Privacy Policy

Last updated: April 7, 2026 · Effective: April 7, 2026

Portfolio Analytics ("we," "us," or "our") is operated by Petru Ceciltan, based in Israel. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our web application at portfolio.ceciltan.com.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

Name and email address (provided directly or via Google OAuth)
Password (stored as a bcrypt hash — we never store plain-text passwords)

1.2 Portfolio Data

You provide the following data when using the service:

Investment transactions (buy, sell, dividend entries)
Portfolio names and configurations
Cash flow entries (deposits, withdrawals)
Investment capital entries

1.3 Authentication Data

Two-Factor Authentication (TOTP) — encrypted secret key for authenticator apps
Trusted Device tokens — hashed tokens stored for 30 days to skip 2FA on recognized devices
Session identifiers — for single-device session enforcement
WebAuthn/Passkey credentials — public keys for biometric authentication

1.4 Technical Data

We automatically collect:

IP address and approximate location
Browser type, device type, operating system
Pages visited and interaction patterns (via Google Analytics)
Referring URL

2. How We Use Your Information

Purpose	Legal Basis (GDPR)
Providing the portfolio tracking service	Contractual necessity
Account creation and authentication	Contractual necessity
Sending verification and password reset emails	Contractual necessity
Two-factor authentication and security	Legitimate interest (security)
Analytics and service improvement	Consent (via cookie banner)
Preventing fraud and abuse	Legitimate interest

3. Third-Party Services

We use the following third-party services:

Service	Purpose	Data Shared
Google Analytics (GA4)	Usage analytics	IP address, page views, device info
Google Tag Manager	Tag management	Page interactions
Google OAuth	Social sign-in	Email, name (from Google)
Gmail SMTP	Transactional emails	Recipient email, email content
Neon (PostgreSQL)	Database hosting	All user data (encrypted at rest)
Hostinger	Application hosting	Server logs, request data
Yahoo Finance API	Stock price data	Stock symbols (no user data)

We do not sell, rent, or share your personal data with any third parties for marketing purposes.

4. Data Retention

Data Type	Retention Period
Account data	Until account deletion + 7-day grace period
Portfolio & transaction data	Until account deletion
Authentication tokens	24 hours (JWT), 30 days (trusted devices)
Email audit logs	30 days (auto-deleted)
Analytics data	14 months (Google Analytics default)
Server logs	30 days

When you delete your account, all associated data is permanently removed after a 7-day grace period. During this period, you can cancel the deletion by logging back in.

5. Data Security

We implement the following security measures:

Encryption in transit — all data transmitted via HTTPS/TLS
Encryption at rest — database encrypted via Neon's infrastructure
Password hashing — bcrypt with salt rounds
Two-factor authentication — TOTP-based, mandatory after first login
Single-device sessions — only one active session per account
Rate limiting — protection against brute-force attacks
Content Security Policy — Helmet.js CSP headers
Parameterized queries — protection against SQL injection
XSS prevention — HTML escaping on all user-generated content

6. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

Right to Access — request a copy of your personal data
Right to Rectification — correct inaccurate personal data
Right to Erasure — request deletion of your data ("right to be forgotten")
Right to Data Portability — receive your data in a machine-readable format (CSV export)
Right to Restrict Processing — limit how we use your data
Right to Object — opt out of analytics tracking
Right to Withdraw Consent — withdraw consent for analytics at any time

To exercise any of these rights, contact us at the email below. We will respond within 30 days.

7. Cookies & Tracking

We use the following cookies and local storage:

Authentication token (localStorage) — keeps you logged in
Device trust token (localStorage) — remembers trusted devices for 30 days
UI preferences (localStorage) — card collapse states, column visibility
Google Analytics cookies — _ga, _ga_* for usage analytics

8. International Data Transfers

Your data may be processed in:

EU (Frankfurt) — Neon PostgreSQL database
EU/US — Hostinger application servers
US — Google Analytics, Google OAuth

Where data is transferred outside the EEA, we rely on adequacy decisions, Standard Contractual Clauses, or the service provider's compliance frameworks.

9. Children's Privacy

Portfolio Analytics is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 16, we will delete it promptly.

10. Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

Notify the relevant supervisory authority within 72 hours
Notify affected users without undue delay if the breach is high-risk
Document the breach, its effects, and remedial actions taken

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the new policy on this page and updating the "Last updated" date. Continued use of the service after changes constitutes acceptance of the revised policy.

12. Contact Us

For privacy-related inquiries, data requests, or to exercise your rights:

Data Controller: Petru Ceciltan
Email: admin@ceciltan.com
Website: ceciltan.com

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence.