DeskFiStart free

Privacy Policy

Last updated: May 2026

1. Who We Are

DeskFi is operated by MB Vizika(company code: 304067031, VAT: LT100015098712) ("we", "us", "our"). We operate the portfolio research and analytics platform at deskfi.app. MB Vizika is the data controller responsible for your personal data.

For any privacy-related questions or requests, contact us at support@deskfi.app.

2. Information We Collect

We collect and process the following categories of personal data:

Information you provide directly:

  • Account information: Name, email address, and password (stored as a bcrypt hash) when you create an account
  • Profile data: Investment preferences, risk tolerance, goals, budget settings, themes, and experience level from onboarding
  • Broker API credentials (Trading 212 API key or IBKR Flex Token): Encrypted with AES-256-GCM and stored if you choose to connect your brokerage
  • WhatsApp number: If you opt in to WhatsApp notifications
  • User content: Trade journal entries, desk notes, watchlist configurations, and research queries
  • Payment information: Processed by Stripe; we store only your Stripe customer ID and subscription ID, not card details

Information collected automatically:

  • Portfolio data: Holdings, positions, cost basis, dividends, and performance data synced from your connected broker (Trading 212 or Interactive Brokers) via your API credentials
  • Usage data: Feature usage counts and AI analysis requests (stored in our UsageLog for rate limiting)
  • Analytics data: Page views, session duration, and interaction patterns via Google Analytics (only with your consent)
  • Technical data: IP address, browser type, and device information from server logs

3. Legal Basis for Processing (GDPR)

We process your personal data on the following legal bases:

  • Contract performance: Processing necessary to provide the Service you signed up for (account data, portfolio sync, AI analysis)
  • Consent: Analytics cookies, WhatsApp notifications, and marketing communications (you can withdraw consent at any time)
  • Legitimate interests: Service improvement, security monitoring, and fraud prevention
  • Legal obligation: Where we are required to retain data by law

4. How We Use Your Data

Your data is used for the following purposes:

  • Providing and personalising the Service (dashboard, analytics, AI research)
  • Generating AI-powered analysis based on your portfolio and investor profile
  • Processing payments and managing subscriptions
  • Sending transactional emails (verification, password reset, important notices)
  • Sending WhatsApp notifications and AI research messages (if opted in)
  • Enforcing usage limits and rate limiting
  • Improving the Service based on aggregated, anonymised usage patterns
  • Preventing abuse and maintaining security

We do not sell, rent, or share your personal data or portfolio information with third parties for marketing or advertising purposes.

5. AI Processing

The Service uses AI language models to generate research commentary and analysis. When you use AI-powered features, the following data may be sent to our AI provider:

  • Your portfolio holdings and performance data
  • Your investor profile (goals, risk tolerance, themes)
  • Your research queries and prompts
  • Relevant market context and financial data from third-party sources

Our AI provider is Anthropic(Claude API). Per Anthropic's data policies, data sent via their API is not used to train their models. AI processing occurs in real-time and outputs are not stored by Anthropic beyond their standard API log retention period.

We store AI-generated outputs (such as desk notes, weekly briefs, and analysis results) in our database as part of your account data.

6. Third-Party Services and Data Sharing

We share data with the following third-party processors, limited to what is necessary for each service:

  • Anthropic (Claude API) - AI analysis generation. Receives portfolio data and profile for context. Privacy Policy
  • Stripe - Payment processing. Receives email and payment details. We never see or store your full card number. Privacy Policy
  • Vercel - Application hosting and edge functions. Processes all requests. Privacy Policy
  • Turso (LibSQL) - Database hosting. Stores all account and portfolio data. Privacy Policy
  • Resend - Transactional email delivery. Receives email addresses and message content. Privacy Policy
  • Twilio - WhatsApp messaging. Receives phone numbers and message content (if you opt in). Privacy Policy
  • Finnhub - Market data and financial metrics. Does not receive your personal data; we query public financial data. Terms
  • Google Analytics - Website analytics (only with your cookie consent). Receives anonymised usage data. Privacy Policy
  • Upstash (Redis) - Rate limiting. Stores temporary, anonymised request counts. Privacy Policy

7. Cookies and Tracking

We use the following types of cookies:

Essential cookies (always active):

  • Session cookie: Maintains your login state (NextAuth session token)
  • CSRF token: Protects against cross-site request forgery
  • Cookie consent: Remembers your cookie preference (stored in localStorage)

Analytics cookies (consent required):

  • Google Analytics (_ga, _ga_*): Measures page views, session duration, and feature usage to help us improve the Service

Analytics cookies are only loaded after you click "Accept All" on the cookie consent banner. If you choose "Essential Only", no analytics scripts are loaded. You can change your preference at any time by clearing your browser's localStorage or using your browser's cookie settings.

We do not use advertising cookies, retargeting pixels, or social media tracking scripts.

8. Data Storage and Security

We implement the following security measures:

  • All data transmitted over HTTPS (TLS 1.3)
  • Passwords hashed with bcrypt (never stored in plain text)
  • Broker API credentials encrypted with AES-256-GCM at rest
  • Database hosted on Turso with authenticated, encrypted connections
  • Rate limiting to prevent brute-force and abuse
  • Cascade deletion ensures all user data is removed when account is deleted

While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your data.

9. Data Retention

  • Active accounts: Data is retained for the lifetime of your account
  • Deleted accounts: Personal data and portfolio information are deleted within 30 days of account deletion. Associated AI-generated content (desk notes, briefs) is deleted immediately via cascade
  • Backups: May contain deleted data for up to 90 days before being overwritten
  • Stripe records: Payment history is retained by Stripe per their policies; we delete our reference to your Stripe customer upon account deletion
  • Server logs: Retained for up to 30 days for security and debugging purposes
  • Analytics data: Google Analytics retains data per your GA4 settings (default 14 months)

10. International Data Transfers

Your data may be processed outside the UK/EEA by our third-party providers (notably Anthropic, Vercel, and Stripe, which operate primarily in the United States). Where data is transferred outside the UK/EEA, we rely on:

  • Standard Contractual Clauses (SCCs) adopted by the relevant providers
  • The provider's participation in recognised data protection frameworks
  • Adequacy decisions where applicable

11. Your Rights (UK GDPR)

Under UK data protection law, you have the following rights:

  • Right of access: Request a copy of all personal data we hold about you
  • Right to rectification: Request correction of inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data ("right to be forgotten")
  • Right to restrict processing: Request that we limit how we use your data
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Withdraw consent for analytics cookies or WhatsApp notifications at any time

Every non-transactional email we send includes an unsubscribe link. Click it to stop receiving these emails immediately. This does not affect transactional emails such as account verification, password resets, and security notices, which are necessary for your account.

To exercise any of these rights, you can:

  • Use the Export Data feature in Settings (for data portability)
  • Use the Delete Account feature in Settings (for erasure)
  • Email us at support@deskfi.app for any other requests

We will respond to data rights requests within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

12. Children's Privacy

The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will indicate the date of the most recent update at the top of this page. For material changes that affect how we process your data, we will notify you by email or through a prominent notice in the Service before the changes take effect. Continued use of the Service after changes constitutes acceptance.

14. Contact

DeskFi is operated by MB Vizika (company code: 304067031, VAT: LT100015098712). For questions about this Privacy Policy, to exercise your data rights, or to raise a concern about how we handle your data, contact us at:

Email: support@deskfi.app

HomeTerms of Service