Privacy Policy

1. Information We Collect

At BlabMoney, we collect information in various ways to provide you with the best possible service:

Personal Information

• Full name and username
• Email address for account creation and communication
• Encrypted passwords using bcrypt hashing
• Profile pictures from OAuth providers (Google, LinkedIn)

Financial Portfolio Data

• Portfolio composition, asset allocations, and investment preferences
• Risk tolerance settings and investment objectives
• Asset search history and selection preferences
• Portfolio performance metrics and analytics

Technical and Usage Data

• Unique session identifiers for analytics tracking
• Page views and navigation patterns within the application
• Marketing campaign parameters (stored for 24 hours)
• Browser type, device information, and technical specifications
• IP addresses for security and fraud prevention
• Login records (date, time, authentication method) for security and fraud prevention
• Activity signals (last time you used the application) to monitor actual service usage

AI Chat and Interaction Data

• Chat conversations with our AI assistant for portfolio advice
• AI-generated alternatives and financial insights
• User feedback on AI responses (positive/negative ratings)
• Usage patterns of AI-generated alternatives

2. How We Use Your Information

We use the collected information for the following purposes:

• Providing and maintaining our portfolio management services
• Personalizing AI chat responses and financial alternatives
• Analyzing portfolio performance and generating reports
• Tracking application performance and user engagement (with consent)
• Improving user experience and application functionality
• Maintaining security and preventing fraud
• Complying with legal obligations and regulatory requirements
• Providing customer support and responding to inquiries

3. Information Sharing

We do not sell, rent, or trade your personal information to third parties. We may share information in the following circumstances:

Third-Party Service Providers

• MongoDB Atlas: Database hosting and data storage services
• Azure OpenAI: AI chat functionality and natural language processing
• Financial Data Providers: Market data and financial information providers
• Email Service (Resend): Email delivery for notifications and account management

Legal Requirements

• When required by law or by competent authorities
• To comply with legal processes, court orders, or government requests
• In case of merger, acquisition, or sale of assets
• When you have given explicit consent for specific sharing

4. Cookies and Tracking Technologies

We use various types of cookies and similar technologies to enhance your experience:

Essential Cookies

• next-auth.session-token: Maintains your authenticated session (secure, httpOnly)
• next-auth.csrf-token: Prevents cross-site request forgery attacks
• next-auth.callback-url: Handles OAuth authentication redirects

Functional Cookies

• preferredCurrency: Stores your preferred currency setting
• blabmoney_cookie_consent: Remembers your cookie consent preferences (90-day expiry)
• blabmoney_activity_signal: Records activity signals every 4 hours to monitor actual service usage (technical cookie, no consent required)

Analytics Cookies (Consent Required)

• blabmoney_session_id: Unique session identifier for our custom analytics system
• blabmoney_utm_params: Marketing campaign tracking parameters (24-hour expiry)

5. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

• End-to-end encryption for data transmission and storage
• Strict access controls and authentication requirements
• HTTPS-only communication and secure cookie policies
• Regular security audits and vulnerability assessments
• Password hashing using industry-standard bcrypt algorithm
• Secure cookie settings with httpOnly and sameSite protection

6. Your Rights Under GDPR

As a data subject, you have the following rights:

• Right of Access: Request access to your personal data and information about processing
• Right to Rectification: Request correction of inaccurate or incomplete personal data
• Right to Erasure: Request deletion of your personal data under certain circumstances
• Right to Data Portability: Receive your personal data in a structured, machine-readable format
• Right to Restriction: Request restriction of processing under certain circumstances
• Right to Object: Object to processing based on legitimate interests or direct marketing
• Right to Withdraw Consent: Withdraw consent for analytics cookies and optional data processing

7. How to Exercise Your Rights

To exercise any of your GDPR rights (access, rectification, erasure, portability, etc.), please follow these steps:

Contact Our Privacy Team

Send an email to:

Required Information

To process your request efficiently, please include:

• Your registered email address
• Type of request (access, deletion, portability, etc.)
• Proof of identity (for security purposes)
• Any relevant details or specific data categories

Response Timeline

• We will confirm receipt of your request within 3 business days
• We will respond to your request within 30 calendar days
• In complex cases, we may extend this to 90 days with prior notification

Cost

• All GDPR requests are processed free of charge
• Excessive or repeated requests may incur administrative fees

Identity Verification

To protect your privacy, we may ask you to verify your identity before processing requests. This may include confirming account details or providing identification documents.

8. Data Retention

• User Account Data: Retained until account deletion or 5 years of inactivity
• Analytics Data: Retained for 3 years for long-term trend analysis
• Chat Conversations: Retained until account deletion as an integral part of the service
• Cookie Consent Records: 90 days from last interaction or until consent withdrawal
• UTM Campaign Data: 24 hours in sessionStorage, aggregated reporting for 1 year
• Login Records: Retained for 2 years for security audits and fraud investigation

9. Our Custom Analytics System

BlabMoney uses a privacy-focused custom analytics system:

• Custom-built analytics instead of Google Analytics or third-party trackers
• Analytics only active when you consent to analytics cookies
• Session-based tracking with unique identifiers
• Event tracking for user interactions and application usage
• No data shared with external analytics providers

10. International Data Transfers

Your data may be transferred to and processed in countries outside the EEA:

• MongoDB Atlas: Data stored in EU regions with adequate protection
• Azure OpenAI: Processing in EU regions under Microsoft's Data Protection Addendum
• Transfers only to countries with EU adequacy decisions or appropriate safeguards
• Standard Contractual Clauses and certification schemes ensure protection

11. Changes to This Policy

We may update this privacy policy occasionally to reflect changes in our practices or applicable regulations. Significant changes will be notified through our website and by updating the 'last updated' date.

12. Contact Information

If you have questions about this privacy policy or wish to exercise your data rights, please contact us: