Privacy Policy

Last updated: February 17, 2026

1. Data Controller

Responsible for data processing:

Holger Franzen
Uferstr. 61
50996 Köln
Germany

E-Mail: privacy@portdive.com

2. Overview of Processing

PortDive is in the alpha phase.
Access is by invitation only. The platform is used to test portfolio analysis functions using our own AI algorithms.

What data do we process?

  • Account data: Name and email address (provided by OAuth provider during sign-in)
  • OAuth identification: Provider-specific user ID (to link your account)
  • Portfolio data: Investment information you enter (stocks, positions, analyses)
  • Usage data: Login time, last activity
  • Technical data: IP address (in server logs)

What we do NOT process:

  • No passwords — sign-in exclusively via OAuth providers (Google, LinkedIn, GitHub, Meta)
  • No sharing with third parties (no marketing partners, no external AI services)
  • No tracking cookies (only one technically necessary HttpOnly cookie)
  • No profiling for advertising purposes

3. Legal Basis for Processing

Art. 6 (1) GDPR:

  • lit. a (Consent): You have voluntarily participated in the alpha test and consented to data processing.
  • lit. b (Contract fulfillment): Provision of platform functions (OAuth login, portfolio management, AI analyses).
  • lit. f (Legitimate interest): Technical security, server logs for error analysis, CDN delivery for performant and secure website serving.

4. Authentication and Sign-In

OAuth 2.0 Sign-In

PortDive uses OAuth 2.0 exclusively for authentication. No passwords are stored or processed. You sign in through one of the following providers:

Providers and data received:

  • Google: Name, email address, profile picture URL
  • LinkedIn: Name, email address, profile picture URL
  • GitHub: Username, email address, profile picture URL
  • Meta (Facebook): Name, email address, profile picture URL

We only receive the data listed above. We do not have access to your password at the provider, your contacts, or other profile information.

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment — provision of login service)

Session security measures

  • Token encryption: X25519 (ECDH) + AES-256-GCM
  • Access token storage: Encrypted in WASM memory (AES-256-GCM), never stored in browser localStorage
  • Access token validity: 14-day sliding window (extended on each use)
  • Refresh token storage: HttpOnly cookie (not accessible via JavaScript)
  • Refresh token validity: 30-day sliding window with rotation
  • Exfiltration protection: Content Security Policy prevents data exfiltration to external servers

5. Storage Location and Security

Where is your data stored?

Backend server (application and API):

  • Provider: Hetzner Online GmbH (Gunzenhausen, Bavaria, Germany)
  • Location: Germany (Falkenstein / Nuremberg)
  • Legal basis: Art. 28 GDPR

Database:

  • Provider: Aiven Oy (Helsinki, Finland (EU))
  • Location: EU (Frankfurt / Amsterdam)
  • Legal basis: Art. 28 GDPR

Frontend / CDN:

  • Provider: Cloudflare, Inc. (San Francisco, USA)
  • Purpose: Content Delivery Network (CDN), DDoS protection, static frontend hosting
  • Data processed: IP addresses, HTTP headers, timestamps (no authentication data, no user data)
  • Transfer mechanism: EU-US Data Privacy Framework (DPF, participant #5666) + Standard Contractual Clauses (SCCs) as fallback
  • Certifications: ISO 27001, ISO 27018, ISO 27701, BSI C5

Data transfers to third countries

Your personal data (account, portfolio, usage data) is processed exclusively on EU servers. Only for CDN delivery of the static website are IP addresses and HTTP headers processed by Cloudflare (see Section 8).

How do we protect your data?

  • Encryption in transit: TLS 1.3 (HTTPS)
  • Encryption at rest: AES-256-GCM (server-side)
  • Token encryption: X25519 (ECDH) + AES-256-GCM
  • Browser security: Access tokens are encrypted in WASM memory (AES-256-GCM), never stored in browser localStorage
  • Content Security Policy: Content Security Policy prevents data exfiltration to external servers
  • Access control: Only authorized developers have access to the database
  • Backups: Encrypted, within the EU

6. AI Processing (In-House)

Our own AI algorithms:

PortDive uses its own AI models running on our EU servers. Your portfolio data is not transmitted to external AI providers (e.g., OpenAI, Anthropic, Google).

Processing purpose:

  • Creation of portfolio analyses
  • Identification of market trends
  • Generation of investment hints (not investment advice)

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment)

Important note: AI analyses are for informational purposes only. PortDive does not provide investment advice within the meaning of German securities law (WpHG). You make investment decisions at your own responsibility.

7. Cookies and Tracking

Which cookies do we use?

Technically necessary cookies (no consent required):

Name | Purpose | Duration
pdt | Refresh token for automatic session renewal (HttpOnly — not accessible via JavaScript) | 30 days (sliding window, renewed on use)

Browser storage (not a cookie):

Additionally, a temporary flag is stored in sessionStorage (portdive_auth_state), used solely to preserve login status during page reload. This flag contains no personal data and is automatically deleted when the browser tab is closed.

