Privacy Policy

Last updated: February 2026

1. Data Controller

Docevo s.r.o., Company ID (IČO): 17985366. Contact: support@myfinverse.app

2. Data We Collect

We collect the following data:

  • From Google OAuth: email address, display name, Google user ID
  • User-provided data: watchlist items, stock transactions (buy/sell with dates, prices, shares, fees), dividends received, portfolio groups, saved simulations, custom categories
  • Preferences: language, theme, debug logging setting
  • Security logs: IP address, user agent, login/logout events, CSRF violations, rate limit events
  • Technical: JWT tokens in HTTP-only cookies for authentication

3. Purpose of Processing

We process your data for the following purposes: providing portfolio tracking and investment simulation services, authentication and account security, and application improvement based on aggregate usage patterns. We do NOT use your data for advertising, profiling, or selling to third parties.

4. Legal Basis

We process your data based on: Contract performance (Art. 6(1)(b) GDPR) for providing the service you signed up for; Legitimate interest (Art. 6(1)(f) GDPR) for security logging; and Consent, which you can withdraw by deleting your account.

5. Data Storage and Security

Data is stored in a PostgreSQL database. Authentication uses JWT tokens in HTTP-only, Secure, SameSite cookies. All POST endpoints are protected with CSRF tokens. API endpoints have rate limiting. All API access requires authentication. No personal data is stored in local files in production mode.

6. Third-Party Services

We use the following third-party services: Google OAuth for authentication only (Google receives your auth request during sign-in); and Yahoo Finance, via the yfinance library, for stock market data (no personal data is sent). We do not use any analytics services, advertising networks, or tracking pixels.

7. Cookies

We use ONLY essential functional cookies. No tracking, analytics, or advertising cookies are used.

  • access_token: JWT authentication token (1 hour expiry)
  • refresh_token: JWT refresh token (7 days expiry)
  • csrf_token: CSRF protection token

8. Your Rights under GDPR

Under the General Data Protection Regulation (GDPR), you have the following rights:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure (delete your account and all data)
  • Right to data portability (export in JSON format)
  • Right to withdraw consent at any time
  • Right to lodge a complaint with the supervisory authority (ÚOOÚ — Úřad pro ochranu osobních údajů, Czech Republic)

Contact us at: support@myfinverse.app

9. Data Retention

Account data is retained until you delete your account. Audit logs are retained for 12 months for security purposes. Upon account deletion, all personal data is permanently removed (CASCADE delete).

10. International Transfers

Your data is processed within the EU/EEA. We do not transfer personal data to third countries.

11. Changes to This Policy

We may update this privacy policy. Changes become effective upon posting. Last updated: February 2026.