Privacy Policy
Version: 2.0
Last Updated: May 25, 2026
Data Controller: WealthHive OU
⚠️ Service shutdown
The MyInvestments application is being wound down and will be permanently shut down on 10 June 2026. After that date, user accounts and portfolio data will be permanently deleted.
If you want to exercise your GDPR rights — access (art. 15), data portability (art. 20), or early erasure (art. 17) — before the database is permanently destroyed, write to kontakt@myinvestments.pl by 10 June 2026. After that date, requests can no longer be effectively fulfilled.
Data we are legally required to retain (in particular Stripe invoicing records — 5 years under tax law) will remain in retention with the relevant sub-processors for the periods required by law.
Introduction
This Privacy Policy explains how WealthHive OU ("we", "Operator") processes personal data of users of the MyInvestments service available at https://myinvestments.pl ("Service"). The document is aligned with Regulation (EU) 2016/679 ("GDPR"), the Estonian Personal Data Protection Act and the Polish Personal Data Protection Act of 10 May 2018.
1. Data Controller
| Field | Value |
|-------|-------|
| Name | WealthHive OU |
| Address | Saani tn 2/2-26, 10149 Tallinn, Estonia |
| Registry code | 16390486 |
| VAT EU | EE102742499 |
| Contact email | kontakt@myinvestments.pl |
Data Protection Officer (DPO): not appointed — processing does not meet the criteria for a mandatory DPO designation (GDPR art. 37). Decision documented in an internal register.
2. What data we process
2.1. Account data
- first and last name (if provided) or pseudonym
- email address
- password hash (bcrypt/argon2)
- session tokens, device identifiers
- OAuth tokens (Google) — only if you use social sign-in
2.2. Investment portfolio data
- asset names, types (stocks / ETFs / crypto / real estate / metals / forex)
- quantities, purchase prices, transaction dates
- currencies, locations (broker, bank, wallet)
- user labels and notes
- historical performance snapshots
Important: all data is entered manually by the user. We do not connect to brokerage, bank or crypto exchange accounts unless you explicitly configure an integration yourself (Exante, MetaMask, Bitcoin — see § 5).
2.3. Payment data
- subscription data (plan, status, dates)
- billing data (if required: name, VAT ID, address)
- card number is NOT stored by us — Stripe (PCI DSS Level 1) handles it
2.4. Technical and log data
- IP address
- browser type, operating system, device identifier
- access time, referring URLs
- cookies (see Cookie Policy)
2.5. Communication data
- content of messages submitted to support / contact form
- communication preferences (newsletter — opt-in)
3. Purposes and legal bases of processing
| Data category | Purpose | Legal basis (GDPR art. 6) | Retention |
|---------------|---------|---------------------------|-----------|
| Account data | Providing the service, authentication | (b) — contract performance | Until account deletion + 30 days |
| Portfolio data | Providing the service | (b) — contract performance | Until account deletion + 30 days |
| Payment data | Payment processing, accounting obligations | (b) + (c) (Estonian Accounting Act, Polish Accounting Act) | 7 years (accounting books) |
| IP, access logs | Security, abuse detection | (f) — legitimate interest (infrastructure protection) | 12 months |
| Analytics cookies | Product optimization | (a) — consent (cookie banner) | As per Cookie Policy |
| Marketing cookies / Google Ads | Ad campaign measurement, remarketing | (a) — consent (cookie banner) | As per Cookie Policy |
| Newsletter / email marketing | Marketing communication | (a) — opt-in consent | Until consent withdrawn |
| Communication data | Handling support tickets | (b) / (f) | 24 months from case closure |
| Invoices, accounting records | Tax obligations (EE, PL) | (c) — legal obligation | 7 years (per tax law) |
4. Data security
In line with GDPR art. 32 we apply technical and organisational measures appropriate to the risk, including:
- in-transit encryption (TLS 1.2+)
- password hashing (bcrypt/argon2 — never plain text)
- two-factor authentication (2FA) and passkeys (WebAuthn) support
- access controls at application and database level
- security monitoring and event logging
- regular backups with restore testing
- breach handling procedure (72h notification per GDPR art. 33)
- Encrypted Vault (PRO) — optional client-side encryption of selected fields (amounts, purchase prices, location names, label names) with a key known only to the user
The measures applied undergo periodic state-of-the-art reviews. Absolute security does not exist — should a breach occur, we will notify supervisory authorities and affected individuals as required by GDPR art. 33–34.
