Privacy Policy
Last updated: February 2026
At WealthFlow ("we", "our", or "the Platform"), operated by Flyxchain, we are committed to protecting your privacy and the security of your personal and financial data. This Privacy Policy comprehensively describes how we collect, use, store, protect, and, where applicable, share your information when you use our wealth management application available at wealthflow.cloud and app.wealthflow.cloud.
By using WealthFlow, you accept the practices described in this Privacy Policy. We recommend reading it carefully together with our Terms of Service, Legal Notice, and Cookie Policy.
1. Data Controller
The data controller for your personal data is:
- Company: Flyxchain
- Contact email: privacy@wealthflow.cloud
- Website: wealthflow.cloud
2. Data We Collect
2.1. Identification and Account Data
When you register and use WealthFlow, we collect:
- Email address: Used as the unique account identifier and for communications
- Username/Display name: Optional, to personalize your experience
- Auth0 identifier: Unique token generated by our authentication provider to securely manage your session
- Language and currency preferences: To customize the interface and display values in your preferred currency
- Visual theme preferences: Light/dark mode interface setting
2.2. Financial and Asset Data
To provide our wealth management services, we store the data you voluntarily enter:
- Stock portfolio: Symbols, share quantities, purchase prices, broker, sector, exchange, and notes
- Cryptocurrencies: Symbols, amounts, prices, wallet, exchange, staking information, and APY yields
- Investment funds: ISIN, name, manager, category, units, NAV, TER fees
- Pension plans: Provider, plan number, personal and employer contributions, yearly limits
- Real estate: Property type, investment type, amounts, estimated profitability, IRR
- Other assets: Category, description, purchase and current value, associated income and expenses, location, serial number, insured value
- Loans: Type, lender, amounts, interest rates, terms, linked insurance
- Forex operations: Asset, operation type, profit/loss, dates
- Operations history: All purchases, sales, and movements for each asset type
- Transactions: Dividends, interest, and other investment income
- Financial goals: Configured savings and investment targets
- Tax configuration: Calculation method (FIFO/LIFO), tax lots for capital gains calculation
2.3. Subscription and Payment Data
For users with paid plans:
- Subscription status: Active plan (Free/Pro), expiration date
- Stripe identifiers: Customer ID and Subscription ID to manage your subscription
- Usage counters: Price synchronizations performed for limit control
Important: WealthFlow does NOT store credit card data or bank payment information. All payments are processed securely through Stripe, which complies with PCI-DSS Level 1 standards.
2.4. Usage and Technical Data
We automatically collect:
- Registration date and last login
- Analytics dashboard configuration: Widgets and visualization preferences
- Analysis preferences: Selected benchmark, risk-free rate, estimated monthly expenses, cash position
- Portfolio snapshots: Historical valuations for evolution analysis
- Browsing data: Through Google Analytics (see Cookies section)
2.5. Communications Data
When you contact us:
- Content of messages sent through the contact form
- Support emails
3. Legal Basis for Processing
We process your personal data under the following legal bases pursuant to the General Data Protection Regulation (GDPR):
- Contract performance (Art. 6.1.b GDPR): Necessary to provide you with the WealthFlow services you have contracted
- Consent (Art. 6.1.a GDPR): For the use of analytical cookies and marketing communications (where applicable)
- Legitimate interest (Art. 6.1.f GDPR): To improve our services, prevent fraud, and ensure platform security
- Legal obligation (Art. 6.1.c GDPR): When necessary to comply with applicable legal obligations
4. Purpose of Processing
