Privacy Policy

1. Who We Are

Simple Investor is operated by CleanWhale Sp. z o.o., a limited liability company registered in Poland:

• Registered address: ul. Złota 59, 00-120 Warszawa, Poland
• Email: privacy@simpleinvestorapp.com

We are the data controller for personal data processed through the Simple Investor iOS application and this website (collectively, the "Service").

2. What Data We Collect

2.1 Account Data

When you create an account, we collect:

• Email address
• Password (stored as a bcrypt hash — we never store your plaintext password)
• Display name (optional)

2.2 Portfolio Data

To provide the core service, we store the portfolio data you enter:

• Asset tickers and names (e.g., BTC, ETH)
• Quantity of each asset you hold
• Purchase price and date
• Alerts and notification preferences you configure

We do not connect to your brokerage or exchange accounts. All portfolio data is entered manually by you.

2.3 Usage Data

We automatically collect limited technical data when you use the app:

• App version and iOS version
• Device model (e.g., "iPhone 15") — not your device identifier
• Crash reports and performance diagnostics (via Apple's built-in tools)
• Feature usage events (e.g., "opened Simulator screen") to improve the product
• Session timestamps and general geographic region (country level)

We do not use persistent device identifiers (IDFA). We do not build advertising profiles.

2.4 Push Notification Tokens

If you enable push notifications, Apple provides us with an APNs device token. This token is used solely to deliver alerts you have configured. It is not shared with third parties for marketing.

2.5 Support Communications

If you contact us by email, we retain the content of the correspondence to resolve your inquiry.

3. Legal Basis for Processing (GDPR)

We process your data under the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR): Account data and portfolio data are processed to provide the Service you signed up for.
• Legitimate interests (Art. 6(1)(f) GDPR): Usage analytics to improve the app, fraud prevention, and security.
• Consent (Art. 6(1)(a) GDPR): Push notifications — you may withdraw consent at any time in your device settings.
• Legal obligation (Art. 6(1)(c) GDPR): Where we must retain data to comply with Polish or EU law.

4. How We Use Your Data

• Authenticate you and maintain your account
• Display your portfolio with real-time market prices
• Generate AI-powered insights and alerts based on your holdings
• Send push notifications for price alerts you have set up
• Diagnose bugs and improve app performance
• Respond to support requests
• Comply with applicable law

We do not use your data for targeted advertising. We do not sell your data to third parties.

5. Third-Party Services

We use the following sub-processors to operate the Service:

• Apple Inc. — App Store distribution, push notifications (APNs), TestFlight. Apple's privacy policy: apple.com/legal/privacy
• Market data providers — We fetch real-time cryptocurrency and stock prices from third-party APIs. These requests are made server-side; your portfolio holdings are not transmitted to price providers.
• Cloud infrastructure provider — Our backend and database run on servers located in the European Union (Frankfurt, Germany). All data is encrypted at rest and in transit.
• AI inference provider — For generating market insights, anonymized market data (not your personal portfolio) is sent to an AI service. We do not send your account email or personally identifiable information to AI providers.

6. Data Retention

• Active account data: Retained for as long as your account is active.
• Deleted account: Upon account deletion, all personal data is permanently erased within 30 days. Aggregated, anonymized analytics data (containing no personal identifiers) may be retained longer for product improvement.
• Support emails: Retained for 2 years after the ticket is closed.
• Crash logs: Retained for 90 days.
• Legal obligations: Financial records required by Polish accounting law are kept for 5 years.

7. Your Rights Under GDPR

As a data subject you have the following rights:

• Right of access (Art. 15): Request a copy of the personal data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate data directly in the app (Profile → Edit) or by contacting us.
• Right to erasure (Art. 17): Delete your account and all associated data. See our Account Deletion page.
• Right to restriction (Art. 18): Request that we limit processing of your data while a dispute is resolved.
• Right to data portability (Art. 20): Request your data in a machine-readable format.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Disable push notifications in iOS Settings → Notifications → Simple Investor at any time.

To exercise any of these rights, contact us at privacy@simpleinvestorapp.com. We will respond within 30 days. You also have the right to lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warszawa, uodo.gov.pl.

8. Data Security

We implement appropriate technical and organizational measures to protect your data:

• All data transmitted between the app and our servers is encrypted using TLS 1.2+
• Data at rest is encrypted using AES-256
• Passwords are hashed using bcrypt with a work factor of 12
• Access to production systems is restricted to authorized personnel and requires multi-factor authentication
• Regular security audits and penetration testing

9. Children's Privacy

The Service is not directed at children under 13 (or 16 in the EU/EEA where applicable). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, please contact us immediately at privacy@simpleinvestorapp.com and we will delete it promptly.

10. International Transfers

Your data is stored on servers located in the European Union and is not transferred outside the EEA, except where sub-processors operate globally (e.g., Apple). Any such transfers are governed by Standard Contractual Clauses (SCCs) as approved by the European Commission.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you via a push notification or email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent version. Your continued use of the Service after changes take effect constitutes your acceptance of the updated policy.

12. Contact

For any privacy-related questions or to exercise your rights: