🔒 Privacy Policy

Last updated: December 2024

1. Introduction

This Privacy Policy describes how DCA Portfolio Calculator – dcaportfol.io ("we", "our", "us", or "the Service") collects, uses, stores, and protects your information when you use our free web application at dcaportfol.io.

Our Commitment: We are committed to transparency and privacy. This policy explains exactly what data we collect, where it's stored, how it's used, and your rights regarding your data.

2. Data Collection and Storage

2.1 Two Storage Modes

Our service offers two distinct storage modes with different privacy implications:

🔹 Local Storage Mode (Default - No Account Required)

  • What is stored: Your portfolio data (positions, asset selections, portfolio groups, calculations) is stored exclusively in your browser's local storage.
  • Where it's stored: On your device only, in your browser's localStorage.
  • Data collected: NONE - We do not collect, transmit, or access any of your data when using local storage mode.
  • Privacy level: Maximum privacy - your data never leaves your device.
  • Data persistence: Data persists until you clear your browser's local storage or use the "Reset All Data" button.

🔹 Cloud Storage Mode (Optional - Requires Account)

If you choose to create an account for cloud storage, the following applies:

  • Account Information Collected:
    • Email address (used as your account identifier)
    • Password (stored as a hashed value using bcrypt - we never see your actual password)
    • Account creation timestamp
    • Last login timestamp
  • Portfolio Data Stored in Cloud:
    • Your portfolio positions (entry prices, margins, leverage, quantities)
    • Asset selections and portfolio groups
    • Portfolio names and configurations
    • Calculation preferences
  • Where it's stored: On our servers in a PostgreSQL database (Vercel Postgres). Your data is stored persistently and securely in a managed database service.
  • Database provider: Vercel Postgres (managed PostgreSQL database service)
  • Purpose: To enable cross-device access to your portfolio data with persistent storage that survives server restarts and deployments
  • Data encryption:
    • Passwords are hashed using bcrypt (industry-standard hashing algorithm)
    • Data transmission uses HTTPS/TLS encryption
    • Database connections use SSL encryption
    • Data at rest is stored in a secure, managed database

2.2 What We DO NOT Collect

  • ❌ Personal identification information (name, address, phone number)
  • ❌ Financial account information
  • ❌ IP addresses (we don't log or store them)
  • ❌ Browser fingerprinting or device identifiers
  • ❌ Usage analytics or tracking data
  • ❌ Cookies for tracking purposes
  • ❌ Location data
  • ❌ Any data you don't explicitly provide

3. How We Use Your Data

3.1 Local Storage Mode

  • Data is used only in your browser to perform calculations and display your portfolio
  • No data is transmitted to our servers
  • No data is shared with third parties

3.2 Cloud Storage Mode

  • Email address: Used to identify your account and send you important service notifications (if any)
  • Password hash: Used to authenticate your login attempts
  • Portfolio data: Stored to enable you to access your portfolios from any device
  • We DO NOT:
    • Use your data for advertising or marketing
    • Share your data with third parties
    • Sell your data to anyone
    • Use your data for analytics or tracking
    • Access your portfolio data except to provide the service

4. Data Storage Locations and Security

4.1 Local Storage

  • Location: Your device's browser localStorage
  • Security: Protected by your browser's security model
  • Access: Only accessible by the website that created it (dcaportfol.io)
  • Backup: You are responsible for backing up your local data if needed

4.2 Cloud Storage

  • Location: PostgreSQL database hosted on Vercel Postgres (managed database service)
  • Database Type: PostgreSQL (industry-standard relational database)
  • Database Provider: Vercel Postgres (managed service with automatic backups and scaling)
  • Data Persistence: Your data is stored persistently in the database and survives server restarts, redeployments, and infrastructure changes
  • Security measures:
    • Passwords are hashed using bcrypt (industry-standard hashing algorithm)
    • Data transmission encrypted via HTTPS/TLS
    • Database connections use SSL/TLS encryption
    • Authentication tokens (JWT) expire after 30 days
    • No plain-text passwords are stored
    • Database access is restricted and secured
    • Data at rest is stored in a secure, managed database environment
  • Data retention: Your data is retained in the database until you delete your account or request data deletion
  • Backup: Vercel Postgres provides automatic backups. We maintain backups for service reliability, and you can export your data anytime
  • Data Structure:
    • User accounts stored in users table
    • Portfolio data stored as JSONB in portfolios table
    • Data is indexed for fast retrieval
    • Foreign key constraints ensure data integrity

5. Third-Party Services

5.1 Services We Use

  • Chart.js (CDN): Used for data visualization. Loaded from cdn.jsdelivr.net. Does not collect personal information.
  • CoinGecko API (Optional): Used only when you click "Fetch Current Prices" to get real-time cryptocurrency prices. We do not send your portfolio data to CoinGecko - only asset symbols are queried.
  • Alpha Vantage API (Optional): Used only when you fetch current prices for stocks. We do not send your portfolio data to Alpha Vantage - only stock symbols are queried.
  • Hosting Provider (Vercel): Our website is hosted on Vercel. They may collect standard server logs (IP addresses, request timestamps) as part of their service. We do not use this data.
  • Database Provider (Vercel Postgres): Our database is hosted on Vercel Postgres, a managed PostgreSQL service. Vercel may collect connection logs and performance metrics as part of their service. We do not use this data for tracking users.
  • Google Tag Manager: We use Google Tag Manager for website analytics. This service may collect anonymized usage data. See Google's privacy policy for details. You can opt out using browser privacy settings.

