secure checkout. We receive a subscription status token; we never see or store your card details. Paddle's privacy policy: paddle.com/legal/privacy.
- EODHD (eodhd.com) — market data API. We send asset symbols (e.g. "AAPL") to retrieve price and fundamental data. No personal data is sent to EODHD.
We do not sell, rent, or otherwise disclose your personal data to any other third party, advertiser, or data broker.
5. Cookies
FolioTrack uses strictly necessary cookies only:
- Session cookie — keeps you authenticated during your visit.
- XSRF-TOKEN — holds the anti-forgery token that the app echoes back on state-changing requests so the server can reject requests forged by other sites (cross-site request forgery).
These cookies are essential for the Service to function. Under EU ePrivacy rules (and consistent with GDPR), strictly necessary cookies do not require consent. We do not use any advertising, analytics, or tracking cookies.
6. Data Retention
- Account and portfolio data — retained for as long as your account is active.
- After account deletion — your personal data is deleted within 30 days, except where retention is required by law (e.g. financial records for tax purposes, up to 7 years).
- Server logs — retained for up to 90 days for security monitoring, then deleted.
7. Your Rights
Under GDPR (EU/EEA residents) you have the right to:
- Access — request a copy of your personal data.
- Rectification — correct inaccurate data (most data can be edited directly in the app).
- Erasure — request deletion of your account and all associated data.
- Portability — receive your portfolio data in a machine-readable format (CSV export is available in the app).
- Restriction — request we restrict processing in certain circumstances.
- Object — object to processing based on legitimate interest.
- Lodge a complaint — with your national data protection authority. In Bulgaria: Commission for Personal Data Protection (КЗЛД). You may also complain to the supervisory authority in your country of residence.
Under CCPA (California residents) you have the right to:
- Know what personal information is collected and how it is used.
- Request deletion of your personal information.
- Opt out of the sale of personal information. (We do not sell personal information.)
- Non-discrimination for exercising your privacy rights.
To exercise any of these rights, email us at contact@folio-track.com. We will respond within one month (GDPR) or 45 days (CCPA). To protect your account, we may ask you to confirm the request from the email address registered to it before acting on it.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including password hashing (bcrypt), HTTPS encryption in transit, CSRF protection, and access controls. However, no system is 100% secure. In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of it where the breach is likely to result in a risk to your rights and freedoms, and will notify you directly where that risk is high, as required by GDPR Articles 33 and 34.
9. International Transfers
FolioTrack is hosted on Laravel Cloud (laravel.cloud), which runs on AWS (Amazon Web Services) infrastructure. AWS processes data under Standard Contractual Clauses (SCCs) approved by the European Commission, which provide appropriate safeguards for any personal data transferred outside the EU/EEA. For more information, see the AWS GDPR Centre.
The operator of FolioTrack is based in Bulgaria, an EU member state, and is therefore established in the EU and subject to GDPR as a data controller. No transfers outside the EU/EEA occur except through the infrastructure providers described above.
10. Children
FolioTrack is not directed at anyone under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. Continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact
For any privacy-related questions or to exercise your rights, contact:
Email: contact@folio-track.com