We use your data to:
- Service provision: Manage your account, process and display your asset information, calculate returns, generate reports and analyses
- Personalization: Adapt the experience to your language, currency, and visualization preferences
- Operational communications: Send you important information about your account, service changes, or security updates
- Technical support: Resolve issues and respond to your inquiries
- Service improvement: Analyze platform usage to detect and fix errors, optimize performance, and develop new features
- Security: Detect and prevent unauthorized access, fraud, or malicious activities
- Legal compliance: Respond to authority requests when legally required
5. Security Measures and Encryption
Protecting your data is our highest priority. We implement multiple layers of security:
5.1. Encryption in Transit
- TLS 1.3: All communications between your browser and our servers are encrypted using HTTPS with TLS 1.3, the most secure standard currently available
- SSL Certificates: We use valid and up-to-date SSL certificates on all our domains
- HSTS: We implement HTTP Strict Transport Security to prevent downgrade attacks
5.2. Encryption at Rest
- PostgreSQL database: Hosted on Neon.tech with AES-256 encryption at rest
- Mandatory SSL connections: All database connections require SSL/TLS
- Encrypted backups: Automatic backups are stored encrypted
5.3. Authentication and Access Control
- Auth0: We delegate authentication to Auth0, an industry leader compliant with SOC 2 Type II, ISO 27001, ISO 27018, and GDPR
- OAuth 2.0 and OpenID Connect: Industry-standard protocols for secure authentication
- JWT Tokens: Sessions managed through JSON Web Tokens with automatic expiration
- No password storage: Credentials are managed exclusively by Auth0
5.4. Infrastructure Security
- Netlify: Our application is deployed on Netlify, which provides a global CDN with DDoS protection and WAF (Web Application Firewall)
- Serverless functions: Serverless architecture that minimizes the attack surface
- Secure environment variables: API keys and credentials are stored as encrypted environment variables, never in code
5.5. Monitoring and Incident Response
- Error logging: A logging system that records application errors so that anomalies can be detected
- System metrics: Continuous monitoring of API calls and response times
- Response plan: Established procedures for breach notification and management
5.6. Protection Against Data Breaches
In case of a security incident affecting third-party services:
- Financial data without PII: Your asset information does not contain actual bank data, account numbers, or access credentials to financial institutions
- Tokens, not passwords: We only use Auth0 identifiers; we do not store passwords
- Protected payment data: Stripe manages all payment information; WealthFlow has no access to card numbers
- Breach notification: In compliance with GDPR, we will notify the supervisory authority within 72 hours and affected users without undue delay in case of a breach posing high risk
6. Service Providers (Data Processors)
To provide our services, we share data with the following providers acting as data processors under strict confidentiality agreements:
6.1. Auth0 (Okta, Inc.)
- Function: Authentication and identity provider
- Shared data: Email, user identifier, session tokens
- Location: United States (with Standard Contractual Clauses for EU-US transfers)
- Compliance: SOC 2 Type II, ISO 27001, ISO 27018, GDPR, Privacy Shield (historical)
- Privacy policy: auth0.com/privacy
6.2. Neon.tech
- Function: Serverless PostgreSQL database provider
- Shared data: All stored application data
- Location: Europe (AWS eu-central-1, Frankfurt)
- Compliance: SOC 2 Type II, GDPR
- Privacy policy: neon.tech/privacy
6.3. Stripe, Inc.
- Function: Payment processing
- Shared data: Email, Stripe customer identifier (card data is managed directly by Stripe)
- Location: United States (with Standard Contractual Clauses)
