Privacy Policy

Last updated: 21 June 2026

This Privacy Policy explains how InvestIQ collects, uses and protects your personal data when you use getinvestiq.com and the InvestIQ application (the "Service"), in accordance with the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (Loi Informatique et Libertés). The data controller is legal entity name and form — e.g. InvestIQ SAS, registered office address (registration number).

1. Who we are (data controller)

The controller responsible for your personal data is legal entity name, registered office address. For any privacy request you can contact us at contact@getinvestiq.com or via our Contact page. If you have appointed a Data Protection Officer (DPO), add their contact here; otherwise state that no DPO has been appointed.

2. The data we collect

Account data: your email address and authentication credentials (passwords are hashed by our auth provider; we never see them in clear text). If you sign in with Google or Apple, we receive basic profile identifiers from that provider.

Profile and onboarding data: this may include your display name, avatar, interests, and — if you choose to provide it — age, profession, income range, estimated assets, family situation, investment horizon, risk tolerance, preferred sectors, investment goals and broker. Some of this is sensitive financial information; you provide it voluntarily to personalise the Service.

Financial and usage data: portfolios, positions, cash flows, watchlists, alerts, analyses and audits you run (including portfolio files you upload), assistant conversations and messages, saved preferences and persistent assistant "memory".

Billing data: plan, subscription status and a payment-provider customer identifier. Card payments are handled directly by Stripe; we do not store full card numbers.

Communications: messages you send via the contact form and our email correspondence with you.

Technical data: IP address, device/browser information, log and diagnostic data, and limited analytics about how you use the Service.

3. Why we use your data and our legal bases

Performance of a contract (Art. 6(1)(b) GDPR): to create and run your account, provide the analyses and features you request, process subscriptions and payments, and provide support.

Legitimate interests (Art. 6(1)(f)): to secure the Service, prevent fraud and abuse, debug, measure and improve the product, and communicate service-related information. You may object to processing based on legitimate interests (see "Your rights").

Consent (Art. 6(1)(a)): for optional marketing emails and for non-essential cookies/analytics. You can withdraw consent at any time without affecting prior processing.

Legal obligation (Art. 6(1)(c)): to comply with accounting, tax and other legal requirements.

Where you provide sensitive financial details in your investor profile, we rely on your explicit consent and process them only to personalise the Service.

4. AI processing and automated decisions

To generate narratives, comparisons and assistant replies, relevant inputs (such as a ticker, your question, or portfolio context) are sent to third-party AI providers (Anthropic and OpenAI) acting as our processors. We instruct providers not to train their models on your data through our integrations, to the extent offered by their terms.

The scores and signals are automated but are general, informational outputs. The Service does not make decisions that produce legal or similarly significant effects about you within the meaning of Article 22 GDPR; you remain free to act or not on any output.

5. Cookies and analytics

We use strictly necessary cookies/local storage to keep you signed in and remember preferences (such as language). With your consent, we use privacy-friendly analytics (PostHog and Plausible) to understand aggregate usage and improve the Service.

You can manage non-essential cookies through the cookie banner/settings and your browser. If you operate a cookie-consent banner, describe it and link your cookie settings here.

6. Who we share your data with

We do not sell your personal data. We share it only with service providers ("processors") who process it on our behalf under contract, and where required by law. Our main subprocessors are:

  • Supabase — database, authentication and backend hosting;
  • Vercel — website hosting and content delivery;
  • Stripe — payment processing and subscription management;
  • Anthropic and OpenAI — AI/LLM processing for narratives and the assistant;
  • Financial Modeling Prep — market data (provided with limited or no personal data);
  • Upstash — caching (market data; not used to store profile data);
  • Resend — transactional and notification emails;
  • PostHog and Plausible — product analytics;
  • Google and Apple — only if you choose social sign-in.

We may also disclose data to comply with the law, enforce our Terms, or in connection with a merger, acquisition or reorganisation (subject to this Policy).

7. International transfers

Some providers are located outside the EU/EEA (in particular in the United States). Where data is transferred outside the EU/EEA, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses and, where applicable, the EU–U.S. Data Privacy Framework. You can request more information using the contact details above.

8. How long we keep your data

We keep your personal data for as long as your account is active and as needed to provide the Service. After account closure we delete or anonymise your data within a reasonable period, except where we must retain certain records to meet legal obligations (for example, billing and accounting records, typically retained for the legally required period) or to establish, exercise or defend legal claims. Aggregated or anonymised data that no longer identifies you may be kept.

9. Your rights

Under the GDPR you have the right to access, rectify, erase, restrict and object to the processing of your personal data, the right to data portability, and the right to withdraw consent at any time. You also have the right to define directives concerning the fate of your data after your death.

To exercise your rights, contact us at contact@getinvestiq.com. We may need to verify your identity. We respond within the timeframes set by the GDPR (generally one month).

If you believe your rights are not respected, you may lodge a complaint with your supervisory authority — in France, the CNIL (cnil.fr).

10. Security

We implement appropriate technical and organisational measures to protect your data, including encryption in transit, row-level access controls so each user can only access their own data, least-privilege backend access, and restricted administrative access. No method of transmission or storage is completely secure; we cannot guarantee absolute security, but we work to protect your data and to notify you and the authorities of any breach as required by law.

11. Children

The Service is not intended for, and may not be used by, anyone under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.

12. Changes to this Policy

We may update this Privacy Policy from time to time. We will post the new version here with an updated date and, for material changes, take reasonable steps to notify you. Continued use after the effective date constitutes acknowledgement of the updated Policy.

13. Contact

For any question about this Policy or your data: contact@getinvestiq.com or via our Contact page.

We use cookies

We use essential cookies to run the site and optional ones to improve it. You can change this anytime.