Last updated: 18 February 2026

This Privacy Policy explains how folio ("we", "us", "our") collects, uses, and protects your personal information when you use our Service. We are committed to handling your data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information We Collect

Information you provide

• Account information: Your first name, last name, and email address when you register
• Portfolio data: Transaction records, holding quantities, and investment notes you enter into the Service
• Communications: Any messages you send us via the contact form
• API keys: If you choose to add a third-party API key (e.g. EODHD), this is stored encrypted in our database

Information collected automatically

• Usage data: Pages viewed and timestamps, used for analytics
• Technical data: IP address at time of login (for security purposes)
• Cookies: Session cookies and preference cookies — see our Cookie Policy

2. How We Use Your Information

We use your information to:

• Provide, operate, and improve the Service
• Authenticate you and keep your account secure
• Calculate and display portfolio valuations and analytics
• Communicate with you about your account or in response to contact form submissions
• Detect and prevent fraudulent or abusive activity
• Comply with legal obligations

We do not sell, rent, or share your personal information with third parties for marketing purposes.

3. Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

• Contract performance: Processing necessary to provide the Service you have registered for
• Legitimate interests: Security monitoring, analytics, and service improvement
• Legal obligation: Where we are required by law to retain or process data

4. Third-Party Services

The Service integrates with the following third-party services:

• EODHD API: Used to fetch dividend data. If you provide your own API key, it is stored encrypted. No personal data is shared with EODHD beyond the API requests made.
• Financial Modelling Prep (FMP): Used to search for and retrieve asset price data. Requests include asset ticker symbols only.

5. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we will erase your personal information within 30 days, except where retention is required by law or for legitimate business purposes (e.g. fraud prevention). Aggregated, anonymised usage statistics may be retained indefinitely.

6. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of sensitive data at rest (API keys) and in transit (TLS/HTTPS)
• Hashed passwords using a secure one-way algorithm (bcrypt)
• Access controls limiting data access to authorised personnel only
• Regular security updates and patching

7. Your Rights

Under UK GDPR, you have the right to:

• Access: Request a copy of the personal data we hold about you
• Rectification: Request correction of inaccurate data
• Erasure: Request deletion of your data ("right to be forgotten")
• Portability: Receive your data in a structured, machine-readable format
• Restriction: Request that we restrict processing of your data
• Objection: Object to processing based on legitimate interests

To exercise any of these rights, please contact us. We will respond within 30 days.

8. Cookies

We use cookies to maintain your session and remember preferences. For full details, please see our Cookie Policy.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by posting a notice within the Service. The "last updated" date at the top of this page will reflect any revisions.

10. Contact & Complaints

For privacy-related queries, please contact us. If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.