Privacy Policy

Last updated: 29 January 2026

1. Introduction

Welcome to SavvyPortfolio. This Privacy Policy explains how SavvyPortfolio Pty Ltd (ABN to be registered) ("we", "us", "our", or "SavvyPortfolio") collects, uses, discloses, and protects your personal information when you use our web application and related services.

SavvyPortfolio is an Australian share portfolio tracking application that helps investors manage their ASX holdings, calculate Capital Gains Tax (CGT), track franking credits, and generate ATO-ready tax reports.

We are committed to protecting your privacy and handling your personal information in accordance with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). This policy describes our practices regarding the collection, use, and disclosure of your information and the choices you have associated with that information.

By using SavvyPortfolio, you consent to the collection and use of your information as described in this Privacy Policy. If you do not agree with this policy, please do not use our services.

2. Definitions

In this Privacy Policy, the following terms have the meanings set out below:

  • "Personal Information" means information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not. This definition is consistent with the Privacy Act 1988 (Cth).
  • "Sensitive Information" means personal information about an individual's racial or ethnic origin, political opinions, religious beliefs, trade union membership, sexual orientation, criminal record, health information, genetic information, or biometric information. We do not intentionally collect sensitive information.
  • "Service" or "Services" means the SavvyPortfolio web application, including all features, functionalities, and related services we provide.
  • "Portfolio Data" means information relating to your investment portfolio, including but not limited to transactions, holdings, dividends, cost bases, capital gains, capital losses, and franking credits.
  • "Account" means the user account you create to access our Services.
  • "Device" means any device that can access the Service, such as a computer, mobile phone, or tablet.
  • "Cookies" means small data files stored on your Device by your web browser.
  • "Third-Party Service Providers" means companies or individuals engaged by us to facilitate our Service, provide the Service on our behalf, perform Service-related services, or assist us in analysing how our Service is used.

3. Information We Collect

We collect several types of information to provide and improve our Service to you:

3.1 Account Information

When you create an account with SavvyPortfolio, we collect:

  • Email address
  • Full name (optional)
  • Password (stored in encrypted form)
  • Profile picture (if provided via OAuth)
  • Account preferences and settings

3.2 Portfolio Data

To provide our portfolio tracking and CGT calculation services, we collect:

  • Transaction history (buy/sell orders, dates, quantities, prices)
  • Holdings information (stocks owned, quantities, cost bases)
  • Dividend records (payment dates, amounts, franking percentages)
  • Portfolio names and organisation preferences
  • Transaction notes or labels you add

3.3 Financial Calculation Data

Our Service calculates and stores:

  • Cost bases for CGT purposes
  • Realised capital gains and losses
  • Unrealised gains and losses
  • CGT discount eligibility calculations
  • Franking credit calculations
  • Tax report data for ATO purposes

3.4 Usage Data

We automatically collect certain information when you use our Service:

  • Pages and features you access
  • Time and date of your visits
  • Time spent on pages
  • Actions taken within the application
  • Error logs and performance data
  • Referral source (how you found us)

3.5 Device Information

We may collect information about the device you use to access our Service:

  • Device type (desktop, mobile, tablet)
  • Operating system and version
  • Browser type and version
  • Screen resolution
  • IP address
  • General geographic location (city/country level, derived from IP)
  • Language preferences

3.6 Information We Do NOT Collect

To protect your privacy and security, we explicitly do not collect:

  • Bank account details or credentials - We never ask for or store your bank login information
  • Brokerage account passwords - We do not connect directly to CommSec or other brokers; you upload transaction data via CSV files
  • Credit card or payment details - If we offer paid services, payment processing is handled entirely by Stripe; we never see or store your full card numbers
  • Tax File Numbers (TFN) - We do not require or store your TFN
  • Government ID documents - We do not require identity verification documents
  • Sensitive information - As defined under the Privacy Act, including health, racial, political, or religious information

4. How We Collect Information

4.1 Information You Provide Directly

We collect information that you voluntarily provide to us:

  • Account Registration: When you sign up for an account, you provide your email address and create a password
  • CSV File Uploads: When you upload transaction history from CommSec or other brokers, we process this data to populate your portfolio
  • Manual Data Entry: When you manually add transactions, holdings, or dividends to your portfolio
  • Profile Updates: When you update your account settings or preferences
  • Support Requests: When you contact us for customer support, you may provide additional information about your issue
  • Feedback and Surveys: When you respond to surveys or provide feedback about our Service

4.2 Information Collected Automatically

We automatically collect certain information when you use our Service:

  • Cookies and Similar Technologies: We use cookies and similar tracking technologies to track activity on our Service and store certain information. See Section 9 for more details.
  • Log Data: Our servers automatically record information when you access our Service, including your IP address, browser type, pages visited, and timestamps.
  • Analytics: We use analytics services to collect and analyse usage patterns to improve our Service.

