Privacy Policy

Last updated: 3 December 2025

Your Privacy Matters

This Privacy Policy explains how Vantanomic collects, uses, stores, and protects your personal and financial data in compliance with the EU General Data Protection Regulation (GDPR) and the Irish Data Protection Act 2018.

1. Data Controller

The data controller responsible for your personal data is:

Vantanomic
Email: hello@vantanomic.com

2. Information We Collect

We collect the following categories of personal data:

Account Data

  • Email address - for account creation, authentication, and communication
  • Username - for account identification
  • Password - stored as a secure hash (we cannot see your actual password)
  • Account creation date - for record-keeping

Transaction Data (Financial Data)

  • Investment transactions - buy/sell dates, quantities, prices, ticker symbols, ISINs
  • Asset information - stock/ETF names, domicile, currency
  • Calculated tax data - CGT estimates, FIFO matching results, year summaries
  • CSV import files - temporarily processed, not stored permanently

Technical Data

  • IP address - for security and fraud prevention
  • Browser type and version - for compatibility and troubleshooting
  • Device information - for analytics and performance monitoring
  • Session data - to keep you logged in securely
  • Usage analytics - via Vercel Analytics (anonymized page views, performance metrics)

Data We Do NOT Collect

  • We do NOT collect your bank account details or payment information (service is free)
  • We do NOT use tracking cookies or advertising pixels
  • We do NOT sell or share your data with advertisers
  • We do NOT track you across other websites

3. Legal Basis for Processing

Under GDPR Article 6, we process your personal data based on the following legal grounds:

  • Contractual Necessity (Article 6(1)(b)) - To provide the Service you requested (account creation, tax calculations)
  • Consent (Article 6(1)(a)) - For optional features that may be added in the future
  • Legitimate Interest (Article 6(1)(f)) - For security, fraud prevention, and service improvements
  • Legal Obligation (Article 6(1)(c)) - To comply with Irish/EU laws (e.g., data protection, tax reporting if required)

4. How We Use Your Information

We use your data for the following purposes:

Service Provision

  • Creating and managing your account
  • Processing transaction imports and calculating FIFO tax estimates
  • Displaying your portfolio dashboard and reports
  • Allowing you to export data (CSV downloads)

Communication

  • Sending critical account notifications (e.g., password reset, account deletion confirmation)
  • Responding to your support requests
  • Notifying you of service changes or security updates

Security and Compliance

  • Detecting and preventing fraud, abuse, and unauthorized access
  • Enforcing our Terms of Service
  • Complying with legal obligations and lawful requests from authorities

Service Improvement

  • Analyzing usage patterns to improve performance and user experience (anonymized data only)
  • Identifying and fixing bugs
  • Developing new features based on user needs

5. Data Storage and Security

Where Your Data is Stored

Your data is stored on secure servers within the European Union using:

  • Supabase - PostgreSQL database (EU region)
  • Vercel - Application hosting and deployment (EU edge network)

All data transfers comply with GDPR requirements. We do NOT transfer your personal data outside the EU.

Security Measures

We implement industry-standard security controls:

  • Encryption in transit - All connections use HTTPS/TLS 1.3
  • Encryption at rest - Database is encrypted using AES-256
  • Password hashing - Passwords are hashed using bcrypt (one-way, irreversible)
  • Row-level security - Database policies ensure users can only access their own data
  • Regular security updates - We patch vulnerabilities promptly
  • Access controls - Only authorized personnel can access infrastructure

No System is 100% Secure

Despite our best efforts, no internet transmission or storage system is completely secure. We cannot guarantee absolute security but will notify you promptly in case of any data breach affecting your personal data, as required by GDPR Article 34.

6. Data Sharing and Disclosure

We do NOT sell, rent, or trade your personal data to third parties.

We only share your data in the following limited circumstances:

Service Providers (Data Processors)

We share data with trusted third-party processors who help us operate the Service:

  • Supabase - Database hosting and authentication (GDPR-compliant, EU servers)
  • Vercel - Application hosting and analytics (GDPR-compliant, EU edge network)

These providers are contractually bound to protect your data and may only use it to provide services to us. They cannot use your data for their own purposes.

Legal Obligations

We may disclose your data if required by law:

  • To comply with a court order, subpoena, or legal process
  • To respond to lawful requests from Irish or EU authorities (e.g., Irish Revenue, Data Protection Commission)
  • To protect our rights, property, or safety, or that of our users
  • To prevent fraud, abuse, or illegal activity

Business Transfers

If Vantanomic is acquired, merged, or undergoes a business restructuring, your data may be transferred to the successor entity. We will notify you via email before any such transfer and update this Privacy Policy accordingly.

With Your Consent

We will share your data with third parties only if you explicitly consent (e.g., if you request export to a third-party service).

7. Your Rights Under GDPR

Under the EU General Data Protection Regulation (GDPR), you have the following rights:

Right to Access (Article 15)

You can request a copy of all personal data we hold about you. We will provide this in a structured, machine-readable format (CSV/JSON) within 30 days.

