Privacy Policy
Last updated: March 2026 · Version 3.0
1. Data Controller (Verwerkingsverantwoordelijke)
WealthPlannr B.V., registered in Amsterdam, the Netherlands (KvK: pending).
Contact: privacy@wealthplannr.nl
2. Purpose of Data Processing (Doeleinden)
Data is collected solely for generating your tax evidence reports, portfolio simulations, and financial planning outputs. We process data on the legal basis of contractual necessity (Art. 6(1)(b) GDPR) and, for analytics, legitimate interest (Art. 6(1)(f) GDPR).
3. Data Categories
| Category | Examples | Retention |
|---|---|---|
| Account data | Email, name, user ID | Until account deletion |
| Financial inputs | Asset values, dividends, debts | Until account deletion |
| AI-processed documents | Brokerage PDFs, CSVs | Zero retention (see §4) |
| Payment data | Stripe customer ID | Per Stripe retention policy |
| Technical logs | IP address, user agent | 30 days |
4. Zero-Retention AI Processing (Transient Processing)
Your financial documents are analyzed in memory by the AI to extract data and are immediately discarded. We do not store uploaded PDFs, CSVs, or their extracted text on any server or database.
- Documents are sent to the AI model via a secure API call and processed in memory only.
- Extracted structured data (JSON) is returned to your browser and exists only in your session.
- We do not use your financial data to train our AI models or the models of our sub-processors (Anthropic).
- Anthropic's commercial API terms guarantee that input data is not used for model training.
5. Sub-processors (Onderaannemers)
| Sub-processor | Purpose | Region |
|---|---|---|
| Supabase (AWS) | Database, authentication | EU-West (Frankfurt) |
| Anthropic | AI inference (document extraction) | US (no data retention) |
| Vercel | Application hosting | EU (Amsterdam) |
| Stripe | Payment processing | EU (Dublin) |
6. Data Residency
All personal account data (User ID, email, financial inputs) is stored on EU-based servers (Supabase Frankfurt region). AI inference calls to Anthropic use its commercial API, which guarantees zero data retention and no model training on input data.
7. Your Rights (Uw Rechten)
Under the GDPR/AVG, you have the right to:
- Access (Inzage): Request a copy of all personal data we hold.
- Rectification (Correctie): Correct inaccurate personal data.
- Erasure (Vergetelheid): Delete your entire account and all stored data with one click in Settings. This triggers an immediate purge of all stored values (“Right to be Forgotten”).
- Portability (Overdraagbaarheid): Export your data in a machine-readable format (CSV).
- Objection (Bezwaar): Object to processing based on legitimate interest.
- Complaint: File a complaint with the Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
To exercise any right, email privacy@wealthplannr.nl. We respond within 30 days.
8. Security Measures
- All data encrypted at rest (AES-256) and in transit (TLS 1.3).
- Row-Level Security (RLS) ensures tenant isolation in the database.
- API keys are stored server-side only and never exposed to the client.
- Supabase authentication with bcrypt password hashing.
9. Cookies
| Cookie | Purpose | Type |
|---|---|---|
| wp_state_v5 | App state (localStorage) | Functional |
| sb-*-auth-token | Supabase session | Functional |
| stripe_mid | Stripe fraud prevention | Necessary |
We do not use advertising or tracking cookies.
10. Data Breach Notification
In the event of a personal data breach, WealthPlannr will notify the Autoriteit Persoonsgegevens within 72 hours and affected users without undue delay, in accordance with Art. 33-34 GDPR.
11. Wwft Position
WealthPlannr is not a financial services firm within the meaning of the Wwft (Wet ter voorkoming van witwassen en financieren van terrorisme). We do not provide financial advice, manage assets, or facilitate transactions.