Upgrade
Get started free

Privacy Policy

InvestKit – Privacy Policy (v2) Effective Date: February 10, 2026 • Last Updated: February 10, 2026 This Privacy Policy explains how InvestKit ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the InvestKit website, applications, and related services (the "Service"). We are based in the European Union and process all personal data in accordance with the EU General Data Protection Regulation (GDPR). Users outside the EU benefit from the same protections. By creating an account or using the Service, you acknowledge that you have read and understood this Privacy Policy. 1. Who We Are Data Controller: InvestKit ([Legal Entity Name], [Registration Number], [Registered Address]) Contact: support@investkit.io InvestKit is a financial analytics platform operated by an EU-based entity. We are the data controller for the personal data described in this policy. 2. What Data We Collect We collect the minimum data necessary to provide and improve the Service. 2.1 Account Data When you sign up, we collect: • Email address (required — your primary identifier) • Name (optional — if provided via your Google account) • Profile picture URL (optional — if provided via your Google account) • Authentication identifiers (Google OAuth provider ID) We support two sign-in methods: • Google OAuth (we receive your email, name, and profile picture from Google) • Passwordless email login (we send a time-limited magic link to your email) We do not store passwords. We do not access your Google account beyond basic profile information. 2.2 Subscription and Billing Data When you subscribe to a paid plan, we collect: • Stripe Customer ID (a unique identifier linking you to your Stripe account) • Subscription details (plan tier, billing cycle, subscription status, billing period dates) We do NOT collect or store: • Credit card numbers • Bank account details • Payment card expiration dates or CVVs All payment information is handled directly by Stripe, our payment processor. Your payment details are entered on Stripe-hosted pages that never touch our servers. Stripe is PCI-DSS Level 1 certified. 2.3 Usage Data We collect information about how you use the Service: • Pages visited and features used • Search queries (ticker symbols, company lookups) • Projections and models you create • Interactions with charts and tools This data helps us understand which features are valuable and where to improve. 2.4 Device and Technical Data When you access the Service, we automatically collect: • IP address • Approximate geographic location (country, region, and city) derived from your IP address • Browser type and version • Device type and operating system • Referring URL • Date and time of access 2.5 Cookies and Local Storage We use cookies and local storage for the following purposes: Essential (no consent required): • Authentication session cookie — keeps you logged in • CSRF protection cookie — prevents cross-site request forgery • Rate-limiting cookie (rl_anon) — used to enforce API rate limits and prevent abuse. Contains a signed anonymous identifier and does not store directly identifying personal information. Duration: 30 days. Analytics (consent-based): • Analytics cookies — help us understand product usage patterns We do not use cookies for advertising, retargeting, or cross-site tracking. You can manage your cookie preferences at any time using the "Manage Cookies" link in the footer of any page. 2.6 Communications We send transactional emails only: • Magic link login emails • Subscription confirmation and billing-related emails (sent by Stripe) We do not send marketing emails. We do not sell your email address or share it for marketing purposes. 2.7 User-Created Content You may create content within the Service, such as: • Financial projections (DCF models) • Reverse DCF calculations This content is stored in our database and associated with your account. 2.8 Consent and Legal Records We track: • Which version of our Terms & Conditions you accepted and when • Which version of this Privacy Policy you accepted and when • Whether you acknowledged the financial disclaimer This is required for legal compliance and is retained as long as necessary. 3. How We Use Your Data We use your personal data for the following purposes: • Provide the Service (authentication, feature access) — Data used: account data, session data — Legal basis: contractual necessity • Process subscriptions and billing — Data used: email, Stripe IDs, subscription details — Legal basis: contractual necessity • Send login and authentication emails — Data used: email address — Legal basis: contractual necessity • Feature gating based on subscription tier — Data used: subscription tier and status — Legal basis: contractual necessity • Product analytics and improvement — Data used: usage data, device data — Legal basis: legitimate interest • Error detection and debugging — Data used: technical data, error context — Legal basis: legitimate interest • Security and fraud prevention — Data used: IP address, session data — Legal basis: legitimate interest • Legal compliance and record-keeping — Data used: consent records, billing data — Legal basis: legal obligation We do NOT: • Sell your personal data to anyone • Use your data for advertising or ad targeting • Build marketing profiles from your usage data • Share your data with data brokers 4. Who We Share Data With We share personal data only with service providers who help us operate the Service. Each provider has a specific, limited role: 4.1 Payment Processing — Stripe • What we share: Your email address and an internal user ID (in metadata) • What Stripe handles: Payment card details, billing addresses, invoices, receipts • Why: To process subscription payments • Stripe's privacy policy: stripe.com/privacy 4.2 Product Analytics — PostHog • What is collected: Page views, feature usage events, user ID (for session linking) • Why: To understand how the product is used and identify improvements • Configuration: Autocapture is disabled; we track only specific, defined events. We respect the Do-Not-Track (DNT) browser signal. • PostHog's privacy policy: posthog.com/privacy 4.3 Error Monitoring — Sentry • What is collected: Error stack traces, request URLs, browser/device info, user ID (for error context) • Why: To detect, diagnose, and fix application errors • Sentry's privacy policy: sentry.io/privacy 4.4 Logging — Axiom • What is collected: Server-side request metadata (anonymized IP address, approximate geographic location, request path, HTTP method, user agent, referrer URL), API error logs, system events, and Stripe webhook event metadata • Why: Application monitoring, performance