4.3 Information from Third Parties

We may receive information from third-party sources:

  • OAuth Providers: If you sign in using Google, Apple, or other OAuth providers, we receive your name, email address, and profile picture (if available) as authorised by your OAuth provider settings.
  • Market Data Providers: We obtain ASX stock prices and market data from third-party data providers to display current portfolio values and calculate gains/losses.

5. Purpose of Collection

We collect and use your personal information for the following purposes:

5.1 Providing Our Services

  • Create and manage your user account
  • Track your share portfolio holdings and transactions
  • Calculate realised and unrealised capital gains and losses
  • Apply CGT discount rules for holdings held more than 12 months
  • Track dividend income and franking credits
  • Generate ATO-ready tax reports
  • Enable multi-portfolio management
  • Sync your data across devices (if you opt in to cloud sync)

5.2 Service Improvement

  • Analyse usage patterns to improve user experience
  • Identify and fix bugs and technical issues
  • Develop new features based on user needs
  • Optimise Service performance
  • Conduct research and analysis

5.3 Communication

  • Send you important Service notifications (e.g., security alerts, policy changes)
  • Respond to your inquiries and support requests
  • Send product updates and new feature announcements (if you opt in)
  • Provide tax-time reminders and helpful tips (if you opt in)

5.4 Security and Compliance

  • Protect against unauthorised access to your account
  • Detect and prevent fraud, abuse, or illegal activity
  • Comply with legal obligations
  • Enforce our Terms of Service

5.5 Business Operations

  • Process payments and subscriptions (via Stripe)
  • Maintain accurate business records
  • Conduct internal auditing and analysis

7. Data Storage and Security

7.1 Local Storage (Primary)

By default, your portfolio data is stored locally on your device using your browser's localStorage functionality. This means:

  • Your data remains on your device and is not transmitted to our servers unless you enable cloud sync
  • Data is accessible only from the browser and device where it was created
  • Clearing your browser data will delete your locally stored portfolio data
  • We recommend enabling cloud sync or regularly exporting your data for backup

7.2 Cloud Storage (Optional)

If you create an account and enable cloud synchronisation, your data is stored in our cloud infrastructure powered by Supabase:

  • Supabase provides enterprise-grade PostgreSQL database hosting
  • Data is replicated across multiple availability zones for reliability
  • Automatic backups are performed regularly
  • Your data can be accessed from any device where you log in

7.3 Data Center Locations

Our cloud infrastructure is hosted on Supabase, which utilises AWS (Amazon Web Services) data centers. While we endeavour to store data in the Asia-Pacific region where possible, data may be processed in data centers located in:

  • Australia (Sydney region, where available)
  • Singapore
  • United States (for certain backup and processing operations)

See Section 13 for information about international data transfers.

7.4 Encryption

We employ industry-standard encryption to protect your data:

  • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher (SSL/TLS encryption)
  • At Rest: Data stored in our cloud databases is encrypted using AES-256 encryption
  • Passwords: User passwords are hashed using bcrypt with salt, meaning we cannot see or retrieve your password

7.5 Security Measures

We implement comprehensive security measures to protect your information:

  • Secure authentication via Supabase Auth with support for multi-factor authentication (MFA)
  • Regular security audits and vulnerability assessments
  • Access controls limiting employee access to personal information on a need-to-know basis
  • Monitoring systems to detect and respond to security incidents
  • Secure development practices following OWASP guidelines
  • Regular software updates and security patches
  • Row Level Security (RLS) policies ensuring users can only access their own data

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security but are committed to maintaining appropriate safeguards.

8. Data Sharing and Disclosure

We value your privacy and are committed to limiting how your information is shared. We may share your information only in the following circumstances:

8.1 Third-Party Service Providers

We engage trusted third-party companies to perform services on our behalf. These providers have access only to the information necessary to perform their specific functions and are obligated to protect your information:

  • Supabase: Database hosting, user authentication, and cloud storage services
  • Vercel: Web application hosting and content delivery
  • Analytics providers: Anonymised usage analytics to improve our Service (e.g., Vercel Analytics, Google Analytics)
  • Market data providers: ASX stock price and market data feeds
  • Stripe: Payment processing (if applicable for premium features)
  • Email service providers: For sending transactional emails and notifications

8.2 Legal Requirements

We may disclose your information if required to do so by law or in response to valid legal requests, including:

  • Court orders or subpoenas
  • Government or regulatory agency requests
  • Requests from the Australian Taxation Office (ATO) with proper legal authority
  • Law enforcement requests where legally compelled
  • To protect against legal liability

Where permitted by law, we will notify you of such requests before disclosing your information.

