Privacy Policy

01Introduction

This Privacy Policy ("Policy") describes how WealthView Ltd ("WealthView," "we," "us," or "our"), a company registered and operating under applicable law, collects, uses, stores, discloses, and protects personal data when you use the WealthView platform, accessible at wealthview.ltd(the "Service").

WealthView Ltd acts as the Data Controllerwithin the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") for all personal data processed through the Service.

This Policy applies to all users of the Service, regardless of geographic location. We have designed this Policy to comply with the GDPR, the California Consumer Privacy Act (CCPA) as amended by the CPRA, the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), and other applicable data protection legislation.

By creating an account or using the Service, you acknowledge that you have read and understood this Policy. If you do not agree with any part of this Policy, you must immediately discontinue use of the Service and request deletion of your account and associated data.

02Data We Collect

We collect and process the following categories of personal data. Each category is listed alongside the specific data points collected, the purpose for collection, and the lawful basis under Article 6 GDPR.

2.1 Account Information

2.2 Financial Data

2.3 Transaction Data

2.4 Usage Data

2.5 Device and Connection Information

2.6 Market Data (Third-Party Derived)

03How We Collect Data

3.1 Directly From You

The majority of data we process is provided directly by you when you:

• Create an account (email, password, display name, preferences)
• Add financial records (holdings, bank accounts, debts, budgets, goals, subscriptions, properties)
• Record transactions (trades, income events, manual entries)
• Configure settings (currency, language, notification preferences, 2FA enrollment)
• Contact us via email for support or feedback

3.2 Automatically

When you access the Service, we automatically collect certain technical data through server logs and essential cookies. This includes your IP address, browser type, operating system, referring URL, pages visited, timestamps, and error logs. We do not use third-party analytics platforms such as Google Analytics. All analytics are self-hosted.

3.3 From Third-Party APIs

When you add a stock ticker or cryptocurrency to your portfolio, we fetch publicly available market data from Financial Modeling Prep ("FMP") and CoinGecko. These API requests are made server-side from our infrastructure in Germany. We do not transmit your personal data (name, email, or financial holdings) to these third-party providers. Requests contain only the ticker symbol or asset identifier.

04Lawful Basis for Processing

Under Article 6 of the GDPR, we process personal data only where we have a valid lawful basis. The following table maps each processing activity to its corresponding lawful basis:

Where we rely on legitimate interest(Art. 6(1)(f)), we have conducted a Legitimate Interest Assessment ("LIA") and concluded that our interests do not override your fundamental rights and freedoms. You may request a copy of any LIA by contacting privacy@wealthview.ltd.

Where we rely on consent (Art. 6(1)(a)), you may withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal. Consent withdrawal can be performed in your account settings or by contacting privacy@wealthview.ltd.

05Why We Collect Data

We collect and process personal data strictly for the following specific, explicit, and legitimate purposes:

06How We Store Data

6.1 Database

We use a self-hosted PostgreSQL database managed through Supabase (self-hosted instance, not Supabase Cloud). This means your data is never processed by Supabase Inc. or stored on Supabase-managed infrastructure. The database runs entirely on our Hetzner servers under our exclusive administrative control.

6.2 Encryption at Rest

All sensitive data fields are encrypted using AES-256-GCM (256-bit Advanced Encryption Standard in Galois/Counter Mode) before being written to the database. Encryption keys are stored separately from the database in environment-restricted key stores and are rotated on a quarterly basis. Full-disk encryption (LUKS) is enabled on all server volumes.

6.3 Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3 with forward secrecy. We enforce HSTS (HTTP Strict Transport Security) with a minimum max-age of one year and include the preload directive. Our TLS configuration receives an A+ rating from Qualys SSL Labs. Internal communication between application services and the database uses mutual TLS (mTLS).

6.4 Backups

Automated encrypted backups are performed daily and retained for 30 days. Backups are encrypted with AES-256 before being written to disk and are stored on a separate Hetzner storage volume in the same German data centre region. Backup restoration procedures are tested monthly. Backups older than 30 days are securely deleted using cryptographic erasure.

07Data Sharing

We share limited data with the following categories of recipients, strictly as necessary to operate the Service:

For FMP and CoinGecko, we emphasise that no personal data is transmitted. API requests contain only the ticker symbol or coin identifier (e.g., "AAPL" or "bitcoin"). These providers cannot identify which user requested which data point.

