Privacy Policy

Effective date: 15 June 2026

1. Who We Are

HWSW (“we”, “us”, “our”) operates the HWSW investment club platform and the Portledger personal portfolio tracker (together, “the Platform”). We are the data controller for the personal data described in this policy.

Contact us at hello@hwsw.app for any privacy-related queries.

2. What Data We Collect

2.1 Account data

When you register, we collect your name and email address. If you enable two-factor authentication we store a TOTP secret. We do not store passwords in plain text — all passwords are hashed.

2.2 Financial and portfolio data

To provide the service you choose to enter investment transactions, security holdings, capital contributions, bank account balances, and related financial records. This data is stored on your behalf and is used only to operate the Platform for you.

2.3 Imported documents and emails

If you use the statement import or email ingestion features, broker statements and transaction emails are processed to extract trade data. Email content and attachments are temporarily stored to complete parsing and are then retained only in extracted form (structured transaction records). Raw email bodies are deleted after processing unless you explicitly save them as documents.

2.4 Digital wallet addresses

If you connect a blockchain wallet, we store the public wallet address. We do not have access to private keys or seed phrases.

2.5 Usage and technical data

We collect standard server logs (IP address, browser type, pages visited, timestamps) to maintain security and diagnose issues. We do not use third-party analytics trackers.

2.6 Push notification tokens

If you opt in to browser push notifications, we store the push subscription endpoint issued by your browser. You can revoke this at any time in Settings.

2.7 Billing data

Subscription and payment processing is handled by Stripe. We store your Stripe customer ID and subscription status. We do not store card numbers or banking details.

3. How We Use Your Data

  • Providing the service — powering your portfolio, calculating NAV, generating tax reports, sending monthly reports.
  • Authentication and security — verifying your identity at login, enforcing two-factor authentication, detecting suspicious activity.
  • AI-assisted features — transaction data and portfolio snapshots are sent to Google (Gemini API) for report generation, portfolio insights, and document parsing. Private equity and fund documents are additionally processed by Anthropic (Claude API). These providers act as data processors on our behalf and are contractually prohibited from using your data to train their models.
  • Transactional email — sending invitations, monthly reports, and account notifications via Resend.
  • Billing — managing your subscription via Stripe.
  • Legal compliance — retaining records where required by applicable law.

We do not sell your data, share it with advertisers, or use it for any purpose unrelated to operating the Platform.

4. Legal Basis for Processing (UK GDPR)

We rely on the following legal bases:

  • Contract — processing necessary to deliver the service you signed up for (account data, portfolio data, billing).
  • Legitimate interests — security logging, fraud prevention, and product improvement.
  • Consent — push notifications and any optional features where we ask for your permission.
  • Legal obligation — where we are required to retain or disclose data by law.

5. Third-Party Sub-Processors

We share data with the following sub-processors, all bound by data processing agreements:

Provider            Purpose                                                               Location
Neon (PostgreSQL)   Primary database hosting                                              EU / US
Vercel              Application hosting and edge network                                  EU / US
Stripe              Subscription billing and payment processing                           US (SCCs)
Resend              Transactional email delivery                                          US (SCCs)
Google (Gemini)     AI report generation, portfolio insights, email and document parsing  US (SCCs)
Anthropic (Claude)  AI parsing of private equity and fund documents                       US (SCCs)
CoinGecko           Digital asset price data (public API, no PII sent)                    SG

SCCs = Standard Contractual Clauses under UK GDPR / EU GDPR for transfers to third countries.

6. Data Retention

We retain your account and portfolio data for as long as your account is active. If you close your account, we delete your personal data within 30 days, except where we are required to retain it for longer by law (e.g. financial records for tax or audit purposes, which may be retained for up to 7 years).

Server access logs are retained for 90 days. Email content processed through the inbox feature is deleted within 7 days of processing unless explicitly saved.

7. Cookies

We use only essential session cookies required to keep you logged in (next-auth.session-token, g-fund). We do not use advertising cookies or any third-party tracking cookies. You cannot opt out of session cookies without losing the ability to use the Platform.

8. Your Rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — request deletion of your data (“right to be forgotten”).
  • Portability — receive your data in a structured, machine-readable format.
  • Restriction — ask us to limit processing in certain circumstances.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email us at hello@hwsw.app. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

9. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to production data is restricted to authorised personnel only. We use JWT-based sessions with short expiry windows. Two-factor authentication (TOTP) is available and encouraged for all accounts.

If you discover a security vulnerability, please report it responsibly to hello@hwsw.app before any public disclosure.

10. Children

The Platform is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has registered, please contact us and we will delete their account promptly.

11. Changes to This Policy

We may update this policy from time to time. Where changes are material, we will notify you by email or via an in-app notice at least 14 days before they take effect. The effective date at the top of this page always reflects the current version.

12. Contact

Questions or requests regarding this policy: hello@hwsw.app

See also our Terms of Service.