8.3 Business Transfers

If SavvyPortfolio is involved in a merger, acquisition, sale of assets, or bankruptcy, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service of any change in ownership or uses of your personal information.

8.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

8.5 Aggregated or Anonymised Data

We may share aggregated or anonymised information that cannot reasonably be used to identify you. For example, we may share statistics about platform usage or general investment trends without revealing individual user data.

8.6 What We Do NOT Do

We do NOT sell your personal information.

We will never sell, rent, or lease your personal information to third parties for their marketing purposes. Your financial data is yours, and we respect that.

9. Cookies and Tracking Technologies

We use cookies and similar tracking technologies to track activity on our Service and improve your user experience.

9.1 What Are Cookies?

Cookies are small text files that are stored on your device when you visit a website. They help websites remember information about your visit, which can make your next visit easier and the site more useful to you.

9.2 Types of Cookies We Use

Essential Cookies (Required)

These cookies are necessary for the website to function properly and cannot be disabled:

  • Authentication cookies: To keep you logged in and maintain your session
  • Security cookies: To protect against cross-site request forgery and other security threats
  • Preference cookies: To remember your settings such as dark mode, currency display preferences, and portfolio views

Analytics Cookies (Optional)

These cookies help us understand how visitors interact with our Service:

  • Usage analytics: To track which features are most used and identify areas for improvement
  • Performance cookies: To measure page load times and identify performance issues
  • Error tracking: To detect and diagnose errors that users encounter

9.3 How to Control Cookies

You can control and manage cookies in several ways:

  • Browser Settings: Most browsers allow you to refuse cookies or alert you when cookies are being sent. Check your browser's help menu for instructions.
  • Cookie Preferences: When you first visit our Service, you may be presented with a cookie consent banner allowing you to accept or decline non-essential cookies.
  • Opt-out Tools: You can use tools like the Google Analytics Opt-out Browser Add-on to prevent analytics tracking.

Please note that disabling certain cookies may affect the functionality of our Service. Essential cookies cannot be disabled without significantly impacting your ability to use SavvyPortfolio.

9.4 Do Not Track

Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activity tracked. We currently respond to Do Not Track signals by disabling non-essential analytics cookies when this setting is detected.

10. Data Retention

10.1 How Long We Keep Your Data

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, including:

  • Active Accounts: Your account and portfolio data is retained for as long as your account remains active
  • Inactive Accounts: If your account is inactive for an extended period (12 months or more), we may send you a reminder and eventually archive or delete your data if you do not respond
  • Local Storage: Data stored in your browser's localStorage persists until you clear your browser data or uninstall the application

10.2 Deletion Upon Account Closure

When you request account deletion:

  • Your account information and portfolio data will be permanently deleted from our active systems within 30 days
  • You will receive confirmation once deletion is complete
  • We recommend exporting your data before requesting deletion

10.3 Backup Retention

Your data may persist in our backup systems for a limited period after deletion:

  • Database backups are retained for up to 90 days for disaster recovery purposes
  • After this period, your data will be permanently removed from all backup systems

10.4 Legal Retention Requirements

In some cases, we may retain certain information for longer periods as required by law, such as for tax, accounting, or legal compliance purposes. For example, we may retain transaction records to comply with ATO record-keeping requirements if you have used our Service to generate tax reports.

11. Your Rights Under Australian Privacy Law

The Australian Privacy Principles (APPs) give you certain rights regarding your personal information. We are committed to upholding these rights.

11.1 Right to Access Your Data (APP 12)

You have the right to request access to the personal information we hold about you. Upon request, we will:

  • Confirm whether we hold personal information about you
  • Provide you with access to that information
  • Provide information about how your data has been used and disclosed

We will respond to access requests within 30 days. In most cases, there is no charge for accessing your information, but we may charge a reasonable fee for repeated or complex requests.

You can also access much of your data directly through the SavvyPortfolio application using the data export feature.