Tracking/Analytics:

We do not use any analytics tools (no Google Analytics, no Facebook Pixel, no Cloudflare Web Analytics).

Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest in technical functionality)

8. Data Sharing

Who do we share data with?

1. Backend hosting (data processor):

  • Provider: Hetzner Online GmbH
  • Headquarters: Gunzenhausen, Bavaria, Germany
  • Purpose: Provision of server infrastructure (application, API, gRPC)
  • Data location: Germany (Falkenstein / Nuremberg)
  • Legal basis: Art. 28 GDPR
  • Data protection: Data Processing Agreement (DPA) concluded

2. Database hosting (data processor):

  • Provider: Aiven Oy
  • Headquarters: Helsinki, Finland (EU)
  • Purpose: Managed PostgreSQL database for user and portfolio data
  • Data location: EU (Frankfurt / Amsterdam)
  • Legal basis: Art. 28 GDPR
  • Data protection: Data Processing Agreement (DPA) concluded

3. CDN / frontend hosting (data processor):

  • Provider: Cloudflare, Inc.
  • Headquarters: San Francisco, USA
  • Purpose: Content Delivery Network (CDN), DDoS protection, static frontend hosting
  • Data processed: IP addresses, HTTP headers, timestamps (no authentication data, no user data)
  • Transfer mechanism: EU-US Data Privacy Framework (DPF, participant #5666) + Standard Contractual Clauses (SCCs) as fallback
  • Certifications: ISO 27001, ISO 27018, ISO 27701, BSI C5
  • Legal basis: Art. 6 (1) lit. f GDPR (legitimate interest)
  • Data protection: Data Processing Agreement (DPA) concluded

4. OAuth providers (joint responsibility during sign-in):

  • Google: Name, email address, profile picture URL
  • LinkedIn: Name, email address, profile picture URL
  • GitHub: Username, email address, profile picture URL
  • Meta (Facebook): Name, email address, profile picture URL

During sign-in, data is exchanged between PortDive and the chosen OAuth provider. We only receive the basic data listed above (name, email). The provider learns that you are signing in to PortDive.

Legal basis: Art. 6 (1) lit. b GDPR (contract fulfillment)

No other third parties:

Your data will not be shared with other companies, advertising partners, or authorities (except where legally required, e.g., law enforcement).

9. Data Retention

Data type | Retention period
Account data | Until account deletion by you
Portfolio data | Until deletion by you or account deletion
Server logs (IP, access time) | 7 days, then automatic deletion
Backups | 30 days, then automatic deletion

After alpha phase:

If the alpha phase ends, you will be informed. You will then have 60 days to export your data before it is deleted.

10. Your Rights (Art. 15-22 GDPR)

You have the following rights:

Right of access (Art. 15 GDPR)

You can request a copy of all your stored data.

How: Settings → "Download data" or email to privacy@portdive.com

Right to rectification (Art. 16 GDPR)

You can have incorrect data corrected.

How: Settings → Edit profile

Right to erasure (Art. 17 GDPR)

You can request deletion of your account and all data.

How: Settings → "Delete account"

Deletion occurs within 7 days (immediate deactivation, complete deletion after backup retention expires).

Right to data portability (Art. 20 GDPR)

You can export your data in a machine-readable format (JSON).

How: Settings → "Download data"

Right to object (Art. 21 GDPR)

You can object to processing (leads to account deletion, as processing is required for platform use).

Right to lodge a complaint (Art. 77 GDPR)

You can lodge a complaint with a data protection supervisory authority:

Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Str. 153
53117 Bonn

Phone: +49 (0)228 997799-0
E-Mail: poststelle@bfdi.bund.de
Website: https://www.bfdi.bund.de

Or your competent regional data protection authority.

11. Alpha Phase Specifics

Note on test data:

As the platform is under development, the following situations may occur:

  • Data loss during updates: We strive to preserve data but cannot guarantee it.
  • Functional changes: Features may change or be removed.
  • No SLA (Service Level Agreement): There is no guarantee of availability or performance.

Recommendation:

Do not use critical real data. Use demo portfolios or anonymized sample data.

Data backups:

We recommend regularly exporting your data (Settings → "Download data").

12. Changes to this Privacy Policy

We reserve the right to update this privacy policy (e.g., for new features or legal changes).

Notification:

For significant changes, you will be notified by email (to the email address stored in your account).

Version history:

  • Version 2.0 – February 17, 2026 (Concrete hosting providers, OAuth authentication, security measures)
  • Version 1.0 – January 31, 2026 (Alpha launch)

13. Contact

Privacy questions:
privacy@portdive.com

General questions:
legal@portdive.com

Postal address:

Holger Franzen
Uferstr. 61
50996 Köln
Germany