Privacy policy.
Short version: we store the bare minimum needed to compute your net worth, encrypt sensitive fields at rest, and never sell, share, or rent your data to anyone. No ad networks. No third-party analytics SDKs.
Who's the data controller
Millefold (Paulius Reutas) · Norway / Lithuania. Contact: hello@millefold.com.
Millefold is built and operated as a solo project. Reach the controller directly using the email above. There is currently no designated Data Protection Officer (not required at this scale, but this section will be updated if/when one is appointed).
What we collect
- Account: your email and (if you used Google) the basic Google profile fields — name and avatar URL.
- Portfolio: what you tell us about assets and liabilities — name, category, value, currency, optional notes.
- Snapshots: a daily snapshot of your totals so the history chart works.
- Public profile (only if you turn it on): the world sees your slug, display name, level, optional bio, and avatar. Nothing about your money.
- Imports: broker CSV files are parsed server-side then discarded — never stored on disk.
- Logs: minimal server logs (path, status, duration) kept 14 days for debugging. No body content.
What we encrypt at rest
Sensitive financial fields — asset values, cost basis, liability balances, snapshots — are encrypted at the application layer with AES-256-GCM before they reach the database. Even if our database is breached, your numbers stay ciphertext. Per-user data keys are derived from a master key that lives with a separate vendor (Cloudflare) and never reaches the database, so a compromise of the database vendor alone yields only ciphertext. The application layer, which must hold both the key and database access while serving you, remains the trust boundary.
What we don't collect
- No IP-based tracking, no device fingerprinting, no third-party trackers.
- No click / hover / scroll-depth analytics. We don't know which buttons you press.
- No advertising IDs. We don't sell to advertisers — ever.
- One observability tool (PostHog EU) captures server-side exceptions only — no user behavioural tracking.
Legal basis we rely on (GDPR Art. 6)
- Contract (Art. 6(1)(b)) — for the core service (signing you in, storing what you ask us to store, running the features you opted into).
- Legitimate interest (Art. 6(1)(f)) — for security logging, error capture, and minimal anti-abuse signals. Balanced against your privacy.
- Consent (Art. 6(1)(a)) — for newsletter emails and web-push notifications. Withdrawable at any time from the app.
Where it lives + sub-processors
- Supabase — database + auth, EU region (Frankfurt). supabase.com/privacy
- Cloudflare — hosting (Workers) + DNS + CDN. cloudflare.com/privacypolicy
- Brevo — transactional + newsletter email (EU-based, Paris). brevo.com/legal/privacypolicy
- PostHog EU — error tracking only (no behavioural analytics). EU region (Frankfurt). posthog.com/privacy
- Frankfurter — FX rates only. We send the currency code, not your data.
- Stooq · CoinGecko — market prices. We send the public ticker symbol, not your data.
- Google — only if you sign in with Google. Standard OAuth profile read.
International data transfers
Our primary data store and email are EU-resident. Some processors — Cloudflare, Google, PostHog — operate globally and may handle data outside the EEA. Where this happens, transfers rely on the European Commission's Standard Contractual Clauses (SCCs) and the processor's own safeguards. We do not transfer data to jurisdictions without an adequacy decision or SCCs in place.
How long we keep your data
- Account data: while your account is active. Delete the account and every row tied to your user_id is removed from the live database within 24 hours.
- Backups: rolling 7-day point-in-time backups via Supabase, so a deleted row can persist in a backup for up to 7 days before it is gone everywhere.
- Email logs: 90 days for diagnostic email-event logs (delivery success/failure), then auto-deleted.
- Security forensics: 90 days for honeypot / scanner-probe logs that don't contain personal data.
Your rights (EU/UK GDPR + equivalents)
- Access & export a JSON of everything we have on you, any time, from Settings.
- Delete your account + all data from Settings. Irreversible.
- Correct anything we have on you by editing it in the app, or by emailing us.
- Object to, or restrict, processing done on a legitimate-interest basis — email us and we'll review.
- Unsubscribe from newsletters via the link in any email, or by replying STOP. Transactional emails (sign-in links, account deletion confirmations) keep working.
- Complain to a supervisory authority — your national data-protection authority (e.g. Datatilsynet in Norway, VDAI in Lithuania, ICO in the UK, CNIL in France). You do not need to contact us first.
Cookies + storage
We use one technical cookie set by Supabase to keep you signed in. That's it. No tracking cookies, no third-party trackers.
Children
Millefold is intended for adults managing their own finances. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.
Changes
Material changes are announced by email and reflected in the "Last updated" date at the top. Where a change adds a sub-processor or alters a legal basis, we email accounts at least 14 days before it takes effect.
Contact
Questions, complaints, takedown requests, data-subject requests: hello@millefold.com.