Privacy Policy

The data controller responsible for your personal data is:

ACCE Investments
Email: privacy@acceinvestments.com
Website: acceinvestments.com

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use the ACCE Investments platform (the "Service"), in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws.

2.1 Data you provide directly

Account information: email address, full name, and password (hashed) when you register. Payment information: billing details processed by Stripe; we do not store credit card numbers on our servers. Profile preferences: alert preferences, followed indices and stocks, and display settings. Portfolio data: stock transactions you manually enter, including ticker, date, shares, price, and optional notes. Contact communications: any messages you send to us via email.

2.2 Data collected automatically

Usage data: pages visited, features used, timestamps, and interaction patterns. Device and technical data: IP address, browser type and version, operating system, screen resolution, and referring URL. Authentication data: session tokens and authentication state managed by Supabase.

2.3 Data we do not collect

We do not collect special categories of personal data (such as racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data). We do not collect data from your brokerage accounts or financial institutions. We do not collect data from minors; the Service is restricted to users aged 18 and over.

We process your personal data under the following legal bases as defined in Article 6 of the GDPR:

Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, manage your account, process payments, deliver subscription content, and maintain the portfolio tracker.

Legitimate interests (Art. 6(1)(f)): Processing for platform security, fraud prevention, service improvement, analytics to understand usage patterns, and communication about Service updates. Our legitimate interest is balanced against your rights and does not override your fundamental rights and freedoms.

Consent (Art. 6(1)(a)): Where required, such as for marketing emails, optional cookies, and non-essential analytics. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Legal obligation (Art. 6(1)(c)): Processing necessary to comply with applicable tax, accounting, and legal requirements.

We use your personal data to: provide, operate, and maintain the Service and your account; process subscription payments and manage billing; deliver personalised content based on your followed indices and stocks; send transactional emails (account confirmations, password resets, payment receipts); send alert and digest emails based on your configured preferences; compute and display portfolio analytics based on data you provide; improve the Service through aggregate usage analytics; detect and prevent fraud, abuse, and security incidents; and comply with legal obligations.

We do not sell, rent, or trade your personal data to any third party. We share data only with the following categories of processors, each bound by data processing agreements:

Supabase (infrastructure & authentication): Hosts our database and manages authentication. Supabase processes account data and usage data on servers located in the EU (AWS eu-central-1, Frankfurt). Privacy policy: supabase.com/privacy.

Vercel (hosting): Hosts and serves the ACCE platform. Processes IP addresses and request data. Edge functions may process requests in multiple regions. Privacy policy: vercel.com/legal/privacy-policy.

Stripe (payments): Processes subscription payments and stores payment method information. Stripe is a certified member of the EU-US Data Privacy Framework. Privacy policy: stripe.com/privacy.

Anthropic (AI processing): Powers AI-generated content such as stock analysis, alerts, and picks. We send aggregated market data and stock information to the Anthropic API; we do not send your personal data, email, or portfolio information to Anthropic for content generation. Privacy policy: anthropic.com/privacy.

Resend (email delivery): Delivers transactional and alert emails on our behalf. Processes your email address. Privacy policy: resend.com/legal/privacy-policy.

We may also disclose your data if required by law, court order, or governmental authority, or if necessary to protect our rights, safety, or property.

Some of our processors operate outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including: EU-US Data Privacy Framework adequacy (for certified US processors such as Stripe); Standard Contractual Clauses (SCCs) approved by the European Commission; or adequacy decisions of the European Commission.

You may request information about the specific safeguards applied to international transfers by contacting privacy@acceinvestments.com.

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

Account data is retained for as long as your account is active and for 30 days after deletion to allow recovery. Payment records are retained for 7 years as required by tax and accounting regulations. Portfolio data is retained for as long as your account is active and is deleted upon account deletion. Usage analytics are anonymised after 26 months. Email logs are retained for 12 months. Alerts and notification history is retained for 12 months.

When data is no longer needed, it is securely deleted or anonymised so that it can no longer be associated with you.

As a data subject under the GDPR, you have the following rights:

Right of access (Art. 15): You may request a copy of the personal data we hold about you.

Right to rectification (Art. 16): You may request correction of inaccurate or incomplete personal data.

Right to erasure (Art. 17): You may request deletion of your personal data where there is no compelling reason for its continued processing.

Right to restriction (Art. 18): You may request restriction of processing in certain circumstances.

Right to data portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.

Right to object (Art. 21): You may object to processing based on legitimate interests, including profiling. You may object to direct marketing at any time.

Right to withdraw consent (Art. 7): Where processing is based on consent, you may withdraw it at any time.

Right to lodge a complaint: You have the right to lodge a complaint with your national data protection authority. In Spain, this is the Agencia Espanola de Proteccion de Datos (AEPD) at aepd.es.

To exercise any of these rights, contact us at privacy@acceinvestments.com. We will respond within 30 days. No fee is required unless requests are manifestly unfounded or excessive.

We use cookies and similar technologies to operate the Service. For full details, see our Cookie Policy.

Essential cookies (authentication, session management, security) are used under legitimate interest and contractual necessity. Non-essential cookies (analytics, marketing) are only placed with your explicit consent.

We implement appropriate technical and organisational measures to protect your personal data, including: encryption of data in transit (TLS/HTTPS) and at rest; secure password hashing; Row Level Security (RLS) policies in our database ensuring users can only access their own data; access controls limiting admin access to authorised personnel; regular review of security practices; and use of established, security-audited infrastructure providers.

While we take reasonable measures to protect your data, no method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay, as required by Articles 33 and 34 of the GDPR.

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a child under 18, we will delete it promptly. If you believe a minor has provided us with personal data, please contact us at privacy@acceinvestments.com.

Our scoring engine computes stock scores based on quantitative financial metrics using automated processing. These scores are applied to stocks (not to users) and do not constitute automated decision-making that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 of the GDPR.

AI-generated content (alerts, picks, analysis) is created by automated systems but is directed at general audiences, not at individual users based on their personal data.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or a prominent notice on the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates the most recent revision.

For any questions, requests, or concerns regarding this Privacy Policy or our data processing practices, contact:

ACCE Investments, Data Protection
Email: privacy@acceinvestments.com
General inquiries: contact@acceinvestments.com
Website: acceinvestments.com