5.2 Services We DO NOT Use

  • ❌ Google Analytics (we use Google Tag Manager for basic website analytics only)
  • ❌ Advertising networks
  • ❌ Social media tracking pixels
  • ❌ User behavior tracking tools (beyond basic website analytics)
  • ❌ Email marketing services
  • ❌ Data brokers or data selling services

6. Cookies and Local Storage

6.1 Cookies

We do not use cookies for tracking or analytics. If we use any cookies in the future, they will be essential for service functionality only (e.g., session management).

6.2 Browser Local Storage

  • What we store: Your portfolio data, preferences, and (if logged in) authentication tokens
  • Purpose: To persist your data between browser sessions
  • How to clear: Use the "Reset All Data" button or clear your browser's local storage
  • Storage keys used:
    • dca_portfolios - Your portfolio data
    • dca_portfolio_groups - Portfolio group configurations
    • user_token - Authentication token (if logged in)
    • user_email - Your email (if logged in)
    • storage_mode - Current storage mode preference

7. Your Rights and Control

7.1 Local Storage Mode

  • Full control: You can clear all data anytime using the "Reset All Data" button
  • No account needed: Use the service without providing any information
  • Data export: Your data is in your browser - you can access it via browser developer tools

7.2 Cloud Storage Mode

If you have an account, you have the following rights:

  • Right to Access: You can access all your data by logging into your account
  • Right to Deletion: You can delete your account and all associated data by contacting us
  • Right to Data Portability: You can export your portfolio data (contact us for assistance)
  • Right to Correction: You can update your email or portfolio data anytime
  • Right to Withdraw Consent: You can delete your account and switch to local storage mode
  • Right to Object: You can stop using cloud storage and use local storage instead

7.3 How to Exercise Your Rights

  • Delete Account: Contact us at tooslforbusiness333@gmail.com with "Delete Account" in the subject line
  • Export Data: Contact us to request a copy of your data
  • Update Information: Log into your account and update your information directly
  • Switch to Local Storage: Simply log out - your data will be cleared from the cloud session

8. Data Sharing and Disclosure

We do not share, sell, or disclose your data to third parties, except:

  • When required by law or legal process
  • To protect our rights or prevent fraud
  • With your explicit consent

We will never:

  • ❌ Sell your data
  • ❌ Share your data for marketing purposes
  • ❌ Use your data for advertising
  • ❌ Share your data with data brokers

9. Data Retention

9.1 Local Storage

Data persists until you clear it or clear your browser's storage. We have no control over or access to this data.

9.2 Cloud Storage

  • Active accounts: Data is retained in the PostgreSQL database as long as your account is active
  • Deleted accounts: Data is deleted from the database within 30 days of account deletion request
  • Inactive accounts: We may delete accounts that have been inactive for more than 2 years
  • Database backups: Vercel Postgres maintains automatic backups. Deleted data may exist in backups for up to 7 days before being permanently removed
  • Data persistence: Unlike temporary file storage, database storage ensures your data persists across all server restarts, redeployments, and infrastructure changes

10. Security Measures

  • Password Security: Passwords are hashed using bcrypt with salt
  • Encryption: All data transmission uses HTTPS/TLS encryption
  • Database Security: PostgreSQL database with SSL/TLS encrypted connections
  • Database Access: Restricted database access with connection pooling and secure credentials
  • Authentication: JWT tokens with expiration (30 days)
  • No Plain-Text Storage: Passwords are never stored in plain text
  • Secure Headers: We implement security headers to protect against common attacks
  • Managed Database: Vercel Postgres provides enterprise-grade security, automatic updates, and monitoring
  • Data Integrity: Database constraints and foreign keys ensure data consistency and prevent corruption

Note: While we implement security best practices, no system is 100% secure. Use strong, unique passwords.

11. Children's Privacy

Our service is accessible to users of all ages. We do not knowingly collect personal information from children under 13 (or the applicable age in your jurisdiction). If you are a parent or guardian and believe your child has provided us with personal information, please contact us to have it removed.

12. International Data Transfers

Our servers may be located in different countries. By using our service, you consent to the transfer of your data to these locations. We ensure appropriate safeguards are in place to protect your data.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will:

  • Update the "Last updated" date at the top of this page
  • Notify users of significant changes via email (if you have an account)
  • Post a notice on our website for major changes

Your continued use of the service after changes constitutes acceptance of the updated policy.

14. GDPR Compliance (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent

To exercise these rights, contact us at tooslforbusiness333@gmail.com.

15. California Privacy Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information is collected
  • Know if your personal information is sold or disclosed
  • Opt out of the sale of personal information (we don't sell data)
  • Access your personal information
  • Request deletion of your personal information
  • Not be discriminated against for exercising your privacy rights

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data, please contact us:

  • Email: tooslforbusiness333@gmail.com
  • Subject Line: Please include "Privacy Policy" or "Data Request" in your subject line
  • Response Time: We aim to respond within 7 business days

17. Transparency Summary

Quick Reference

  • Local Storage: 100% private, no data collection
  • Cloud Storage: Only email and portfolio data, stored in PostgreSQL database, encrypted and secure
  • Persistent Storage: Your data survives redeployments and server restarts
  • Database Security: PostgreSQL with SSL encryption and managed security
  • No Tracking: We don't track you or use analytics (except Google Tag Manager for website analytics)
  • No Advertising: We don't show ads or sell data
  • Your Control: Delete your data anytime
  • Data Export: You can export your data from the database