7.1 Law Enforcement Disclosure

We may disclose personal data to law enforcement or regulatory authorities if required to do so by law (Art. 6(1)(c) GDPR) or in response to valid legal process (e.g., a court order, subpoena, or binding regulatory request). In such cases, we will: (a) verify the legal validity of the request; (b) limit the scope of data disclosed to the minimum necessary; (c) notify the affected user, unless legally prohibited from doing so; and (d) document the disclosure internally.

08Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this Policy, or as required by applicable law. The following table sets out our specific retention periods:

8.1 Account Deletion

When you request account deletion (via account settings or by emailing privacy@wealthview.ltd), we initiate the following process:

1. Your account is immediately deactivated and you are logged out of all sessions.
2. A 30-day grace period begins. During this period, you may contact us to reverse the deletion.
3. After 30 days, all personal data associated with your account is permanently deleted from the production database. This includes all financial data, transaction records, preferences, and usage data.
4. Within the next 30-day backup rotation cycle, all references to your data are purged from encrypted backups via cryptographic erasure.
5. Anonymised, aggregated statistical data that cannot be linked back to you may be retained indefinitely.

09Your Rights Under GDPR

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the GDPR and equivalent legislation. These rights are not absolute and may be subject to legal exemptions.

10Your Rights Under CCPA

If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), provides you with the following rights regarding your personal information:

To exercise any CCPA right, email privacy@wealthview.ltd with the subject line "CCPA Request" or use the in-app data export and deletion tools. We will verify your identity before processing the request by confirming your email address and, if necessary, requesting additional verification.

11Your Rights Under UAE PDPL

If you are located in the United Arab Emirates, Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL") and its implementing regulations grant you the following rights:

To exercise any right under the UAE PDPL, contact privacy@wealthview.ltd. We will respond within the timeframes prescribed by the UAE Data Office. If you are dissatisfied with our response, you have the right to lodge a complaint with the UAE Data Office.

12International Data Transfers

12.1 EU-to-UAE Transfers

Where WealthView Ltd or its operators access personal data from the United Arab Emirates for administrative purposes (e.g., customer support, system maintenance), such access constitutes an international data transfer under Chapter V of the GDPR (Articles 44-49). The UAE has not received an adequacy decision from the European Commission as of the date of this Policy.

To ensure lawful transfer, we rely on the following safeguards:

• Standard Contractual Clauses (SCCs): We implement the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) for any transfer of personal data to the UAE, as required by Article 46(2)(c) GDPR.
• Transfer Impact Assessment (TIA): We have conducted a Transfer Impact Assessment evaluating the legal framework of the UAE, including the UAE PDPL, to determine whether the laws of the UAE provide an essentially equivalent level of data protection. A copy of the TIA is available upon request.
• Supplementary Measures: All remote access from the UAE is conducted via encrypted VPN tunnels with multi-factor authentication. Access is restricted to the minimum necessary data, and all administrative actions are logged and audited.

12.2 Transfers to Market Data Providers

API requests to FMP (United States) and CoinGecko (Singapore) contain only non-personal ticker identifiers. As no personal data is transmitted to these providers, these interactions do not constitute international data transfers under the GDPR. Nevertheless, we have assessed these data flows as part of our overall privacy impact analysis.

12.3 Cloudflare

Cloudflare may process IP addresses and request metadata at global edge nodes. Cloudflare is certified under the EU-US Data Privacy Framework and we have entered into a Data Processing Agreement (DPA) with Cloudflare that includes the Standard Contractual Clauses. We have configured Cloudflare to route EU traffic through EU data centres where possible.

13Cookies and Tracking

WealthView uses a minimal number of cookies, strictly limited to those necessary for the operation and security of the Service. We do not use third-party advertising or tracking cookies.

13.1 Strictly Necessary Cookies

These cookies are essential for the functioning of the Service and cannot be disabled. They do not require consent under Article 5(3) of the ePrivacy Directive (2002/58/EC) as they are strictly necessary for the provision of the Service explicitly requested by the user.

13.2 Analytics Cookies

We do not currently use any analytics cookies. If we introduce analytics cookies in the future, they will be opt-in only and will require your explicit consent before being set. We will update this Policy and display a cookie consent banner accordingly.

13.3 Managing Cookies

You can manage cookies through your browser settings. Please note that disabling strictly necessary cookies will prevent you from using the Service, as they are required for authentication and security. Instructions for managing cookies can be found in your browser's help documentation.