How to exercise: Contact hello@vantanomic.com

Right to Rectification (Article 16)

You can correct inaccurate or incomplete data directly in your Account Settings or by contacting us.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can delete your account and all associated data at any time via Account Settings → Danger Zone → Delete Account.

Upon deletion:

  • All personal data (email, username, transactions) is permanently deleted within 30 days
  • We may retain anonymized analytics data that cannot be linked back to you
  • We may retain data if legally required (e.g., tax records, fraud prevention)

Right to Data Portability (Article 20)

You can export your data in CSV format via the Dashboard or Transactions page.

Right to Object (Article 21)

You can object to processing based on legitimate interest (e.g., analytics). We will stop processing unless we have compelling legal grounds.

Right to Restrict Processing (Article 18)

You can request we temporarily restrict processing (e.g., while we verify accuracy of disputed data).

Right to Withdraw Consent (Article 7)

Where processing is based on consent (e.g., optional features we may add in the future), you can withdraw consent at any time without affecting the lawfulness of prior processing.

Right to Complain

If you believe we have violated your privacy rights, you have the right to lodge a complaint with:

Irish Data Protection Commission (DPC)
21 Fitzwilliam Square South
Dublin 2, D02 RD28, Ireland
Phone: +353 (0)761 104 800
Website: www.dataprotection.ie

8. Data Retention

We retain your personal data only as long as necessary for the purposes outlined in this Privacy Policy:

Active Accounts

  • Data is retained while your account is active and for as long as you continue to use the Service

Account Deletion

  • Personal data (email, username, transactions) is permanently deleted within 30 days of account deletion
  • Anonymized analytics data (no personal identifiers) may be retained indefinitely for statistical purposes

Legal Obligations

  • We may retain data longer if required by Irish/EU law (e.g., tax records, fraud investigations)
  • We will inform you if legal retention applies to your data

9. Cookies and Tracking

Essential Cookies (Required)

We use essential cookies to:

  • Keep you logged in securely (session cookies)
  • Remember your preferences (e.g., dark mode)
  • Prevent CSRF attacks and ensure security

These cookies are necessary for the Service to function and cannot be disabled.

Analytics (Cookieless)

We use Vercel Analytics, which is completely cookieless. It does not use any cookies or store any data on your device. Instead, it collects aggregated, anonymous data with no personal identifiers:

  • Page views and navigation patterns
  • Country/region (no precise location)
  • Browser and device type (aggregated)
  • Referrer information

Vercel Analytics cannot track individual users, cannot cross-reference data across websites, and automatically discards visitor sessions after 24 hours. No consent banner is required because no cookies or personal data are collected.

What We Do NOT Use

  • No advertising cookies or pixels
  • No cross-site tracking or social media trackers
  • No third-party marketing cookies

10. Children's Privacy

Vantanomic is not intended for individuals under 18 years old. We do not knowingly collect data from children.

If you are under 18, you may not use the Service. If we discover that a child has provided personal data, we will delete it immediately.

11. International Data Transfers

All your data is stored and processed within the European Union.

We do NOT transfer your personal data to countries outside the EU/EEA. If this changes in the future, we will:

  • Notify you in advance
  • Use Standard Contractual Clauses (SCCs) approved by the European Commission
  • Ensure adequate data protection safeguards
  • Obtain your consent where required

12. Automated Decision-Making

We do NOT use automated decision-making or profiling that produces legal effects or significantly affects you.

The tax calculations are purely algorithmic (FIFO matching) and informational. They do not constitute automated decisions under GDPR Article 22.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes to our Service or business practices
  • New legal requirements or regulations
  • User feedback or security improvements

When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Notify you via email (for significant changes)
  • Display a prominent notice in the Service

Continued use of the Service after changes means you accept the updated Privacy Policy.

14. Data Breach Notification

In the unlikely event of a data breach affecting your personal data, we will:

  • Notify the Irish Data Protection Commission within 72 hours (as required by GDPR Article 33)
  • Notify you directly via email without undue delay (as required by GDPR Article 34)
  • Provide details about the nature of the breach, data affected, and remedial actions taken
  • Offer guidance on steps you can take to protect yourself

15. Contact Us / Data Protection Inquiries

For any questions about this Privacy Policy, to exercise your GDPR rights, or to raise a data protection concern, please contact us:

Privacy Officer
Vantanomic
Email: hello@vantanomic.com

We will respond to your request within 30 days as required by GDPR Article 12.

16. Legal Framework

This Privacy Policy is governed by and complies with:

  • EU General Data Protection Regulation (GDPR) - Regulation (EU) 2016/679
  • Irish Data Protection Act 2018
  • ePrivacy Directive - Directive 2002/58/EC (as amended)
  • Irish ePrivacy Regulations 2011 (S.I. No. 336/2011)