Privacy Policy
Last updated April 28, 2026 · Compliant with GDPR (EU) and CCPA (California)
In plain English
- We collect what's needed to make the product work: email, password (stored only as a bcrypt hash, never in plain text), and what stocks you look at.
- We never sell your data. We never use it for advertising.
- Most data stays in the EU (servers in Frankfurt, Germany). A small subset is sent to vetted US providers (e.g. Anthropic, OpenAI, Resend; the full list is in section 4) under signed Standard Contractual Clauses.
- You can delete your account and your data at any time. Email hello@invest-like.com.
1. Data controller
The data controller responsible for processing personal data on this website is:
Zaid Ghazal
Prinz-Heinrich-Straße 17
24106 Kiel
Germany
Email: hello@invest-like.com
Phone: +49 178 4843395
For all privacy-related questions, exercising your rights, or general inquiries, contact hello@invest-like.com.
2. What data we collect and why
Account data: email (required), name (optional), password hash (bcrypt; we never store the password itself). If you sign in via Google: email, name, profile picture. Lawful basis: contract, Art. 6(1)(b) GDPR. Storage: while the account is active; deleted within 30 days of account deletion.
Usage data: pages visited, stocks analysed, watchlist contents, filter presets, timestamps. Used to provide features and improve the product. Lawful basis: legitimate interest — Art. 6(1)(f) GDPR. Storage: 12 months, then aggregated.
Technical data: IP address (full for 14 days, truncated afterwards), browser, device. Used for security and rate-limiting. Lawful basis: legitimate interest in security, Art. 6(1)(f). Storage: 14 days full IP, 90 days truncated IP.
Payment data (after July 1, 2026 launch): handled by Stripe. We never see your card number — only token, last 4 digits, billing country. Lawful basis: contract — Art. 6(1)(b). Storage: 10 years (§ 147 AO Germany).
Marketing data (only if you opt in): if you tick "Send me the newsletter" we add your email to our newsletter audience. Lawful basis: consent — Art. 6(1)(a). Storage: until unsubscribe, then deleted within 7 days.
3. How we use your data
We use your data to:
- Provide, secure, and improve the Service
- Personalise your dashboard, watchlist, and analysis history
- Process payments and manage subscriptions (after launch)
- Send transactional emails (signup confirmation, account notices)
- Send the optional weekly newsletter — only if you opt in
- Detect and prevent fraud or abuse
- Comply with legal obligations (tax records, legal requests)
4. Hosting and data processors
We use a limited set of vetted providers. Each is a data processor under Art. 28 GDPR. Data Processing Agreements (DPAs) and EU Standard Contractual Clauses (SCCs) are in place.
Vercel Inc. (Covina, CA, USA) — application hosting. Serverless functions are locked to Frankfurt (fra1), so personal data is processed in the EU. Static assets via global CDN contain no personal data. DPA: vercel.com/legal/dpa.
Supabase Inc. (Singapore) — database and authentication. Our instance runs in Frankfurt, Germany (eu-central-1). DPA: supabase.com/legal/dpa.
Anthropic, PBC (San Francisco, CA, USA) — AI analysis (Buffett Brain). By contract, queries are not used to train their models.
OpenAI, L.L.C. (San Francisco, CA, USA) — fallback AI. By contract, queries are not used for training.
Resend, Inc. (San Francisco, CA, USA) — transactional and newsletter email delivery. Operates on AWS SES.
ImprovMX (Berkeley, CA, USA) — inbound email forwarding (e.g. hello@invest-like.com → founder's inbox).
Stripe Inc. (USA) and Stripe Payments Europe Ltd. (Dublin, Ireland) — payment processing after launch. PCI DSS Level 1 certified.
Financial Modeling Prep and Massive Market Data — public market data only. No personal data is shared with these providers.
Vercel Analytics (USA, EU edge) — privacy-first page-view analytics. No cookies, no personal data, IP truncated and hashed. GDPR-compliant by design.
PostHog (EU instance, posthog.com) — product analytics for funnels and session recordings. Only active if we explicitly enable it in the deployment configuration. Form inputs are masked by default.
Microsoft Clarity (USA, Microsoft Corp.) — heatmaps and session replay. Only active if we explicitly enable it in the deployment configuration. PII is redacted automatically.
We never sell your personal data and never use it for cross-context behavioural advertising.
5. International data transfers
Most personal data stays in the EU because our database and serverless functions run in Frankfurt, Germany.
A small subset is transferred to US-based processors (Anthropic, OpenAI, Resend, ImprovMX, Microsoft Clarity, Stripe). For these we rely on:
- European Commission's Standard Contractual Clauses (SCCs), signed via each provider's DPA
- The EU-US Data Privacy Framework (DPF) for certified providers
- Data minimisation — we only send what's strictly needed (e.g. ticker + financial metrics for AI, not your name)
6. Cookies (TDDDG § 25, formerly TTDSG)
We use only strictly necessary cookies. Under TDDDG § 25 Abs. 2 Nr. 2 (formerly TTDSG) and ePrivacy Directive Art. 5(3), no consent is required for these, so we don't show a cookie banner.
Specifically:
- sb-access-token, sb-refresh-token — Supabase authentication, set on login, expire on logout
- theme — light/dark preference (local-only, never sent to a server)
- locale — language preference (local-only)
- We do not use advertising, retargeting, cross-site tracking, fingerprinting, or third-party analytics cookies.
7. How long we keep your data
See section 2 for storage durations per category. Summary:
- Account data: while account is active, then deleted within 30 days
- Usage data: 12 months, then aggregated/anonymised
- Technical / security logs: 14 days (full IP), 90 days (truncated)
- Payment / invoice records: 10 years (§ 147 AO Germany)
- Newsletter email: until unsubscribe, then deleted within 7 days
8. Your rights under GDPR
If you're in the EU/EEA/UK, you have the right to:
- Access the data we hold about you (Art. 15)
- Rectify inaccurate data (Art. 16)
- Delete your data — "right to be forgotten" (Art. 17)
- Restrict processing (Art. 18)
- Export your data in machine-readable form (Art. 20)
- Object to processing based on legitimate interest (Art. 21)
- Withdraw consent at any time, where processing is based on consent (Art. 7(3))
Email hello@invest-like.com to exercise any of these. We respond within 30 days.
9. Right to lodge a complaint (Art. 77 GDPR)
You have the right to lodge a complaint with a data protection supervisory authority. As the data controller is based in Schleswig-Holstein, the competent authority is:
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD)
Holstenstraße 98
24103 Kiel
Germany
Phone: +49 431 988-1200
Email: mail@datenschutzzentrum.de
Web: https://www.datenschutzzentrum.de
10. Security
TLS 1.3 in transit, AES-256 at rest, bcrypt password hashing, Supabase Row-Level Security so that each user can only read their own rows, and least-privilege access for staff and services. No system is perfectly secure: use a strong, unique password and enable 2FA where available.
11. Children
The Service is not directed at children under 16 (EU) or under 13 (US, COPPA). We don't knowingly collect data from children. Email hello@invest-like.com if you believe a child has provided data.
12. California (CCPA / CPRA)
California residents have the rights described in section 8. We don't sell or share personal information for cross-context behavioural advertising. Email hello@invest-like.com to exercise California rights.
13. Changes to this policy
We may update this policy. Material changes will be notified by email or banner. Continued use means acceptance. The "Last updated" date is always current.
14. Contact
Privacy questions: hello@invest-like.com. Postal address: see Impressum.