Privacy Policy

Last updated: February 8, 2026

1. Data Controller

The data controller responsible for processing your personal data is:

  • Company: Arfin
  • Email: contact@arfin.app
  • Website: https://arfin.app

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Account Data

When you create an account, we collect your email address, name (if provided), and authentication credentials. If you sign in via Google or Apple, we receive your name and email from those providers.

2.2 Financial Data

To provide portfolio tracking services, we store information you enter about your investment accounts, holdings (securities, ETFs, crypto), transactions (buys, sells, dividends, deposits, withdrawals), and related financial data. This data is provided voluntarily by you and is not shared with third parties.

2.3 Usage Data

We may collect basic usage information such as pages visited, features used, and error logs to improve the service. We do not use third-party analytics or tracking tools at this time.

2.4 Bank Connection Data

If you connect a bank account via our integration partner (FinAPI), we access your account balances, transactions, and securities in read-only mode. We do not store your bank credentials. Bank connections are handled securely by FinAPI GmbH under PSD2 regulations.

3. Legal Basis for Processing

We process your data under the following legal bases as defined in the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on Protection of Personal Data (LOPDGDD):

  • Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the services you signed up for.
  • Legitimate interest (Art. 6(1)(f) GDPR): Improving our service, preventing fraud, and ensuring security.
  • Consent (Art. 6(1)(a) GDPR): Where applicable, such as for optional communications.

4. Data Storage & Security

Your data is stored on servers provided by Supabase (backed by AWS) within the European Union. All data is encrypted in transit (TLS) and at rest. Access to your financial data is protected by Row-Level Security (RLS) policies, ensuring only you can access your own data.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only with:

  • Supabase Inc. — Database and authentication infrastructure (EU-hosted).
  • Resend Inc. — Transactional email delivery (welcome emails, password resets).
  • FinAPI GmbH — Bank account connection services (only if you choose to connect a bank).
  • Vercel Inc. — Website hosting.

All processors are bound by data processing agreements compliant with GDPR Article 28.

6. Data Retention

We retain your data for as long as your account is active. If you delete your account, all personal and financial data is permanently deleted within 30 days. We may retain anonymized, aggregated data for statistical purposes.

7. Your Rights

Under GDPR and LOPDGDD, you have the following rights:

  • Access — Request a copy of your personal data.
  • Rectification — Correct inaccurate or incomplete data.
  • Erasure — Request deletion of your data ("right to be forgotten").
  • Restriction — Request limited processing of your data.
  • Portability — Receive your data in a structured, machine-readable format.
  • Objection — Object to processing based on legitimate interest.
  • Withdraw consent — Where processing is based on consent, withdraw at any time.

To exercise any of these rights, contact us at contact@arfin.app.

8. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD):

  • Agencia Española de Protección de Datos (AEPD)
  • Website: www.aepd.es
  • C/ Jorge Juan, 6 — 28001 Madrid, Spain

9. Cookies

Arfin uses only essential cookies required for the service to function (authentication session, sidebar state preference). We do not use advertising, analytics, or third-party tracking cookies. Since these cookies are strictly necessary, consent is not required under Article 22.2 of the Spanish LSSI.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice. The "Last updated" date at the top reflects the most recent revision.

11. Contact

For any questions about this Privacy Policy or your data, contact us at contact@arfin.app.