- Compliance: PCI-DSS Level 1, SOC 1 and SOC 2, GDPR
- Privacy policy: stripe.com/privacy
6.4. Netlify, Inc.
- Function: Application hosting and deployment
- Shared data: Access logs, IP addresses (anonymized)
- Location: Global CDN with nodes in Europe
- Compliance: SOC 2 Type II, GDPR
- Privacy policy: netlify.com/privacy
6.5. EODHD APIs
- Function: Real-time financial market data provider
- Shared data: Queried asset symbols (no personal data)
- Location: Europe
- Privacy policy: eodhd.com/privacy-policy
6.6. OpenAI
- Function: Portfolio analysis using artificial intelligence (AI Agent feature)
- Shared data: Aggregated portfolio data for analysis (no direct personal identifying data)
- Location: United States
- Compliance: SOC 2 Type II
- Privacy policy: openai.com/privacy
- Note: This feature is optional and only processes data when explicitly activated by the user
6.7. Google Analytics (Google LLC)
- Function: Website usage analysis
- Shared data: Anonymized browsing data, cookies
- Location: United States (with Standard Contractual Clauses)
- Compliance: EU-US Data Privacy Framework, GDPR
- Privacy policy: policies.google.com/privacy
- More information: See our Cookie Policy
6.8. Web3Forms
- Function: Contact form processing
- Shared data: Data entered in contact forms
- Privacy policy: web3forms.com/privacy
7. International Data Transfers
Some of our providers are located outside the European Economic Area. To ensure the protection of your data in compliance with GDPR, we apply the following safeguards:
- Standard Contractual Clauses (SCCs): Contracts approved by the European Commission for transfers to countries without adequacy decisions
- EU-US Data Privacy Framework: For US providers adhering to the EU-US privacy framework
- Complementary technical measures: Additional encryption and pseudonymization where technically feasible
You may request additional information about the specific safeguards applied by writing to privacy@wealthflow.cloud.
8. Data Retention
We retain your personal data for the time necessary to fulfill the described purposes:
- Account and asset data: While your account is active
- After account deletion: We delete your data within a maximum of 30 days, unless there is a legal obligation for retention
- Billing data: 5 years in accordance with Spanish tax regulations
- Security logs: Maximum 12 months for security and fraud prevention purposes
- Backups: Backups are purged according to the provider's retention policy (maximum 30 days)
9. Your Rights
Under the GDPR, you have the following rights:
9.1. Right of Access
You may request confirmation of whether we process your data and obtain a copy thereof.
9.2. Right to Rectification
You may request correction of inaccurate data or completion of incomplete data. You can also modify most of your data directly from your account settings.
9.3. Right to Erasure ("Right to be Forgotten")
You may request deletion of your personal data when it is no longer necessary for the purposes for which it was collected, you withdraw your consent, you object to processing, or the data has been processed unlawfully.
9.4. Right to Object
You may object to the processing of your data in certain circumstances, especially when processing is based on legitimate interest.
9.5. Right to Restriction of Processing
You may request restriction of processing while the accuracy of data or legitimacy of processing is verified.
9.6. Right to Data Portability
You may request to receive your data in a structured, commonly used, machine-readable format and transmit it to another controller. We are working on a data export feature to facilitate this right.
9.7. Right to Withdraw Consent
When processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
9.8. Right Not to be Subject to Automated Decisions
WealthFlow does not make decisions based solely on automated processing that produce significant legal effects.
How to Exercise Your Rights
You may exercise these rights:
- By sending an email to privacy@wealthflow.cloud
- Through the contact form
We will respond to your request within a maximum of 30 days. We may request additional information to verify your identity.
Right to Lodge a Complaint
If you believe that the processing of your data violates regulations, you may file a complaint with your local supervisory authority. For Spain: Agencia Española de Protección de Datos (AEPD): www.aepd.es
10. Minors
WealthFlow is not intended for users under 18 years of age. We do not knowingly collect personal information from minors. If you are a parent or guardian and believe your child has provided us with personal data, contact us to request its deletion.
11. Cookies and Tracking Technologies
We use cookies and similar technologies. For detailed information about what cookies we use, their purpose, and how to manage them, please see our Cookie Policy.
12. Changes to This Policy
We may update this Privacy Policy periodically. We will notify you of significant changes through:
- Prominent notice in the application
- Email to the address associated with your account (for material changes)
- Updating the "Last updated" date on this page
We recommend reviewing this policy periodically.
13. Contact
For any questions related to this Privacy Policy or the processing of your personal data:
- Email: privacy@wealthflow.cloud
- Form: wealthflow.cloud/contact
We are committed to responding to your inquiries as quickly as possible and always within legally established timeframes.