Privacy Policy
Effective February 4, 2026 · Updated June 17, 2026. How Irish Investor collects, stores, and protects your data.
Introduction
Data controller. Irish Investor (the “Service”) is operated from Ireland by a natural person acting in a non-commercial capacity while Free Mode remains active. For privacy-related matters, contact the operator at support@irish-investor.com. The operator's full legal identity is disclosed on written request to that email address; see the Legal Notice for the matching service-provider disclosure.
Information We Collect
We collect only what is necessary to provide the service:
- Identity — email address, authentication credentials (password hashed or Google OAuth ID), optional person records (name and colour label)
- Financial profile — annual income by year, marital status, spouse income, other unearned income (for Irish marginal tax rate calculations)
- Investment data — transactions, holdings, broker reports (temporarily stored in compressed form for processing and restart retry, then cleared when no longer needed), deemed disposal events, tax calculations, encrypted server-side backups (up to 5 per user, retained 90 days), and opt-in debug file copies (retained up to 30 days)
- Integration credentials — broker API keys and secrets (encrypted with Fernet AES-128) only if you enable API sync
- Operational records — Stripe customer identifier, payment and refund history, feedback submissions and attachments
- Security telemetry — rate-limit events keyed by email or IP (24-hour cleanup), revoked-JWT identifiers, password-reset token IDs (purged at natural expiry), anonymous-on-delete API usage log for price, FX, and broker API calls
- Technical metadata — JWT token, theme preference, app preferences, and active upload recovery metadata in localStorage (including broker filters, crypto-trader broker selections, broker label, file name, and job metadata while recoverable), IP address (redacted /24 or /48 in logs), browser and device info
Legal Basis for Processing
- Contract (Art. 6(1)(b)) — account creation, service provision, payment processing
- Legal obligation (Art. 6(1)(c)) — 6-year retention of tax-report-supporting records per Irish TCA 1997 s.886
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, rate-limit telemetry
- Consent (Art. 6(1)(a)) — Google Analytics 4 and Vercel Speed Insights (disabled until you accept the cookie banner)
Data Storage & Security
All data stored within the European Union. Broker API credentials and server-side backup snapshots are encrypted at rest using Fernet (AES-128). All traffic is encrypted via TLS/SSL. Passwords are hashed using PBKDF2-SHA256 with per-user salt (never reversible). Strict multi-tenancy isolation controls user access.
Breach notification. We will notify the Irish Data Protection Commission within 72 hours of a personal-data breach likely to result in risk to your rights, per GDPR Article 33, and will notify affected users directly when Article 34 applies.
Third-Party Services
- Stripe — historical payment records and future checkout readiness if paid access is reintroduced (EU via Stripe Technology Europe Ltd.; SCCs cover US pipeline steps)
- Google — optional OAuth sign-in and Google Analytics 4 with Consent Mode v2 (US; SCCs)
- Vercel Speed Insights — consent-gated real-user performance measurements (EU plus global edge; SCCs)
- Resend — transactional email delivery (US; SCCs)
- ImprovMX — support email forwarding for messages sent to support@irish-investor.com (EU/US infrastructure; SCCs where applicable)
- CoinGecko / CryptoCompare / yfinance / Stooq / European Central Bank / Frankfurter — price and FX data (asset tickers only, no user PII)
- Binance, Bybit, Kraken — only when you explicitly enable broker API sync in Settings → Integrations; CSV imports involve no broker communication
- Railway — backend hosting and PostgreSQL (primary EU region; SCCs for US fallback)
- Vercel — frontend hosting and edge CDN (no user data stored on edge beyond HTTP access logs; SCCs)
A concise provider list is published on the Sub-processors page.
Cookies & Tracking
The cookie banner offers two categories: Essential cookies (always on — authentication, session, your saved preferences) and Analytics (toggleable, default off). We use Google Consent Mode v2: analytics_storage defaults to denied at page load. Google Tag Manager, GA4, and Vercel Speed Insights do not load until you opt in. No advertising cookies, retargeting, or profiling. Your choice is stored as versioned JSON in your browser's localStorage and may re-prompt on material policy changes; change it at any time via “Manage Cookies” in the page footer.
Data Retention
- Active accounts — retained while your account is active
- Deleted accounts — personal and financial data permanently deleted within 30 days
- Encrypted backups — retained 90 days for disaster recovery, then purged
- Temporary upload processing storage — broker report bytes retained only while needed for parsing, restart retry, cancellation handling, or failed-upload cleanup
- Debug files — automatically deleted after 30 days
- Operational logs — API call timing, daily quota counters, and export events retained for 365 days for service operation, abuse prevention, and troubleshooting
- Support feedback — resolved or closed feedback submissions retained for 730 days, then deleted with any stored attachment bytes or legacy attachment files
- Legal obligations — investment transactions, income events, deemed-disposal records, and related account records that support tax calculations, audit trails, and user exports may be retained for 6 years per Irish Revenue (Taxes Consolidation Act 1997, section 886), together with payment records and purchase and refund history.
Your Rights Under GDPR
As an EU resident, you have the right to: access your data (Art. 15), rectify inaccuracies (Art. 16), erase your data (Art. 17), port your data in machine-readable JSON format, with feedback attachment bytes available as a separate ZIP archive, via Settings → Account → Your Data (Art. 20), object to processing (Art. 21), restrict processing (Art. 18), withdraw consent (Art. 7(3)), and lodge a complaint with the Irish Data Protection Commission at www.dataprotection.ie (Art. 77). Account deletion is available in Settings → Account, or by emailing support@irish-investor.com if you cannot access your account. Verified deletion requests complete within 30 days, subject to records we are legally required to retain.
How to Exercise Your Rights
Email support@irish-investor.com describing the right you wish to exercise. We verify your identity via your registered email and respond within 1 month (extendable by 2 months for complex requests per Art. 12(3)). Self-service shortcuts: download data via Settings → Account → Your Data; rectify tax profile via Settings → Tax Profile; withdraw analytics consent via the cookie banner. Withdrawing analytics consent immediately updates Google Consent Mode, unmounts Vercel Speed Insights, and stops Web Vitals events from being sent from the page; reloading after Reject All starts without analytics scripts.
Data Sharing
We never sell, rent, or trade your data. Data is shared only with the service providers listed above as necessary for their function, or when required by law.
International Transfers
Your primary data at rest is in the European Union. Transfers to non-EU processors (Google, Resend, Yahoo Finance, US fallback for Railway or Vercel) are covered by Standard Contractual Clauses under GDPR Article 46.
Children's Privacy
The Service is not intended for individuals under 18 years of age (service-terms floor; note Irish Article 8 GDPR digital-age-of-consent is 16). We do not knowingly collect personal information from persons under 18. Contact us immediately if you believe we have inadvertently collected data from a minor.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted here with an updated effective date. Material changes affecting your rights or introducing new data collection will be communicated via email at least 30 days before they take effect.
Contact Us
For questions about this Privacy Policy, to exercise your GDPR rights, or to report a data protection concern: support@irish-investor.com — we respond within 1 month.
This application requires JavaScript to run. Please enable JavaScript in your browser.
Contact: support@irish-investor.com