We use cookies and Google Analytics to improve our website and analyze usage. Privacy Policy

|

Privacy Policy (GDPR)

Last updated: February 2026

Data Protection in accordance with GDPR

1. Data Controller

Alec Roussos

Klarweg 27

85399 Hallbergmoos

Germany

E-mail: datenschutz@manalyx.com

2. Data Collected

a) Basic data

Name, e-mail address, username, optional profile picture

b) Asset data

  • Wallets (cryptocurrencies)
  • Bank transactions (import only, PDFs are not stored)
  • Stock/ETF positions
  • Real estate data
  • Vehicles
  • Watches

c) Connection data

API keys for exchanges, authentication data stored in Supabase

3. Google Sign-In (OAuth 2.0)

When you sign in with Google, the following data is accessed via Google OAuth 2.0:

  • Name, e-mail address, and profile picture (scopes: userinfo.email, userinfo.profile, openid)
  • Purpose: Account creation and authentication only
  • Legal basis: Art. 6(1)(b) GDPR (performance of a contract)
  • Storage: In our Supabase database; not shared with third parties

We do not access Google Drive, Gmail, Google Calendar, Contacts, or any other Google services.

You can revoke access at any time via your Google Account settings.

4. Legal Bases

  • Performance of a contract (Art. 6(1)(b) GDPR) – providing the service
  • Consent (Art. 6(1)(a) GDPR) – analytics, advertising cookies
  • Legitimate interest (Art. 6(1)(f) GDPR) – security, fraud prevention

5. Data Sharing

  • Supabase Inc. – authentication and database services (EU servers, Frankfurt)
  • Stripe Inc. – payment processing for premium subscriptions
  • Google Ireland Limited – authentication (OAuth 2.0: name, e-mail, profile picture only), web analytics (Google Analytics 4, pseudonymized, consent-based only), conversion tracking (pseudonymized, consent-based only)
  • Resend Inc. – transactional e-mail delivery
  • Price APIs (CoinGecko, Gold-API, etc.) – price data only, no personal data transmitted
  • No disclosure to other third parties without consent

6. Web Analytics (Google Analytics 4)

  • Provider: Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland
  • Service: Google Analytics 4 via Google Tag Manager
  • Legal basis: Art. 6(1)(a) GDPR – consent only (cookie banner)
  • No personal data is transmitted: IP addresses are anonymized by Google Analytics 4 by default
  • Data collected: Page views, session duration, referral source, device type, browser type, screen resolution, approximate geographic location (country/region level)
  • Purpose: Statistical analysis of website usage to improve the service
  • Consent Mode v2: We use Google Consent Mode v2 (Advanced). All consent parameters (analytics_storage, ad_storage, ad_user_data, ad_personalization) default to denied. Only after explicit consent via the cookie banner are they set to granted.
  • Data processing agreement (DPA) with Google in place per Art. 28 GDPR
  • Storage duration: 14 months
  • Not loaded in PWA/standalone mode (automatically opted out)
  • Opt-out: Decline in cookie banner, revoke by clearing cookies, or use the Google Analytics Opt-Out Browser Add-On

Google's privacy policy: https://policies.google.com/privacy

7. Google Ads Conversion Tracking

  • Upon account registration, a conversion event is sent to Google Ads (only if cookie consent was given)
  • No personal data beyond a pseudonymized event identifier is transmitted
  • Legal basis: Art. 6(1)(a) GDPR – consent
  • Purpose: Measuring the effectiveness of advertising campaigns

8. Data Retention

  • For as long as the account is active
  • After account deletion: immediate deletion of all personal data, unless statutory retention obligations apply

9. User Rights

You have the following rights regarding your personal data:

  • Right of access
  • Rectification
  • Erasure
  • Restriction of processing
  • Data portability
  • Objection

Withdrawal of consent is possible at any time. You also have the right to lodge a complaint with the competent supervisory authority (e.g., Bavarian State Office for Data Protection Supervision).

10. Data Security

  • SSL/TLS encryption for all data transfers
  • AES-256 encryption for API keys
  • Two-factor authentication available
  • Regular security audits

11. Cookies & Local Storage

  • Technically necessary cookies (authentication session)
  • LocalStorage for user settings and consent preferences
  • Google Analytics cookies (_ga, _ga_*) – only set after explicit consent via cookie banner
  • No analytics tracking in the installed PWA/app version (automatically opted out)

12. Third-Country Transfers

  • Google: Data may be processed in the USA. Basis: EU-U.S. Data Privacy Framework (DPF); Google LLC is certified.
  • Supabase: Servers in the EU (Frankfurt). For any US processing, standard contractual clauses (SCCs) apply.
  • Stripe: Certified under the EU-U.S. Data Privacy Framework.
  • Resend: Standard contractual clauses (SCCs) apply.

13. Contact

For questions about data protection, please contact:datenschutz@manalyx.com