Privacy Policy
Effective February 4, 2026 · Updated May 20, 2026. How Irish Investor collects, stores, and protects your data.
Introduction
Data controller. Irish Investor (the “Service”) is operated from Ireland. For privacy-related matters, contact the operator at support@irish-investor.com. Full business registration details will be published here once finalized.
Information We Collect
We collect only what is necessary to provide the service:
- Identity — email address, authentication credentials (password hashed or Google OAuth ID), optional person records (name and PPS number, encrypted at rest)
- Financial profile — annual income by year, marital status, spouse income, other unearned income (for Irish marginal tax rate calculations)
- Investment data — transactions, holdings, broker reports (processed on upload, stored only if you opt in to debug sharing), deemed disposal events, tax calculations, encrypted server-side backups (up to 5 per user, retained 90 days)
- Integration credentials — broker API keys and secrets (encrypted with Fernet AES-128) only if you enable API sync
- Operational records — Stripe customer identifier, payment and refund history, feedback submissions and attachments
- Security telemetry — rate-limit events keyed by email or IP (24-hour cleanup), revoked-JWT identifiers, password-reset token IDs (purged at natural expiry), anonymous-on-delete API usage log
- Technical metadata — JWT token and theme preference in localStorage, IP address (redacted /24 or /48 in logs), browser and device info
Legal Basis for Processing
- Contract (Art. 6(1)(b)) — account creation, service provision, payment processing
- Legal obligation (Art. 6(1)(c)) — 6-year retention of tax-report-supporting records per Irish TCA 1997 s.886
- Legitimate interest (Art. 6(1)(f)) — security, fraud prevention, rate-limit telemetry
- Consent (Art. 6(1)(a)) — Google Analytics 4 and Vercel Speed Insights (disabled until you accept the cookie banner)
Data Storage & Security
All data is stored within the European Union. PPS numbers and broker API credentials are encrypted at rest using Fernet (AES-128). All traffic is encrypted via TLS/SSL. Passwords are hashed using PBKDF2-SHA256 with a per-user salt (never reversible). Strict multi-tenancy isolation is enforced.
Breach notification. We will notify the Irish Data Protection Commission within 72 hours of a personal-data breach likely to result in risk to your rights, per GDPR Article 33, and will notify affected users directly when Article 34 applies.
Third-Party Services
- Stripe — historical payment records and future checkout readiness if paid access is reintroduced (EU via Stripe Technology Europe Ltd.; SCCs cover US pipeline steps)
- Google — optional OAuth sign-in and Google Analytics 4 with Consent Mode v2 (US; SCCs)
- Vercel Speed Insights — consent-gated real-user performance measurements (EU plus global edge; SCCs)
- Resend — transactional email delivery (US; SCCs)
- CoinGecko / CryptoCompare / yfinance / Stooq / European Central Bank / Frankfurter — price and FX data (asset tickers only, no user PII)
- Binance, Bybit, Kraken — only when you explicitly enable broker API sync in Settings → Integrations; CSV imports involve no broker communication
- Railway — backend hosting and PostgreSQL (primary EU region; SCCs for US fallback)
- Vercel — frontend hosting and edge CDN (no user data stored on edge beyond HTTP access logs; SCCs)
Cookies & Tracking
The cookie banner offers two categories: Essential cookies (always on — authentication, session, your saved preferences) and Analytics (toggleable, default off). We use Google Consent Mode v2: analytics_storage defaults to denied at page load. Google Tag Manager, GA4, and Vercel Speed Insights do not load until you opt in. No advertising cookies, retargeting, or profiling. Your choice is stored as versioned JSON in your browser's localStorage and may re-prompt on material policy changes; change it at any time via “Manage Cookies” in the page footer.
Data Retention
- Active accounts — retained while your account is active
- Deleted accounts — personal and financial data permanently deleted within 30 days
- Encrypted backups — retained 90 days for disaster recovery, then purged
- Debug files — automatically deleted after 30 days
- Operational logs (API call timing, export events, rate-limit telemetry) — retained as necessary for service operation and security; automated retention limits being implemented
- Legal retention — for tax years where you have generated a filed tax report, supporting investment-transaction data is retained for 6 years per Irish Revenue (Taxes Consolidation Act 1997, section 886), together with payment and purchase records. Unfiled-year data is eligible for erasure on request.
Your Rights Under GDPR
As an EU resident, you have the right to: access your data (Art. 15), rectify inaccuracies (Art. 16), erase your data (Art. 17), port your data in machine-readable JSON format via Settings → Account → Your Data (Art. 20), object to processing (Art. 21), restrict processing (Art. 18), withdraw consent (Art. 7(3)), and lodge a complaint with the Irish Data Protection Commission at www.dataprotection.ie (Art. 77). Account deletion is available in Settings → Account, or by emailing support@irish-investor.com if you cannot access your account. Verified deletion requests complete within 30 days, subject to records we are legally required to retain.
How to Exercise Your Rights
Email support@irish-investor.com describing the right you wish to exercise. We verify your identity via your registered email and respond within 1 month (extendable by 2 months for complex requests per Art. 12(3)). Self-service shortcuts: download data via Settings → Account → Your Data; rectify tax profile via Settings → Tax Profile; withdraw analytics consent via the cookie banner. Withdrawing analytics consent immediately updates Google Consent Mode, unmounts Vercel Speed Insights, and stops Web Vitals events from being sent from the page; reloading after Reject All starts without analytics scripts.
Data Sharing
We never sell, rent, or trade your data. Data is shared only with the service providers listed above as necessary for their function, or when required by law.
International Transfers
Your primary data at rest is in the European Union. Transfers to non-EU processors (Google, Resend, Yahoo Finance, US fallback for Railway or Vercel) are covered by Standard Contractual Clauses under GDPR Article 46.
Children's Privacy
The Service is not intended for individuals under 18 years of age (service-terms floor; note Irish Article 8 GDPR digital-age-of-consent is 16). We do not knowingly collect personal information from persons under 18. Contact us immediately if you believe we have inadvertently collected data from a minor.
Changes to This Policy
We may update this Privacy Policy from time to time. Changes will be posted here with an updated effective date. Material changes affecting your rights or introducing new data collection will be communicated via email at least 30 days before they take effect.
Contact Us
For questions about this Privacy Policy, to exercise your GDPR rights, or to report a data protection concern: support@irish-investor.com — we respond within 1 month.