Privacy Policy
1. Who We Are
Traveltech Consulting ΕΕ, trading as "Panfolio" ("we", "us", "our"), is the data controller responsible for your personal data processed through the Panfolio service at tracker.panfolio.app.
| Detail | Information |
|---|---|
| Company type | Ετερρόρρυθμη Εταιρία (ΕΕ) — Greek Limited Partnership |
| ΓΕΜΗ Registration | 162222203000 |
| Tax Number (ΑΦΜ) | EL801725430 |
| Registered address | DIMITRIOU GOUNARI 96, 15125, MAROUSI, Greece |
| Privacy contact | info@traveltech.gr |
| Legal contact | info@traveltech.gr |
| Supervisory authority | ΑΠΔΠΧ — www.dpa.gr |
2. Data We Collect
We collect the following categories of personal data:
- Account Data: your name, email address, and profile picture when you register via Google Sign-In; or your email address and password if you register directly.
- Portfolio Data: investment holdings, transaction records, asset names, ticker symbols, quantities, prices, dates, and portfolio names that you manually enter into the Service.
- Financial Activity Metadata: records of actions taken within the Service (e.g., adding a transaction, creating a portfolio) used for fraud prevention and service delivery. This does not include access to your actual bank or brokerage accounts.
- Technical Data: IP address, browser type and version, device type and operating system, time zone, and cookies. See Section 7 (Cookies).
- Usage Data: information about how you use the Service — pages visited, features accessed, session duration, and navigation paths. Collected via Google Analytics with your consent (see Section 7).
- Payment Data (Pro subscribers only): billing name, billing address, and last four digits of your payment card. Full card details are processed exclusively by Stripe, Inc. and are never stored on our servers.
- Communications: any personal data contained in support emails, feedback, or other messages you send us.
3. How We Use Your Data
The table below sets out the purposes for which we process your personal data, the legal basis under GDPR, and how long we retain it.
| Purpose | Legal Basis | GDPR Article | Retention |
|---|---|---|---|
| Create and manage your account | Contract | 6(1)(b) | Until deletion + 30 days |
| Provide and operate the Service | Contract | 6(1)(b) | Until deletion + 30 days |
| Process Pro subscription payments | Contract + Legal Obligation | 6(1)(b)(c) | 7 years (Greek accounting law) |
| Send transactional emails (receipts, account alerts) | Contract | 6(1)(b) | Until account deletion |
| Analyze product usage and improve the Service | Legitimate Interest* | 6(1)(f) | 26 months (anonymized after) |
| Prevent fraud, abuse, and unauthorized access | Legitimate Interest* | 6(1)(f) | 12 months from activity |
| Comply with legal obligations (tax, court orders) | Legal Obligation | 6(1)(c) | As required by law |
| Send marketing/newsletter communications | Consent | 6(1)(a) | Until you withdraw consent |
* Legitimate Interest: Our legitimate interest in analyzing product usage is to understand how the Service is used and to improve it for all users. You have the right to object to this processing (see Section 6).
4. Third-Party Processors
We share personal data with the following service providers ("processors") who process data on our behalf under written Data Processing Agreements:
| Processor | Role & Transfer Mechanism |
|---|---|
| Supabase, Inc. (USA) | Database hosting, authentication, and backend API. Data stored in EU-region data centers where available. Transfer mechanism: Standard Contractual Clauses (SCCs). DPA: supabase.com/privacy |
| Google LLC (USA) | (a) Google Sign-In for authentication; (b) Google Analytics for product analytics (consent-based). Transfer: EU-US Data Privacy Framework + SCCs. DPA: business.safety.google |
| Stripe, Inc. (USA) | Pro subscription payment processing. Subject to PCI-DSS. Transfer: EU-US Data Privacy Framework + SCCs. Privacy: stripe.com/privacy |
| Resend / Plus Five Five, Inc. (USA) | Transactional email delivery (receipts, notifications). Transfer: EU-US Data Privacy Framework + SCCs. DPA: resend.com/legal/dpa |
We may also share personal data with: (a) competent courts and authorities where required by law; (b) our professional advisors (lawyers, accountants) under confidentiality obligations.
5. International Transfers
Some of our processors are based outside the European Economic Area (EEA). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, reliance on the EU-US Data Privacy Framework.
You may request a copy of the applicable transfer safeguards by contacting privacy@traveltech.gr.
6. Your Rights Under GDPR
As an EU/EEA resident, you have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. |
| Rectification (Art. 16) | Correct any inaccurate or incomplete personal data. |
| Erasure (Art. 17) | Request deletion of your account and personal data. Note: certain data may be retained for legal obligation purposes (e.g., payment records for 7 years). |
| Restriction (Art. 18) | Request that we limit processing in certain circumstances (e.g., while you contest accuracy). |
| Data Portability (Art. 20) | Receive your personal and portfolio data in a structured, machine-readable format (CSV or JSON export available via Account Settings). |
| Object (Art. 21) | Object to processing based on our legitimate interest. We will cease unless we demonstrate compelling legitimate grounds. |
| Withdraw Consent | Withdraw any consent at any time. This does not affect the lawfulness of processing carried out before withdrawal. |
7. Cookies
Cookies are small text files placed on your device. We use:
- Strictly Necessary Cookies: Required for login, session management, and security (CSRF protection). These cookies are exempt from consent requirements and cannot be disabled without affecting the Service.
- Analytics Cookies (Google Analytics): Cookies _ga, _gid, and _gat are placed only after you grant consent via our cookie consent banner. You may withdraw consent at any time via the "Cookie Preferences" link in the footer of our website.
Full details of all cookies we use — including names, purposes, and expiry dates — are published in our Cookie Policy.
8. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (HTTPS/TLS) on all connections
- Encryption at rest (Supabase managed encryption)
- Access controls with role-based permissions
- Row-Level Security (RLS) ensuring each user can only access their own data
However, no transmission over the internet is completely secure. You use the Service at your own risk and should use a strong, unique password for your account.
9. Children's Privacy
Panfolio is intended for users aged 18 and over. We do not knowingly collect personal data from persons under 18. If you believe a minor has registered, please contact privacy@traveltech.gr and we will delete the account promptly.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or via a prominent in-app notice at least 30 days before the change takes effect. The current version, with its effective date, is always available at panfolio.app/privacy.
11. Right to Lodge a Complaint
You have the right to lodge a complaint with the Hellenic Data Protection Authority (ΑΠΔΠΧ) if you believe we have not handled your data in accordance with GDPR. We would always appreciate the opportunity to resolve any concerns directly first — please contact privacy@traveltech.gr.
| Authority | Contact |
|---|---|
| ΑΠΔΠΧ — Hellenic DPA | www.dpa.gr |
| Address | Λεωφόρος Κηφισίας 1-3, 115 23 Αθήνα |
| Phone | +30 210 6475600 |
| Email (for complaints) | complaints@dpa.gr |