Privacy Policy
Your data is yours. We built ZYXmon so that we cannot read your portfolio — by design, not by promise.
What Data We Collect
ZYXmon collects only the data you explicitly provide:
- Authentication: Email address and Google OAuth token (if using Google Sign-In). We never store your Google password.
- Portfolio data: Positions (symbols, shares, average prices), transactions, watchlist entries, alert preferences.
- Application settings: Language, theme, tax rates, and analysis preferences — stored in your browser's localStorage.
We do not collect: browsing habits, device fingerprints, location data, or any information beyond what you directly enter. IP addresses are processed transiently for rate limiting and abuse prevention but are not stored or used for tracking.
Legal Basis for Processing (GDPR Art. 6)
We process your data under the following legal bases:
- Contract performance (Art. 6(1)(b)): Processing your portfolio data, transactions, and account information is necessary to provide the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)): Security measures (rate limiting, abuse prevention, server logs) to protect the Service and its users.
- Consent (Art. 6(1)(a)): Google OAuth authentication — you explicitly choose to sign in with Google and authorize the data transfer.
How Your Data Is Encrypted
Your portfolio data is protected by a multi-layer encryption architecture. Even our team cannot access your holdings.
Encryption flow:
Your password → Argon2id (key derivation) → KEK (Key Encryption Key)
KEK → AES-256-GCM → DEK (Data Encryption Key)
DEK → SQLCipher → encrypted database file
- Per-tenant isolation: Each user's portfolio is stored in a separate encrypted SQLite database file. There is no shared table where your positions could leak.
- AES-256-GCM: Industry-standard authenticated encryption used by banks and governments. Tamper-evident: any modification to the encrypted file is detected and the data refuses to decrypt.
- Argon2id: The winning algorithm of the Password Hashing Competition. Resistant to GPU and ASIC brute-force attacks.
- Encryption key isolation: When password-based encryption is enabled, your password derives the encryption key locally. We cannot decrypt your data because we do not hold the keys. With Google OAuth (passwordless) login, encryption keys are derived server-side and protected by access controls, but are not zero-knowledge.
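The three-step flow above (password → Argon2id → KEK, KEK wraps DEK, DEK encrypts the database) is an envelope-encryption scheme. The following is an added illustration written for this page, not ZYXmon's own code: it shows what a server record would hold after sign-up (salt, nonce and the wrapped DEK, never the DEK or password), and checks that a wrong password, a tampered record, or a record copied to another tenant all fail to unwrap. Assumed details that the policy does not state: the per-user salt and nonce sizes, the Argon2id cost parameters, the use of the tenant id as GCM associated data, and AES-256-GCM standing in for SQLCipher's page-level encryption. Argon2id comes from the argon2-cffi package; if it is not installed the block falls back to scrypt and says so in the record.

```python
"""Envelope encryption in the shape the policy describes: password -> KDF -> KEK,
KEK wraps a random DEK with AES-256-GCM, DEK encrypts the tenant's data.
Added example, not ZYXmon's code; parameters below are assumptions."""
import os
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.exceptions import InvalidTag

try:
    # Argon2id (argon2-cffi); cost parameters are an assumption, not ZYXmon's.
    from argon2.low_level import hash_secret_raw, Type

    def derive_kek(password: bytes, salt: bytes) -> bytes:
        return hash_secret_raw(password, salt, time_cost=3, memory_cost=64 * 1024,
                               parallelism=4, hash_len=32, type=Type.ID)
    KDF_NAME = "argon2id"
except ImportError:  # stand-in only, so the example still runs without argon2-cffi
    import hashlib

    def derive_kek(password: bytes, salt: bytes) -> bytes:
        return hashlib.scrypt(password, salt=salt, n=2 ** 14, r=8, p=1, dklen=32)
    KDF_NAME = "scrypt (stand-in for argon2id)"


def enroll(password: bytes, tenant_id: str) -> dict:
    """Record the server keeps at sign-up: it holds the *wrapped* DEK only."""
    salt = os.urandom(16)                         # per-user KDF salt (assumed size)
    dek = AESGCM.generate_key(bit_length=256)     # random per-tenant data key
    kek = derive_kek(password, salt)              # never stored, recomputed on login
    nonce = os.urandom(12)
    # Tenant id as associated data binds the wrapped key to this tenant's record.
    wrapped = AESGCM(kek).encrypt(nonce, dek, tenant_id.encode())
    return {"tenant": tenant_id, "kdf": KDF_NAME, "salt": salt,
            "nonce": nonce, "wrapped_dek": wrapped}


def unwrap_dek(record: dict, password: bytes) -> bytes:
    """Recover the DEK; raises InvalidTag on wrong password, tampering or wrong tenant."""
    kek = derive_kek(password, record["salt"])
    return AESGCM(kek).decrypt(record["nonce"], record["wrapped_dek"],
                               record["tenant"].encode())


def seal_portfolio(dek: bytes, plaintext: bytes) -> bytes:
    """Stand-in for SQLCipher: encrypt the tenant's database bytes under the DEK."""
    nonce = os.urandom(12)
    return nonce + AESGCM(dek).encrypt(nonce, plaintext, None)


def open_portfolio(dek: bytes, blob: bytes) -> bytes:
    return AESGCM(dek).decrypt(blob[:12], blob[12:], None)


def _unwrap_fails(record: dict, password: bytes) -> bool:
    try:
        unwrap_dek(record, password)
        return False
    except InvalidTag:
        return True


def demo() -> dict:
    password = b"correct horse battery staple"
    record = enroll(password, "tenant-0001")
    dek = unwrap_dek(record, password)
    # Constructed sample "database" contents.
    portfolio = b"AAPL,10,150.00\nMSFT,5,300.00\n"
    blob = seal_portfolio(dek, portfolio)
    results = {"roundtrip": open_portfolio(dek, blob) == portfolio}
    results["wrong_password_rejected"] = _unwrap_fails(record, b"wrong password")
    # Flip one ciphertext bit: GCM's tag check must reject the record.
    w = record["wrapped_dek"]
    tampered = dict(record, wrapped_dek=bytes([w[0] ^ 0x01]) + w[1:])
    results["tamper_detected"] = _unwrap_fails(tampered, password)
    # Same password, record relabelled to another tenant: AAD mismatch rejects it.
    relabelled = dict(record, tenant="tenant-0002")
    results["wrong_tenant_rejected"] = _unwrap_fails(relabelled, password)
    # The server-side record contains neither the DEK nor the password.
    results["dek_not_stored"] = dek not in record.values() and password not in record.values()
    return results


if __name__ == "__main__":
    print(demo())
```

The point a reader should take from the record returned by `enroll` is that every stored field is either public (tenant id, KDF name, salt, nonce) or unusable without the password (the wrapped DEK), which is what makes the password-based path zero-knowledge on the server side.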
What Is Shared vs. What Is Private
ZYXmon separates data into two categories:
Private (encrypted per-user)
- Portfolio positions & shares
- Transaction history
- Watchlist & alerts
- Investment theses & notes
Shared (anonymous, benefits all)
- Stock fundamentals & prices
- Technical analysis & fair value
- Dividend safety scores
- Exchange rates
Shared data is stock-level analysis that benefits the community. When any user adds a stock, the analysis is computed once and cached for everyone. No user is ever identified in shared data — it contains only market information, never portfolio compositions.
Third-Party Services & International Transfers
ZYXmon fetches market data from:
- Market data providers — stock prices, fundamentals, dividends, earnings. Only ticker symbols are sent (no personal data).
- Exchange rate providers — EUR-based exchange rates (European Central Bank data). No personal data is sent.
- Google OAuth — authentication only. We receive your name and email; Google does not receive your portfolio data.
Google OAuth involves data transfer to Google servers, which may include servers outside the EEA. Google operates under Standard Contractual Clauses (SCCs) approved by the European Commission for international data transfers. No personal data beyond authentication is shared with any third party.
We do not share, sell, rent, or transfer your personal data to any other third party.
Cookies, Tracking & Local Storage
ZYXmon uses zero tracking.
- No HTTP cookies.
- No analytics trackers (no Google Analytics, no Mixpanel, no Hotjar).
- No advertising networks or ad pixels.
- No third-party scripts that track behavior.
- No cross-site tracking or fingerprinting.
The Service uses browser localStorage to store strictly necessary data for functionality:
| Key | Purpose | Type |
|---|---|---|
| zyxmon_token | Authentication (JWT) | Strictly necessary |
| zyxmon_settings | Tax rates, goals, display preferences | Strictly necessary |
| theme | Dark/light mode | Strictly necessary |
| perspectives-config | Analysis display settings | Strictly necessary |
All stored data is strictly necessary for the Service to function and is exempt from consent requirements under the ePrivacy Directive (Art. 5(3)). No consent banner is needed because no optional or tracking storage is used. Data is stored only in your browser and is never sent to external services.
Automated Decision-Making (GDPR Art. 22)
ZYXmon uses automated algorithms and AI models to generate stock analysis, including technical indicators, fair value estimates, dividend safety scores, and investment context narratives. These outputs are informational only and do not constitute decisions that produce legal or similarly significant effects on you.
AI-generated content is labeled as such throughout the Service. All algorithmic outputs should be treated as one input among many in your own research process.
Your Rights (GDPR)
Under the EU General Data Protection Regulation, you have the right to:
- Access: View all your data through the application at any time. Every data point we store about you is visible in your portfolio, transactions, and settings.
- Export: Download your complete portfolio data as CSV or Excel via Settings → Export Portfolio. The export includes all positions, transactions, and dividends in a standard, machine-readable format.
- Rectification: Edit any incorrect data directly through the application (positions, transactions, notes).
- Deletion: Use “Delete All Data” in Settings to permanently erase all portfolio data. For full account deletion, contact us at legal@zyxmon.com — we will delete your encrypted database file and all associated records within 30 days.
- Portability: CSV/Excel export provides your data in standard formats that can be imported into other tools.
- Lodge a complaint: You have the right to lodge a complaint with the Spanish Data Protection Authority (AEPD — Agencia Española de Protección de Datos) at www.aepd.es, or with your local supervisory authority if you are in another EU member state.
Data Retention & Deletion
- Your data is retained for as long as your account exists.
- Inactive accounts with no login for 24 months may be scheduled for deletion after email notification.
- Upon account deletion, your encrypted database file is permanently destroyed. This action is irreversible — because we cannot decrypt your data, we cannot recover it.
- Shared stock analysis data (anonymous, not tied to any user) is retained indefinitely to benefit the community.
- Server logs containing request metadata are rotated and deleted after 30 days.
Security Measures
- Encryption at rest: Per-tenant AES-256-GCM via SQLCipher.
- Encryption in transit: All traffic served over HTTPS (TLS 1.3) via Caddy with automatic Let's Encrypt certificates.
- Authentication: JWT tokens with secure secret keys. Google OAuth 2.0 for passwordless login.
- Rate limiting: API rate limits prevent abuse and brute-force attacks.
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options, Content-Security-Policy configured via reverse proxy.
- No plain-text secrets: All sensitive configuration (JWT keys, API keys, database passwords) loaded from environment variables, never committed to code.
Data Protection Officer
Given the nature and scale of our data processing, the appointment of a Data Protection Officer is not required under GDPR Art. 37. For all data protection inquiries, contact us at legal@zyxmon.com. We respond to all privacy requests within 30 days.
Last updated: February 2026. Version 1.1. This policy is reviewed periodically and updated as needed. Material changes will be communicated to registered users.