analysis, error investigation, and abuse detection • IP addresses are masked before transmission (last octet removed). Geographic location (country, region, city) is derived from the IP address and used to monitor regional service performance. • Axiom’s privacy policy: axiom.co/privacy 4.5 Hosting — Vercel • What is processed: All request/response data passes through Vercel's infrastructure • Why: The Service is hosted on Vercel's platform • Vercel's privacy policy: vercel.com/legal/privacy-policy 4.6 Database — Neon • What is stored: All account data, subscription data, and user-created content • Why: Neon provides our PostgreSQL database infrastructure • Neon's privacy policy: neon.tech/privacy 4.7 Email Delivery — Resend • What is shared: Your email address and login link content • Why: To deliver magic link authentication emails • How: Emails are sent via Resend, a transactional email delivery service • Email is processed transiently and not stored beyond delivery • Resend’s privacy policy: resend.com/legal/privacy-policy 4.8 Authentication — Google • What is shared: Authentication requests (email, name, and profile picture are received from Google during OAuth sign-in) • Why: To provide “Sign in with Google” functionality • Google’s privacy policy: policies.google.com/privacy 4.9 Caching and Infrastructure — Upstash • Upstash provides caching and infrastructure services used to improve application performance and reliability. Upstash may process transient request metadata and cache keys required to operate these services. • Data is processed transiently and is not used for profiling or analytics. • Upstash’s privacy policy: upstash.com/trust/privacy.pdf We require all processors to handle data in accordance with our instructions and applicable data protection law. We maintain appropriate contractual protections with our processors in accordance with GDPR Article 28, including Data Processing Agreements where applicable. 5. Financial Data Providers The Service displays financial data sourced from third-party providers including SEC EDGAR, Finnhub, and EODHD. When we request data from these providers, we send only ticker symbols and company identifiers. No personal data about you is shared with financial data providers. 6. International Data Transfers We are based in the EU. Some of our service providers process data outside the European Economic Area (EEA), including in the United States. Where personal data is transferred outside the EEA, we rely on: • Standard Contractual Clauses (SCCs) approved by the European Commission • The EU-US Data Privacy Framework (where the processor is certified) • Other legally recognized transfer mechanisms Our key processors and their locations: • Stripe — United States (EU-US Data Privacy Framework certified) • PostHog — European Union • Sentry — United States (Standard Contractual Clauses) • Axiom — United States (Standard Contractual Clauses) • Vercel — European Union • Neon — European Union • Resend — European Union • Upstash — See upstash.com/trust/privacy.pdf for processing locations 7. Data Retention We retain personal data only as long as necessary for each purpose: • Account data (email, name, profile) — until you delete your account • Authentication sessions — automatically expire after ~30 days • Magic link tokens — automatically expire after 10 minutes • Subscription data — until account deletion (billing records may be retained longer for tax/legal compliance) • User-created content (projections, models) — until you delete them or delete your account • Analytics data (PostHog) — per our PostHog retention configuration • Error data (Sentry) — 90 days (Sentry default) • System logs (Axiom) — per our Axiom retention configuration • Legal consent records — retained as long as legally required When you delete your account, we delete your personal data from our database. Some data may persist in backups for a limited period and in third-party systems according to their retention policies. 8. Your Rights If you are in the EU/EEA (or where similar rights apply), you have the following rights: • Right of access — Request a copy of the personal data we hold about you. • Right to rectification — Ask us to correct inaccurate data. • Right to erasure ("right to be forgotten") — Request deletion of your account and personal data. • Right to restriction — Ask us to limit how we process your data. • Right to data portability — Receive your data in a structured, machine-readable format. • Right to object — Object to processing based on legitimate interests (including analytics). • Right to withdraw consent — Where processing is based on consent (e.g., analytics cookies), you may withdraw at any time. To exercise any of these rights, contact us at support@investkit.io. We will respond within 30 days as required by GDPR. You also have the right to lodge a complaint with your local data protection supervisory authority. 9. Data Security We implement appropriate technical and organizational measures to protect your personal data: • All data transmitted between your browser and our servers is encrypted via TLS/HTTPS. • Database access is restricted and authenticated. • Payment data is handled entirely by Stripe (PCI-DSS Level 1 certified) and never stored on our servers. • Authentication uses secure, time-limited tokens — no passwords are stored. • OAuth tokens are stored securely in our database and protected by encryption at rest. • We use application-level error monitoring and logging to detect anomalies. No system is 100% secure. While we take reasonable precautions, we cannot guarantee absolute security of your data. 10. Children's Privacy The Service is intended for individuals aged 18 and older. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at support@investkit.io and we will promptly delete it. 11. Do-Not-Track We respect the Do-Not-Track (DNT) browser signal. When DNT is enabled, our analytics tools will not track your activity. 12. Changes to This Privacy Policy We may update this Privacy Policy as our Service or legal requirements evolve. When we make material changes: • We will update the "Effective Date" at the top of this policy. • We will notify you by email or in-app notification. • For significant changes, we may ask you to review and accept the updated policy before continuing to use the Service. We maintain previous versions of this Privacy Policy at investkit.io/privacy for your reference. 13. Contact Us For any questions about this Privacy Policy, your personal data, or to exercise your rights: Email: support@investkit.io We aim to respond to all privacy-related inquiries within 30 days.

Version: 2026-02-10 · Effective: February 10, 2026