5. Sub-processors and data transfers
We rely on the following entities that process data on our instructions. Each sub-processor is bound by a data processing agreement (DPA) under GDPR art. 28.
| Sub-processor | Purpose | Processing location | Transfer mechanism outside EEA |
|---------------|---------|---------------------|--------------------------------|
| Stripe Payments Europe Ltd / Stripe Inc. | Payment processing | Ireland + USA | SCC + EU-US Data Privacy Framework (DPF) |
| Vercel Inc. | App hosting, CDN, Edge Functions | USA (EU regions for Edge data) | SCC + DPF |
| Supabase Inc. | PostgreSQL database, authentication | EU (Frankfurt) | No transfer — EU region |
| Render Services Inc. | Background workers (price refresh, snapshots) | USA | SCC + DPF |
| Google LLC | OAuth (social sign-in), Google Analytics, Google Ads | USA | SCC + DPF |
| Vercel Inc. (Analytics, Speed Insights) | Cookieless traffic and performance analytics | USA | SCC + DPF |
| Brevo (Sendinblue SAS) | Transactional email delivery | France, EU | No transfer — EU region |
| CoinGecko Ltd | Crypto market data | United Kingdom | UK adequacy decision (28.06.2021) |
| Finnhub.io | US stock market data | USA | SCC + DPF — no personal data in requests |
| Yahoo Finance | Market data (international instruments) | USA | SCC — no personal data in requests |
| NBP (National Bank of Poland) | FX rates, Polish retail bonds | Poland, EU | No transfer — EU region |
| ExchangeRate-API LLC | FX rates | USA | SCC — no personal data in requests |
| Moralis (MetaMask integration — optional) | Reading ERC-20/ETH balances | USA | SCC + DPF — invoked on user request |
| Exante (broker integration — optional) | Position synchronisation | Malta, EU / Cyprus | No transfer — EU region |
The sub-processor list is updated on an ongoing basis. We notify users of any new sub-processor 30 days in advance by email. Users may raise a justified objection, in which case they have the right to terminate the subscription with a pro-rata refund.
6. Data sharing outside sub-processors
We DO NOT sell personal data. We may share data only:
- at the request of competent authorities (courts, prosecutors, tax authorities) — strictly within the limits required by law
- in the event of a merger, acquisition or asset sale — with an obligation for the acquirer to honor this Policy
- with the user's explicit consent
7. Your rights (GDPR art. 15–22)
You are entitled at any time to:
- Right of access to your data (art. 15) — you may obtain a copy of your data and information about processing
- Right to rectification of inaccurate data (art. 16)
- Right to erasure ("right to be forgotten", art. 17)
- Right to restriction of processing (art. 18)
- Right to data portability in a structured format (art. 20)
- Right to object to processing based on legitimate interest or direct marketing (art. 21)
- Right not to be subject to a decision based solely on automated processing, including profiling (art. 22) — we do not apply automated decision-making to users
- Right to withdraw consent at any time (where processing is based on consent) — withdrawal does not affect the lawfulness of processing prior to withdrawal
How to exercise your rights
Email: kontakt@myinvestments.pl or account settings ("Privacy and data" panel).
Response time: up to 1 month (GDPR art. 12(3)), extendable by another 2 months in complex cases — we will inform you within the first month.
Right to lodge a complaint (art. 77)
If you believe we process your data unlawfully, you have the right to lodge a complaint with:
- President of the Personal Data Protection Office (UODO) — Poland, ul. Stawki 2, 00-193 Warsaw, https://uodo.gov.pl
- Andmekaitse Inspektsioon (AKI) — Estonia, Tatari 39, 10134 Tallinn, https://www.aki.ee
- or any other supervisory authority in your country of habitual residence, place of work or place of the alleged infringement
8. Cookies
We use cookies and similar technologies for the Service to work and — with your consent — for preferences, analytics and marketing purposes. Details, full cookie list and consent management: Cookie Policy.
You can change your cookie preferences at any time by clicking the 🍪 icon in the Service footer.
9. Territorial scope and choice of law
Data processing is subject to GDPR and the local laws of EU/EEA member states where users are located.
This Privacy Policy is governed by the law of the Republic of Estonia (seat of the Controller). The above choice of law shall not deprive a consumer of the protection afforded by mandatory provisions of the law of the country in which the consumer has their habitual residence (Regulation Rome I, art. 6(2)).
10. Children
MyInvestments is not intended for individuals under 18 years of age. We do not knowingly collect data from children. If we discover that we have collected data from a person under 18 without a legal guardian's consent, we will delete it without undue delay. Reports: kontakt@myinvestments.pl.
11. Changes to this Privacy Policy
We may update this Privacy Policy. Significant changes will be communicated:
- by email to registered users at least 30 days in advance,
- by in-app notification,
- by publishing a new version with the updated date.
Archived versions are available on request at kontakt@myinvestments.pl.
12. Contact
WealthHive OU
Saani tn 2/2-26, 10149 Tallinn, Estonia
Registry code: 16390486
VAT EU: EE102742499
- Contact (all matters): kontakt@myinvestments.pl
13. Disclaimers
MyInvestments does not provide investment, financial, tax or legal advice. The Service is a portfolio tracking tool. Data presented in the Service is informational only. Consult a licensed investment advisor for investment matters.
By using MyInvestments, you acknowledge that you have read and understood this Privacy Policy.