InvestmentBag
Get started

Privacy Policy

Last updated: June 5, 2026

This Privacy Policy explains what data InvestmentBag Holdings Ltd(“we”, “us”, “our”) collects when you use InvestmentBag (the “Service”), including our website and mobile applications, how we use it, and who we share it with. We built the Service for education and entertainment, and we aim to collect only what we need to run it well.

1. Data we collect

We collect the following, depending on how you use the Service:

  • Account data — your email address and, if you sign in with Google, your name and basic Google profile details.
  • Portfolio data you enter — your trades, holdings, cash entries, and portfolios.
  • Files you upload for AI import — broker exports, CSVs, pasted text, or screenshots you give to Ibby to process.
  • AI conversations — the questions you ask Ibby and the answers generated for you.
  • Payment data — when you buy credits, your payment is handled by Stripe. We receive limited details such as the status of the transaction, not your full card number.
  • Usage and technical data — basic logs, device/browser information, and error reports used to keep the Service working.

2. How we use your data

  • To provide the Service — track your portfolio, calculate gains and losses, and show your cash;
  • To power AI features — import your trades and answer your questions through Ibby;
  • To process credit purchases and prevent abuse;
  • To send you important account and transactional emails;
  • To monitor, debug, secure, and improve the Service.

We do not sell your data, and we do not share your trade history with anyone except the service providers below who help us run InvestmentBag.

3. AI processing

When you use Ibby, the relevant parts of your data — such as the file you upload or the question you ask, along with the portfolio figures needed to answer it — are sent to our AI providers (OpenAI and Anthropic) to generate a result. We send only what is needed for the feature you are using. These providers process the data only to return a response and, under our agreements with them, do not use it to train their models.

4. Service providers (sub-processors)

We rely on trusted third parties to operate the Service. Each receives only the data needed for its role:

  • Supabase — database and account storage.
  • Vercel — application hosting and delivery.
  • Google — optional sign-in (OAuth).
  • Stripe — payment processing for credit purchases.
  • OpenAI and Anthropic— AI that powers Ibby’s imports and answers.
  • Twelve Data — market price data.
  • Resend — transactional email delivery.
  • Sentry — error monitoring and diagnostics.

5. Cookies and similar technologies

We use only essential cookies and similar technologies that are necessary to sign you in, keep your session secure, and remember basic preferences. We do not use advertising cookies, and we do not sell your data or use it for cross-site tracking.

6. Data retention

We keep your data for as long as your account is active or as needed to provide the Service, comply with our legal obligations, resolve disputes, and enforce our agreements. When you delete your account, we delete or anonymise your personal data within 30 days, except where we must retain certain records longer to meet legal or tax obligations (for example, payment records).

7. Security

We use technical and organisational measures to protect your data, including encrypted connections and access controls. No method of transmission or storage is completely secure, so we cannot guarantee absolute security.

8. Your rights

Depending on where you live, you have rights over your personal data — including the right to access, correct, export, delete, or object to or restrict certain processing, and to withdraw consent where we rely on it. You can manage much of your data directly in the app, and you can contact us to exercise any of these rights. If you believe we have not handled your data properly, you may also complain to your local data protection authority.

9. International transfers

The service providers above may process your data in countries other than your own, including the United States. Where personal data is transferred across borders, we rely on appropriate safeguards — such as Standard Contractual Clauses or a provider’s adequacy certification — to keep it protected.

10. Children

InvestmentBag is not directed to children, and we do not knowingly collect personal data from anyone under the age required to use the Service. If you believe a child has provided us data, please contact us so we can remove it.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Last updated” date above and, for material changes, take reasonable steps to let you know.

12. Contact

Questions or privacy requests? Email us at [email protected].