Privacy Policy
Last updated May 20, 2026
Folzio resolves the ETFs and mutual funds in your portfolio into the underlying companies you actually hold. This Privacy Policy explains what information we collect when you use Folzio (the “Service”), how we use and protect it, who we share it with, and the choices and rights you have. By using Folzio you agree to the practices described here.
Information we collect
Account information
- Email address — used to identify your account, send transactional email, and let you sign in.
- Name — your first and last name, if you choose to provide them (optional).
- Password — stored only as an argon2id hash. We never store, log, or have access to your plaintext password.
- Sign in with Apple — if you use it, we receive an opaque Apple user identifier and, if you choose to share it, your email address (which may be an Apple private-relay address). We do not receive your Apple password.
Portfolio and holdings data
- Portfolios you create — the names you give them and the holdings you enter: ticker symbols and share quantities.
- Imported holdings — data you import by pasting/uploading a CSV export from your broker, or by uploading screenshots of your brokerage app.
We use this data solely to compute and display your true underlying exposure to you. Folzio does not connect to your brokerage account — you enter or import holdings yourself.
Screenshots you upload
If you import holdings by uploading screenshots, the images are sent to Anthropic’s Claude API to extract the ticker symbols and share counts shown in them. The extracted rows are displayed back to you for review. We do not retain the original uploaded images on our servers after your import session — only the holdings you confirm are saved to your portfolio. Per its commercial API terms, Anthropic does not use data submitted through its API to train its models.
Waitlist and invites
If you join our waitlist, we store the email address — and optional name — you provide so we can send you an invite. If you sign up with an invite code, we record that the code was used.
Technical and usage information
- Session metadata — when you sign in, we store your IP address and browser user-agent string alongside the session so you can stay signed in and so we can detect and investigate abuse.
- Server logs — standard application logs (e.g. request paths, status codes, timestamps) generated by our infrastructure.
- Error diagnostics — if the Service hits an error, technical details about it — the error message and stack trace, the request method and route, a request identifier, and, if you are signed in, your account identifier — are sent to our error-monitoring provider (Rollbar) so we can diagnose and fix it. We deliberately do not include your IP address, cookies, authentication tokens, query-string values, or the contents of your portfolio in these reports.
Cookies
Folzio uses only the essential cookies needed to keep you signed in (web_access and web_refresh). They are HttpOnly, sent over HTTPS in production, and scoped to Folzio. We do not use advertising cookies, third-party tracking cookies, or analytics that profile you across other websites.
How we use your information
- To provide the Service — store your portfolios and resolve them into underlying-company exposure.
- To create and secure your account and keep you signed in.
- To send transactional email — email verification, password resets, and waitlist invites. We do not send marketing email without your consent.
- To look up current market prices for the tickers in your portfolios (see “Market data” below).
- To protect the Service — detect, prevent, and investigate fraud, abuse, and security incidents.
- To keep the Service reliable — monitor for, diagnose, and fix errors and other technical problems.
- To comply with legal obligations.
Market data and ticker lookups
To classify securities and show prices and fund holdings, we query third-party market-data sources such as Financial Modeling Prep, SEC EDGAR, OpenFIGI, and public exchange symbol lists. These lookups send only ticker symbols — never your identity, your account, or the fact that a given ticker belongs to you. Prices we display may be delayed (typically by at least 15 minutes) to comply with exchange redistribution rules.
Service providers we share data with
We share personal information only with the service providers that help us run Folzio, and only as needed for them to perform their function:
- Resend — delivers our transactional email; receives the recipient’s email address and message content.
- Anthropic — processes screenshots you upload to extract holdings (see above); receives the image content.
- Apple — if you use Sign in with Apple, to authenticate you.
- Fly.io — our cloud hosting provider, where the application and database run.
- Rollbar — our error-monitoring provider; receives the technical error reports described under “Error diagnostics” above (error message and stack trace, the request route, and your account identifier when you are signed in) so we can detect and fix problems. It does not receive your IP address, login credentials, or portfolio contents.
We may also disclose information if required by law, to enforce our terms, or to protect the rights, safety, and property of Folzio, our users, or others. If Folzio is involved in a merger, acquisition, or asset sale, your information may be transferred — we will notify you of any such change.
What we don’t do
- We do not sell your personal information.
- We do not share it for cross-context behavioral advertising.
- We do not use your portfolio data for any purpose other than providing the Service to you.
Data retention
We keep your account and portfolio data for as long as your account is active. When you delete your account (or ask us to delete your data), we delete your account, portfolios, and holdings; residual copies may persist in encrypted backups for a limited period before being overwritten. Email-verification and password-reset tokens are short-lived and stored only as hashes. Sessions expire automatically and can be revoked at any time by signing out or changing your password. Error-diagnostic reports sent to Rollbar are retained for up to 180 days (Rollbar’s default retention period) and then deleted automatically.
Data security
We protect your information with industry-standard measures: passwords are hashed with argon2id, session and reset tokens are stored only as hashes, traffic is served over HTTPS, and session cookies are HttpOnly and Secure. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.
Your choices and rights
Regardless of where you live, you can:
- Access and review your account and portfolio data from within the app.
- Correct your information by editing it in the app.
- Delete your holdings, portfolios, or your entire account.
- Export a copy of your data, or withdraw consent, by contacting us.
To exercise any of these, email us at privacy@folzio.com.
Your rights in the EEA, UK, and Switzerland (GDPR)
If you are in the European Economic Area, the United Kingdom, or Switzerland, Folzio is the data controller for your personal data. We process it on these legal bases:
- Performance of a contract — to provide the Service you signed up for (your account, portfolios, and exposure analysis).
- Legitimate interests — to secure the Service, prevent abuse, diagnose and fix errors, and operate our business, balanced against your rights.
- Consent — where we ask for it, such as joining the waitlist; you may withdraw consent at any time.
- Legal obligation — where we must process data to comply with the law.
You have the right to access, rectify, erase, restrict, or object to the processing of your personal data, the right to data portability, and the right not to be subject to decisions based solely on automated processing. You also have the right to lodge a complaint with your local supervisory authority.
California privacy rights (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect and how we use it, to request access to or deletion of that information, to correct inaccurate information, and to not be discriminated against for exercising these rights. In the past 12 months we have collected the categories of information described in “Information we collect” above, for the purposes in “How we use your information.”
We do not sell your personal information, and we do not share it for cross-context behavioral advertising as those terms are defined under California law. To exercise your rights, email privacy@folzio.com; we will verify your request using your account email.
International data transfers
Folzio is operated from, and stores data in, the United States. If you access the Service from outside the U.S., your information will be transferred to and processed in the U.S. — including by our U.S.-based service providers such as Rollbar, Inc. (error monitoring). Where required, we rely on appropriate safeguards (such as the European Commission’s Standard Contractual Clauses) for such transfers.
Children’s privacy
Folzio is not directed to children, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
Changes to this policy
We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date above, and for material changes we will provide a more prominent notice. Your continued use of the Service after a change takes effect means you accept the updated policy.
Contact us
Questions about this policy or your data? Email us at privacy@folzio.com.