11.2 Right to Correct Your Data (APP 13)

You have the right to request correction of personal information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading. You can:

  • Update your account information directly through your profile settings
  • Edit or delete transactions and portfolio data within the application
  • Contact us to request correction of any other personal information

We will respond to correction requests within 30 days and notify you of the outcome.

11.3 Right to Complain

If you believe we have breached the Australian Privacy Principles or mishandled your personal information, you have the right to lodge a complaint. See Section 15 for our complaints process.

11.4 Additional Rights

In addition to the rights under the APPs, we provide you with:

  • Right to Deletion: You can request deletion of your account and personal information at any time
  • Right to Data Portability: You can export your portfolio data in a machine-readable format (CSV, JSON)
  • Right to Withdraw Consent: Where we process your information based on consent, you can withdraw that consent at any time
  • Right to Opt-Out: You can opt out of marketing communications at any time by clicking the unsubscribe link in any email or updating your preferences

11.5 How to Exercise Your Rights

To exercise any of your rights, please contact us at support@savvystartagency.com.au. We may need to verify your identity before processing your request to protect your privacy and security.

12. Children's Privacy

SavvyPortfolio is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.

If you are a parent or guardian and believe your child has provided us with personal information without your consent, please contact us at support@savvystartagency.com.au. We will take steps to remove that information from our systems.

If you are under 18 and wish to use a portfolio tracking service, we recommend having a parent or guardian create and manage the account on your behalf.

13. International Data Transfers

While SavvyPortfolio is an Australian service designed for Australian investors, some of your personal information may be transferred to, and processed in, countries outside of Australia.

13.1 Where Your Data May Be Processed

Our third-party service providers may process your data in various locations:

  • Supabase: Hosted on AWS infrastructure, primarily in the Asia-Pacific region (Singapore) or United States
  • Vercel: Global edge network with servers in multiple countries, including Australia, Singapore, and the United States
  • Analytics services: May process data in the United States or European Union

13.2 Safeguards for International Transfers

When your data is transferred overseas, we take reasonable steps to ensure it remains protected in accordance with APP 8. Our safeguards include:

  • Selecting service providers with strong privacy and security practices
  • Contractual obligations requiring recipients to protect your information
  • Use of encryption for data in transit and at rest
  • Preferring service providers in countries with comparable privacy laws
  • Regular review of our service providers' privacy practices

By using our Service, you acknowledge and consent to the transfer of your information to countries outside Australia as described above.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

14.1 How We Notify You of Changes

  • Material Changes: For significant changes that affect how we collect, use, or share your information, we will notify you via email (if you have an account) and display a prominent notice on our website at least 30 days before the changes take effect
  • Minor Changes: For minor updates (such as clarifications or formatting changes), we will update the "Last updated" date at the top of this policy
  • Version History: We maintain a version history of significant policy changes, which is available upon request

14.2 Your Continued Use

Your continued use of our Service after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with the changes, you should discontinue use of the Service and may request deletion of your account.

14.3 Review the Policy

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. The current version will always be available on our website.

15. Contact Us and Complaints

15.1 Privacy Officer Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact our Privacy Officer:

SavvyPortfolio Privacy Officer

Email: support@savvystartagency.com.au

Please include "Privacy Inquiry" in the subject line of your email.

15.2 How to Make a Complaint

If you believe we have breached your privacy or mishandled your personal information, you can lodge a complaint with us:

  1. Contact us first: Send your complaint in writing to support@savvystartagency.com.au with the subject line "Privacy Complaint"
  2. Provide details: Include a clear description of your concern, relevant dates, and how you would like the issue resolved
  3. We will investigate: We will acknowledge your complaint within 7 days and provide a response within 30 days
  4. Resolution: We will work with you to resolve the issue and take appropriate corrective action if needed

15.3 Escalation to the OAIC

If you are not satisfied with our response to your complaint, or if you prefer not to contact us directly, you have the right to lodge a complaint with the Office of the Australian Information Commissioner (OAIC):

Office of the Australian Information Commissioner (OAIC)

Website: www.oaic.gov.au

Phone: 1300 363 992

Email: enquiries@oaic.gov.au

Online Complaint Form: www.oaic.gov.au/privacy/privacy-complaints

GPO Box 5218, Sydney NSW 2001

This Privacy Policy is governed by and construed in accordance with the laws of Australia, including the Privacy Act 1988 (Cth) and the Australian Privacy Principles. By using SavvyPortfolio, you agree to the terms of this Privacy Policy.

Thank you for trusting SavvyPortfolio with your portfolio data. We are committed to protecting your privacy and providing you with a secure, valuable service for managing your investments.