Skip to main content
FORTFOLIO

Privacy Policy

Last updated: 2026-06-01

Fortfolio is operated as an educational portfolio-analysis tool serving users in both the United States and India. This policy describes what personal information we collect, how we use it, the choices you have, and our compliance posture under the EU GDPR, the California Consumer Privacy Act (CCPA), and the Indian Information Technology Act 2000 along with the Digital Personal Data Protection Act 2023 (DPDP Act).

1. Information we collect

Fortfolio is designed to work without an account. The default stress-test, backtest and simulation tools do not require login, do not write any personal data to our servers, and do not set any tracking cookies. The holdings you enter live entirely in the URL of the page you are on. When you copy a share link, the holdings are encoded into the URL itself; no server-side write occurs unless you click the explicit “Copy link” action that creates a short share ID.

When you create a free account (optional), we collect: your email address, your display name and avatar URL as returned by Google OAuth, and the timestamp of account creation. We do not collect or store passwords — authentication is delegated to your identity provider (Google) and managed by NextAuth.

When you use a logged-in feature (saved portfolios, saved tests, alerts), we store the inputs you explicitly save. When you submit a bug report or feedback message, we store the message text, your email if you provide it, and the page URL you were on. We log standard server access metadata (IP address, user-agent, request path, timestamp) for 30 days for abuse mitigation, then purge.

2. How we use information

We use the data we collect to:

  • operate the service (run your stress tests, save the portfolios you save);
  • authenticate you when you return (Google OAuth session token);
  • respond to your support emails;
  • send alerts you have opted into (email-only; no SMS, no push);
  • aggregate anonymous usage statistics (e.g. “how many users ran a stress test today”) to understand product health;
  • fulfil our legal obligations under US, EU, UK and Indian law.

We do not sell your personal information. We do not share it with third parties for their own marketing. We do not run third-party advertising networks on the site. We do not load Google Analytics, Meta Pixel, TikTok Pixel, or any equivalent tracker.

3. Cookies and similar technologies

We set a small number of strictly-necessary cookies for session management (NextAuth session token, CSRF token) and currency preference. We do not set third-party advertising or analytics cookies. Full details are on the Cookie Policy page.

4. Third-party services we use

Our infrastructure is provided by DigitalOcean (US-region droplet). Email delivery (account verification, alerts) is handled by Resend. Identity authentication is delegated to Google OAuth. Ticker price data is sourced from yfinance (Yahoo Finance) and EODHD; we query these services from our servers, never from your browser, so they do not see your IP address. We do not use Cloudflare, Vercel Analytics or equivalent client-side instrumentation. Paid-tier billing, when active, is handled by Lemon Squeezy as the merchant of record.

5. Where we store your data

Primary storage is a managed PostgreSQL database hosted on DigitalOcean in the United States. Backups are encrypted at rest. Transit is encrypted with TLS 1.2 or higher. We do not transfer personal data to jurisdictions other than the United States and India without contractual safeguards.

6. Data retention

Account data is retained as long as your account is active. Saved portfolios, tests and alerts are retained as long as the account that owns them is active. Anonymous shared-link records (the short /c/abc123 URLs) are retained indefinitely so that links you have shared with others continue to work; they contain no personal identifier. Bug reports and support email are retained for 24 months. Server access logs are purged after 30 days.

If you delete your account, we delete the account record, your saved portfolios, your saved tests and your alerts within 30 days. Anonymous shared-link records you created are not deleted automatically — they were not associated with your account in the first place — but you can request deletion of specific share IDs by emailing us with the URLs.

7. Your rights

Subject to applicable law, you have the right to access, correct or delete the personal data we hold about you, to object to processing, to request that we restrict processing, to data portability, and to withdraw consent. EU and UK residents may complain to their local supervisory authority. Indian residents may approach the Data Protection Board of India under the DPDP Act 2023. Californian residents may request the categories of personal information collected and exercise the “Do Not Sell or Share” right under CCPA / CPRA — though as noted above, we do not sell or share personal information.

To exercise any of these rights, email privacy@fortfolio.app from the address associated with your account. We respond within 30 days.

8. Children

Fortfolio is not directed at children under 18 and we do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal information, email us and we will delete it.

9. Security

For a full description of our security posture — encryption, access control, dependency hygiene — see the Security page. No system is perfectly secure; if you believe you have found a vulnerability, please email security@fortfolio.app and we will respond within 72 hours.

10. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top of the page reflects the most recent change. Material changes will be announced via the email associated with your account if you have one, and noted on the home page for at least 14 days.

11. Contact

Questions about this policy: privacy@fortfolio.app. General contact: see the Contact page. Related: our Terms of Service and Cookie Policy.