Privacy Policy
Last updated: April 2026
Valence is a personal portfolio tracking application. This policy explains what data we collect, why we collect it, and what rights you have over it. We collect only what is necessary to operate the service and never sell your data to third parties.
Data We Collect
- Account data: your email address and an Argon2-hashed password (or an OAuth provider token if you sign in via Google or GitHub). We never store your password in plain text.
- Billing data: if you subscribe to a paid plan, a Stripe customer ID and subscription status. Card details are entered directly with Stripe and never reach our servers.
- Portfolio data: transactions, broker names, TER values, and cash flows that you enter manually or import via CSV.
- Session tokens: short-lived access tokens and longer-lived refresh tokens stored in HttpOnly cookies. These expire automatically and are pruned from the database when they do.
- IP addresses: used transiently by the rate-limiter to prevent brute-force attacks. Not stored persistently in the database.
- Audit log: timestamps and actions for sensitive operations (e.g. account deletion, password change) for security purposes.
What We Do Not Collect
- Analytics or behavioural tracking cookies
- Device fingerprints or advertising identifiers
- Financial account credentials or broker login details
How We Use Your Data
- To authenticate you and maintain your session
- To display and calculate your portfolio analytics
- To send transactional emails (email verification, password reset) via Resend, only when you initiate these actions
- To process subscription payments via Stripe, if you sign up for a paid plan
- To enforce rate limits and protect against abuse
Third-Party Services
Valence uses the following sub-processors. None of them receive your portfolio data (transactions, brokers, TER values, or cash flows).
- Yahoo Finance (yfinance): live and historical market prices are fetched using ticker symbols only. No account data is sent.
- Resend: transactional email delivery. Your email address is transmitted to Resend only when sending a verification or password-reset email. Resend Privacy Policy.
- Stripe: payment processing for paid subscriptions. If you subscribe, your email address and payment details are handled by Stripe; card data is entered on Stripe's hosted checkout and never reaches our servers. We store only a Stripe customer ID and your subscription status. Stripe Privacy Policy.
- Sentry (optional): if configured, application errors are reported without request bodies or personally identifiable information (send_default_pii=False, max_request_body_size="never"). Sentry Privacy Policy.
- Hosting provider: the server and database are hosted on a VPS. The provider has access to the physical host but not to application-level data.
Cookies
Valence sets two session cookies, both HttpOnly and SameSite=Strict:
- access_token — short-lived session token (default: 30 minutes)
- refresh_token — longer-lived token used to renew the session without re-login (default: 7 days, path restricted to /auth/refresh)
If you sign in with Google or GitHub, a short-lived oauth_state cookie (10 minutes, SameSite=Lax) is set during the sign-in redirect to prevent CSRF, and is cleared once sign-in completes. No tracking, analytics, or advertising cookies are set.
Data Retention
Your data is retained for as long as your account exists. Expired session tokens are automatically pruned from the database. When you delete your account, all associated data (transactions, brokers, TER values, session tokens, and your email address) is removed immediately from the live database and cannot be recovered. Copies that remain in routine database backups are rotated out within 30 days.
Legal Basis for Processing
We process your personal data on the following legal bases (GDPR Art. 6):
- Contract (Art. 6(1)(b)): processing your email address and portfolio data is necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)): rate-limit logging and audit logging are necessary to protect the security and integrity of the Service.
- Legal obligation (Art. 6(1)(c)): we may retain certain records where required by applicable law.
We do not rely on consent as a legal basis because we do not send marketing emails or use tracking technologies that require it.
Your Rights (GDPR)
If you are located in the European Economic Area, you have the right to:
- Access and portability: download all your transactions as CSV via Account Settings → Download transactions.csv (or GET /auth/me/export). Other personal data we hold (brokers, TER values, watchlists, and account details) is available on request via the contact address below.
- Erasure: delete your account and all associated data via Account Settings → Delete Account (or DELETE /auth/me).
- Rectification: edit or delete individual transactions at any time within the app.
- Objection / restriction: contact us at the address below to request restriction of processing.
- Complaint: you have the right to lodge a complaint with your national data protection authority (e.g. the Dutch Autoriteit Persoonsgegevens at autoriteitpersoonsgegevens.nl, or the authority in your country of residence).
Data Transfers
Your data is stored on a server in the EU. If a sub-processor (e.g. Resend, Sentry) transfers data outside the EEA, it does so under Standard Contractual Clauses or an equivalent adequacy mechanism as described in their respective privacy policies.
Security
Passwords are hashed with Argon2 before storage. All communication is encrypted via HTTPS/TLS. Auth cookies are HttpOnly (not accessible to JavaScript), SameSite=Strict (CSRF protection), and Secure (HTTPS only). A Content-Security-Policy header is enforced on every response.
Children's Data
Valence is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.
Contact
For privacy-related requests or questions, email [email protected]. We will respond within 30 days.
Changes to This Policy
If we make material changes, we will update the "Last updated" date above. Continued use of the service after changes constitutes acceptance of the updated policy.