Data Privacy Policy

Last updated: June 20, 2026

We – ratiofolio – want to inform you about how we process your personal data in accordance with the General Data Protection Regulation ("GDPR").

Our privacy policy is modular. It consists of general information for all processing of personal data (I.) and specific information whose content relates only to the processing situation specified there (II. ff.).

I. General Information

1. Data Controller

The controller within the meaning of the GDPR and other national data protection laws is:
Raphael Becker (ratiofolio)
[Street Address]
[City, Postal Code, Germany]
Note: ratiofolio is currently operated as a private beta project by an individual and is not yet a registered company.
Email: privacy@ratiofolio.io

2. Legal Basis for Processing

We process some of your personal data based on the following legal grounds:

  • Consent: Insofar as we obtain the consent of the data subject for specific purposes, Art. 6 (1) (a) GDPR serves as the legal basis.
  • Fulfillment of Contractual Obligations: Insofar as processing is necessary for the performance of a contract to which you are a party, Art. 6 (1) (b) GDPR serves as the legal basis. This also applies to processing operations required to carry out pre-contractual measures.
  • Legal Obligations: Insofar as processing is necessary to fulfill a legal obligation to which we are subject, Art. 6 (1) (c) GDPR is the legal basis.
  • Legitimate Interests: Insofar as processing is necessary to safeguard our legitimate interests or those of a third party, and your interests, fundamental rights, and freedoms do not outweigh the former interest, Art. 6 (1) (f) GDPR serves as the legal basis.

3. Storage Duration and Deletion

Personal data is deleted or blocked as soon as there is no longer a purpose that provides a legal basis for its processing.

4. Recipients of Personal Data

Internally, only those departments and individuals who need your data to fulfill our processing purposes have access to it. We use processors and service providers bound by strict data processing agreements.

5. Data Subject Rights

If your personal data is processed, you are a data subject within the meaning of the GDPR, and you have the following rights against us:

  • Right of Access (Art. 15 GDPR): You have the right to request information about the personal data processed by us.
  • Right to Rectification (Art. 16 GDPR): You have the right to demand immediate correction of inaccurate personal data.
  • Right to Restriction of Processing (Art. 18 GDPR): You have the right to request the restriction of processing.
  • Right to Erasure (Art. 17 GDPR): You have the right to request the deletion of your data.
  • Right to Data Portability (Art. 20 GDPR): You have the right to receive your data in a structured, commonly used, and machine-readable format.
  • Right to Object (Art. 21 GDPR): You have the right to object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7 (3) GDPR): You can withdraw your consent at any time.
  • Right to Lodge a Complaint (Art. 77 GDPR): You have the right to complain to a supervisory authority.

6. Technical and Organizational Measures (TOMs)

In accordance with Art. 32 GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing highly personal financial data. These measures include:

  • Encryption: All personal and financial data is encrypted in transit using TLS 1.2+ and at rest using AES-256 encryption.
  • Access Controls: We employ strict Row Level Security (RLS) policies within our database to ensure absolute data isolation between users. Access to infrastructure is secured via multi-factor authentication (MFA).
  • Pseudonymization: Active separation of directly identifiable data (like names and emails) from sensitive financial activity logs.

II. Website Visitors

1. Website Hosting & Log Files

Our website and services are hosted on self-managed infrastructure provided by Hetzner Online GmbH. When you visit our website, we automatically collect data and information from your device (log files), including your IP address, browser type, OS, and timestamp. This data is necessary to correctly deliver the contents of our website and ensure IT security (Art. 6 (1) (f) GDPR).

2. Essential Cookies

We use technically necessary cookies to maintain session states and authentication. These cookies are not used to track your behavior across other websites.
III. Registered Users

1. Registration and Profile

To use our services, prior registration is required. We process your name and email address. The purpose of the processing is the provision of our contractually owed services (Art. 6 (1) (b) GDPR). We never sell your personal data.

During internal processing, your financial and portfolio data is pseudonymized to protect your identity while allowing the platform to function. For public features like community comparisons, insights, and market analysis, we use strictly anonymized and aggregated data, ensuring no individual portfolios or highly unique asset allocations can be re-identified.

2. Data Processors & Data Residency (Supabase)

To provide our services, including authentication and database storage, we use Supabase, Inc. as our processor. To ensure strict data residency, our Supabase project and the associated database are hosted on servers located within the European Economic Area (EEA), specifically in Frankfurt, Germany (eu-central-1). Furthermore, we have concluded a Data Processing Agreement (DPA) containing Standard Contractual Clauses (SCCs) to ensure full GDPR compliance.

3. Payment Providers

As ratiofolio is currently in closed beta, all services are provided free of charge, and payment integrations are currently mocked. In the future, we will use payment service providers such as Stripe and PayPal. Once integrated, payments will be processed directly via these providers, and we will not store your full credit card or banking details.
IV. Broker Synchronization

Interactive Brokers (IBKR) Integration

We offer an automated import and sync feature via the Interactive Brokers (IBKR) Flex Queries API. If you choose to use this feature:

  • You provide an API Token and Query ID which are stored securely using industry-standard encryption (AES-256 for credentials at rest, and TLS for all data in transit).
  • These credentials only allow read-only access to trade statements. We cannot initiate trades, withdraw funds, or modify your brokerage account.
  • The imported data (symbols, execution prices, dates) is used exclusively to populate your trading journal and calculate your portfolio performance.

Liability Disclaimer: Users provide third-party brokerage credentials at their own risk. While we implement strict security measures to protect your credentials, ratiofolio is not liable for data discrepancies, service outages, or account issues originating from Interactive Brokers or any other third-party brokerage.

Other broker sync features will follow in the future under the same strict read-only and encrypted data policies.
V. Communication

If you contact us via email or join our waitlist, your email address and any other personal data you provide will be processed solely to handle your inquiry or to notify you about beta access (Art. 6 (1) (f) or Art. 6 (1) (b) GDPR).