This Privacy Policy describes how Calavis(hereinafter, the “Controller” or “we”) processes the personal data of users of the Calavis service, an online investment portfolio tracking application, in accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection law.
1. Data controller
- Data controller: Calavis
- Website: https://calavis.io
- Privacy email: privacy@calavis.io
No Data Protection Officer (DPO) has been appointed, as this is not required under applicable law given the volume and nature of processing activities.
2. Scope
This policy applies to processing carried out through the website and the Calavis application, including account registration, authentication, CSV statement imports (for example, from Trade Republic), portfolio metrics display, and service-related communications.
3. Data we process
We may process the following categories of data:
- Identification and contact data: name, email address, and account identifier.
- Authentication data: encrypted credentials, session tokens, and, if enabled, an identifier linked to Google sign-in (OAuth).
- Portfolio financial data: transactions, positions, dividends, fees, and amounts you import manually or via CSV uploads.
- Technical data: IP address, device/browser identifiers, access logs, and cookies or similar technologies strictly necessary for operation and security.
- Usage data: interactions with the platform for maintenance, support, and service improvement.
We do not request special categories of data (health, ideology, etc.). You should not enter data in the service that is not necessary for tracking your portfolio.
4. Purposes and legal bases
- Provision of the contracted or requested service (registration, import, metric calculation, and portfolio display): performance of a contract or pre-contractual measures (Art. 6(1)(b) GDPR).
- Authentication, security, fraud prevention, and incident management: legitimate interest of the Controller (Art. 6(1)(f) GDPR), subject to measures safeguarding your rights.
- Compliance with legal obligations (retention of required information, response to authority requests): legal obligation (Art. 6(1)(c) GDPR).
- Operational communications about your account (technical notices, material service changes): contract performance or legitimate interest.
- Aggregated analysis and internal product improvement: legitimate interest, preferably using aggregated or pseudonymized data where possible.
We do not make automated decisions with legal effects concerning you, nor do we create profiles with that scope. Metrics shown (performance, estimated dividends, etc.) are informational and based on data you provide or import.
5. Recipients and processors
We may share data with providers that supply services to the Controller, acting as processors and only under our documented instructions, including:
- Authentication and user database provider (e.g. Supabase).
- Hosting and infrastructure provider (e.g. Vercel or other cloud services used in deployment).
- Market data or instrument logo providers, when necessary to display contextual information.
We do not sell or transfer your personal data to third parties for their own commercial purposes. Additional disclosures will only occur where required by law or with your prior consent.
6. International transfers
Some processors may be located outside the European Economic Area (EEA), particularly in the United States. In those cases, we ensure an adequate level of protection through Standard Contractual Clauses approved by the European Commission, adequacy decisions, or other mechanisms provided under the GDPR, depending on the specific provider.
7. Retention periods
- Account and portfolio data: while your account remains active and, after closure, for the period necessary to meet legal obligations or claims (typically up to 5 years for contractual matters, unless a different obligation applies).
- Technical and security logs: limited period, generally not exceeding 12 months, except for incident investigation.
- Data processed on the basis of consent: until withdrawal or end of the associated purpose.
After the retention periods expire, data will be deleted or irreversibly anonymized.
8. Cookies and similar technologies
We use cookies and local storage strictly necessary for session, security, and essential service preferences. We do not use third-party advertising cookies in the current version of the product. You may configure your browser to block them, although this may prevent the application from functioning correctly.
9. Your rights
If you are signed in, you can export your trades and request account deletion from My account. You may also exercise the following rights by contacting privacy@calavis.io, verifying your identity when necessary:
- Access to your personal data.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") where applicable.
- Restriction of processing in legally provided cases.
- Portability of data you have provided, in a structured format.
- Objection to processing based on legitimate interest.
- Withdrawal of consent at any time, without affecting the lawfulness of prior processing.
You also have the right to lodge a complaint with the Spanish Data Protection Agency (www.aepd.es) if you believe processing does not comply with applicable law.
10. Minors
The service is not directed at persons under 18. If we detect that a minor has registered without parental or legal guardian authorization, we will delete the account and associated data.
11. Security
We apply appropriate technical and organizational measures (encryption in transit, access control, backups, and secure development practices) to protect your data against unauthorized access, loss, or alteration. No system is completely infallible; we recommend using strong passwords and keeping your credentials confidential.
12. Changes to this policy
We may update this Privacy Policy to reflect legal or service changes. We will publish the current version on this page and indicate the update date. If changes are material, we will notify you by reasonable means (for example, email or an in-app notice).