13.4 Do Not Track

WealthView honours "Do Not Track" (DNT) browser signals. As we do not engage in cross-site tracking, no behavioural changes are necessary in response to DNT signals, but we recognise and respect them as an expression of user preference.

14Security Measures

We implement comprehensive technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction, in accordance with Article 32 of the GDPR.

14.1 Encryption

• Data at rest: AES-256-GCM encryption for all sensitive data fields in the database. Full-disk encryption (LUKS) on all server volumes.
• Data in transit: TLS 1.3 with forward secrecy for all client-server communication. HSTS enforced with preload. Internal services communicate via mutual TLS (mTLS).
• Backups: AES-256 encrypted before storage. Decryption keys stored in separate, access-controlled key stores.

14.2 Authentication and Access Control

• Password hashing: All passwords are hashed using bcrypt with a minimum cost factor of 12. Plaintext passwords are never stored or logged.
• Two-Factor Authentication (2FA): TOTP-based two-factor authentication is available and recommended for all users. 2FA secrets are encrypted with AES-256 before storage.
• Row-Level Security (RLS): PostgreSQL Row-Level Security policies ensure that each authenticated user can only access their own data. RLS is enforced at the database level, providing defence-in-depth even if application-level access controls are bypassed.
• Session management: Short-lived JWT access tokens (1-hour expiry) with refresh token rotation. Concurrent session limits enforced.
• Administrative access: Server access is restricted to key personnel via SSH key-based authentication only (password SSH disabled). All administrative actions are logged.

14.3 Network Security

• Firewall: UFW (Uncomplicated Firewall) configured with a default-deny inbound policy. Only ports 80 (HTTP, redirects to HTTPS), 443 (HTTPS), and a non-standard SSH port are open.
• Brute-force protection: fail2ban monitors SSH and application authentication endpoints, automatically banning IP addresses after repeated failed attempts.
• DDoS protection: Cloudflare Tunnel provides DDoS mitigation and rate limiting. The server's public IP is not directly exposed.
• Rate limiting: API endpoints are rate-limited to prevent abuse. Authentication endpoints have stricter limits (5 attempts per minute per IP).

14.4 Monitoring and Incident Response

• Real-time server monitoring with alerting for anomalous activity.
• Centralised logging with tamper-evident log storage.
• Documented incident response plan with defined roles and escalation procedures.
• Regular security assessments and dependency vulnerability scanning.

15Data Breach Notification

In the event of a personal data breach as defined by Article 4(12) of the GDPR (a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data), we will take the following actions:

15.1 Supervisory Authority Notification (Art. 33 GDPR)

Where a breach is likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority (the Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, "BfDI", for Germany) without undue delay and no later than 72 hours after becoming aware of the breach. The notification will include: (a) the nature of the breach including approximate number of affected data subjects and records; (b) the name and contact details of our DPO or point of contact; (c) the likely consequences of the breach; and (d) the measures taken or proposed to address and mitigate the breach.

15.2 User Notification (Art. 34 GDPR)

Where a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via: (a) email to your registered email address; and (b) an in-app notification banner visible upon login. The notification will describe the nature of the breach, the likely consequences, and the measures taken to address and mitigate it, along with recommendations for protective steps you can take (e.g., changing your password, enabling 2FA).

15.3 UAE PDPL Notification (Art. 9, UAE PDPL)

Where the breach affects data subjects located in the UAE, we will additionally notify the UAE Data Office immediately upon becoming aware of the breach, as required by the UAE PDPL and its implementing regulations.

15.4 US State Law Compliance

For users located in the United States, we will comply with applicable state breach notification laws, including but not limited to the California Data Breach Notification Law (Cal. Civ. Code § 1798.82), which requires notification "in the most expedient time possible and without unreasonable delay."

15.5 Breach Documentation

In accordance with Article 33(5) GDPR, we maintain a comprehensive internal register of all personal data breaches, regardless of whether they trigger a notification obligation. This register documents the facts of each breach, its effects, and the remedial actions taken. The register is maintained for a minimum of 5 years and is available for inspection by the competent supervisory authority upon request.

16Children and Minors

WealthView does not knowingly collect, solicit, or process personal data from children under the age of 18. By creating an account, you represent and warrant that you are at least 18 years of age.

COPPA Compliance:In compliance with the Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506), we do not knowingly collect personal information from children under the age of 13 in the United States.

UK Age Appropriate Design Code: As a financial services application intended exclusively for adults, we do not design features to appeal to children and do not implement age-appropriate design features. The nature of the Service (investment tracking, debt management, portfolio analysis) is inherently directed at adults.

