Last updated: May 2026

Privacy Policy

This policy explains what personal data FinToolbox collects, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).

1. Controller

The data controller within the meaning of Art. 4(7) GDPR is the operator of FinToolbox. Contact details are on the Impressum page. For privacy questions you can reach us at [email protected].

2. What we collect & why

2.1 Just visiting

When you visit the site, our hosting provider (Cloudflare) processes server logs containing IP address, user-agent, timestamp and the URL requested. This is necessary to serve the page and protect against abuse (Art. 6(1)(f) GDPR — legitimate interest). Logs are typically retained for up to 30 days.

2.2 Local preferences

We store preferences (theme, language, collapsed nav state, your sentiment vote for the day, recently used tool inputs) in your browser's localStorage. These never leave your device and are not personal data we control. You can clear them anytime in your browser settings.

2.3 Account & Trading Journal (optional)

If you create an account, we store your email, a username and (for Premium) a Stripe customer id in our Supabase database. If you use the Trading Journal, we store the trades you log there (entry/exit, instrument, notes, optional screenshot). Legal basis: Art. 6(1)(b) GDPR — performance of the contract you enter into when signing up.

2.4 Payments

Payments are handled by Stripe. We never see or store your card details — Stripe receives them directly and returns a customer id and subscription status to our worker. Legal basis: Art. 6(1)(b) GDPR.

2.5 Community sentiment poll

When you vote in the daily sentiment poll, we store a salted, daily-rotating fingerprint plus your choice (bull/bear) for the day, so the same browser cannot vote twice. We do not link this to an account. Legal basis: Art. 6(1)(f) GDPR — legitimate interest in preventing ballot stuffing.

3. Third-party processors

We use the following processors under Art. 28 GDPR (data processing agreements in place):

  • Cloudflare, Inc. — hosting (Pages), CDN, edge functions and the Worker API proxy. Data may be processed in the EU and the United States under SCCs.
  • Supabase, Inc. — authentication, database and file storage (for trading screenshots). EU region where available; SCCs otherwise.
  • Stripe, Inc. — subscription billing. Stripe is its own controller for payment data and is governed by its own privacy policy.
  • Google LLC — optional "Sign in with Google" (OAuth). Only used if you choose Google sign-in.
  • Google Fonts (CSS) — fonts are loaded from fonts.googleapis.com. This transfers your IP to Google.
  • External market-data providers — CoinGecko, Alternative.me, CryptoPanic, GoPlus, TradingView (for embedded widgets). When you load a tool, your browser may contact these endpoints directly or via our Worker.

4. Cookies & tracking

FinToolbox does not set advertising or analytics cookies on the free tools. Functional storage (localStorage) and the Supabase session cookie (only on auth-aware pages) are strictly necessary for the service to work and do not require consent under § 165 TKG. Cloudflare may set short-lived security cookies (e.g. __cf_bm) to mitigate bots.

5. International transfers

Some of our processors operate in the United States. Transfers are covered by EU Standard Contractual Clauses (Art. 46(2)(c) GDPR) and supplementary measures where required. You can request a copy of the relevant SCCs at [email protected].

6. Retention

  • Server logs: up to 30 days.
  • Account data & trading journal: for as long as your account exists. You can delete your account at any time on the account page; data is removed within 30 days, except where retention is legally required (e.g. tax/billing records up to 7 years).
  • Stripe billing records: kept by Stripe according to its own retention policy.
  • Sentiment poll fingerprints: rotated daily; no historical record per user.

7. Your rights

Under Art. 15–22 GDPR you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate data;
  • erase your data ("right to be forgotten");
  • restrict or object to processing;
  • data portability (receive your data in a machine-readable format);
  • withdraw consent at any time, where processing is based on consent.

To exercise any of these, email [email protected]. You also have the right to lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, dsb.gv.at).

8. Security

API keys live only on the server (Cloudflare Worker secrets), never in the frontend. Supabase enforces row-level security so users can only read their own rows. Traffic is TLS-encrypted end to end. No system is perfectly secure — please pick a strong, unique password and use a password manager.

9. Changes

We may update this policy. Material changes are announced on the site or by email at least 14 days before they take effect.

© 2026 FinToolbox. Not financial advice. Markets carry risk — use at your own discretion.