If we discover that we have inadvertently collected personal data from a minor under 18, we will:

1. Immediately suspend the account.
2. Delete all personal data associated with the account within 48 hours of discovery.
3. Purge the data from all backup systems within the next backup rotation cycle (maximum 30 days).
4. Notify the minor's parent or legal guardian, if contact information is available.

If you believe a minor has created an account or provided personal data to WealthView, please contact us immediately at privacy@wealthview.ltd.

17Automated Decision-Making and Profiling

In accordance with Article 22 of the GDPR, we provide the following disclosures about automated decision-making and profiling activities within the Service.

17.1 Financial Health Scores

WealthView may generate a "Financial Health Score" or similar aggregate metric based on your manually entered financial data. This score is calculated using deterministic algorithms that consider factors such as debt-to-income ratio, savings rate, portfolio diversification, budget adherence, and emergency fund adequacy. This feature is opt-in only and is activated only with your explicit consent.

Important: Financial Health Scores are provided for informational and educational purposes only. They do not constitute financial advice, credit scoring, creditworthiness assessments, or recommendations to buy, sell, or hold any financial instrument. The scores do not produce legal effects and are not used to make decisions that significantly affect you.

17.2 AI-Powered Insights

WealthView may offer AI-powered analytical insights about your portfolio (e.g., sector concentration warnings, correlation analysis, volatility assessments). These insights are generated by automated analysis of your portfolio composition against publicly available market data. This feature is opt-in only.

These insights:

• Are advisory only and do not constitute investment advice or personal recommendations
• Do not produce legal effects or similarly significantly affect you within the meaning of Art. 22(1) GDPR
• Are not shared with third parties
• Are not used for profiling for marketing or advertising purposes

17.3 Your Rights Regarding Automated Decisions

Under Article 22 GDPR, you have the right to:

• Opt out: Disable any automated analysis features at any time in your account settings.
• Obtain explanation: Request a meaningful explanation of the logic involved in any automated analysis, the significance, and envisaged consequences.
• Contest results: Request human review of any automated output you disagree with.
• Express your point of view: Provide feedback on the accuracy or appropriateness of any automated insight.

18Sub-processors

In accordance with Article 28 of the GDPR, we disclose the following third-party sub-processors that process personal data on our behalf or to whom personal data may be transmitted in the course of operating the Service:

We will notify users of any intended changes to our sub-processor list by updating this Policy and, for material changes, by notifying you via email at least 30 days before the new sub-processor begins processing personal data. If you object to a new sub-processor, you may terminate your account and request deletion of your data.

19Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or features of the Service. When we do, we will:

19.1 Non-Material Changes

For minor changes (e.g., typographical corrections, formatting changes, clarifications that do not alter the substance of the Policy), we will update the "Last updated" date at the top of this page and publish the revised Policy on the Service. Your continued use of the Service after the updated Policy is posted constitutes your acceptance of the changes.

19.2 Material Changes

For material changes (e.g., new categories of data collected, new sub-processors, changes to data sharing practices, changes to retention periods, introduction of new processing activities), we will:

1. Send a notification to your registered email address at least 30 days before the changes take effect.
2. Display a prominent in-app notification banner upon your next login.
3. Require you to actively re-accept the updated Policy before continuing to use the Service. We will not treat continued use as acceptance for material changes; affirmative action is required.
4. Provide a clear summary of what has changed, highlighting the specific sections affected.

19.3 Version History

We maintain a version history of all Privacy Policy revisions, accessible upon request. Each version is identified by its effective date and version number. The current version is Version 1.0, effective March 20, 2026.

If you do not agree with any material changes to this Policy, you must stop using the Service and request deletion of your account and data before the changes take effect.

20Contact and Complaints

20.1 Data Controller

20.2 Data Protection Officer

Given the nature and scale of our data processing activities, we are committed to appointing a Data Protection Officer (DPO) if and when our processing operations meet the thresholds set out in Article 37 of the GDPR. In the interim, all data protection inquiries should be directed to privacy@wealthview.ltd.

20.3 Supervisory Authority Complaints

If you believe that our processing of your personal data infringes the GDPR or other applicable data protection legislation, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us directly at privacy@wealthview.ltd before filing a complaint with a supervisory authority, as we are committed to resolving any data protection concerns promptly and transparently. We aim to respond to all privacy-related inquiries within 5 business days.