Privacy Policy
Last updated:
1. Controller and scope
This Privacy Policy explains how Taufolio collects, uses, stores, and otherwise processes personal data when you use the Taufolio website, application, reports, public share links, billing flows, and related support channels.
The controller of your personal data is:
- Jacek Janczura
- Adama Mickiewicza 73, 01-625 Warszawa, Poland
- Email: support@taufolio.com
- NIP: 5253008276
- VAT EU: PL5253008276
- REGON: 528998136
In this Privacy Policy, "Taufolio", "we", "us", and "our" refer to the controller named above.
2. What Taufolio does
Taufolio is a software service that helps users generate AI-assisted equity research materials, including deep research reports, short recap reports, earnings call analysis, translations, and related portfolio and share-link features.
Taufolio provides informational software outputs only. It does not provide investment, financial, legal, or tax advice, and its output may contain inaccuracies, omissions, stale information, or model hallucinations.
3. Personal data we process
Depending on how you use Taufolio, we may process the following categories of personal data:
Account and profile data
- name
- email address
- authentication identifiers
- avatar or profile information you choose to provide
Authentication, session, and device-related data
- login and account security metadata
- session identifiers
- browser and device metadata
- IP address and related security logs
Workspace and product-usage data
- workspace membership and role data
- settings and feature preferences
- report requests and usage history
- billing- and credit-related usage records
Portfolio and watchlist data
- tickers you track
- holdings and watchlist entries
- report preferences associated with those tickers
Billing and transaction data
- subscription plan details
- billing status
- invoices and payment-related metadata
- checkout and top-up records
We do not intentionally store full payment card details ourselves. Payments are processed by external payment providers such as Stripe.
Uploaded content and generated outputs
- earnings transcripts
- files or documents you upload
- report payloads and translations generated for your account or workspace
- public share-link content you choose to publish
Communications and support data
- support requests
- messages you send to us
- operational emails and service notices
Security, audit, and abuse-prevention data
- security events
- administrative logs
- cost-control and abuse-monitoring signals
- records needed to investigate misuse, errors, or fraud
4. Sources of personal data
We collect personal data:
- directly from you
- from your use of Taufolio
- from authentication, payment, hosting, AI, market-data, email, and infrastructure providers that help us operate the service
Providing personal data is generally voluntary, but some data is required to create an account, verify identity, or process payments. Without it, we cannot provide those features.
5. Why we process personal data and legal bases
We process personal data for the following purposes and legal bases under the GDPR:
To provide and operate Taufolio
This includes account creation, authentication, report generation, portfolio features, subscriptions, credits, support, and service delivery.
- Legal basis: performance of a contract or steps taken at your request before entering into a contract
To manage billing, payments, and accounting
This includes subscription management, invoicing, fraud checks, charge handling, and accounting records.
- Legal basis: performance of a contract and compliance with legal obligations
To secure the service and prevent abuse
This includes authentication security, rate limiting, fraud detection, incident investigation, cost controls, and protection of our systems, users, and business.
- Legal basis: legitimate interests in securing and operating the service, and where applicable compliance with legal obligations
To improve and maintain the service
This includes debugging, troubleshooting, internal diagnostics, availability management, and operational improvement.
- Legal basis: legitimate interests in maintaining and improving the service
To communicate with you
This includes transactional emails, account notices, support replies, legal notices, and other service communications.
- Legal basis: performance of a contract, legitimate interests, and where required by law, your consent
To comply with legal obligations
This includes tax, accounting, anti-fraud, consumer-protection, and other legal obligations that apply to our business.
- Legal basis: compliance with legal obligations
Where consent is specifically required
If a particular processing activity requires consent under applicable law, we will rely on consent for that activity.
- Legal basis: consent
Automated decision-making
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects under Article 22 GDPR.
6. Cookies and similar technologies
Taufolio uses cookies and similar storage technologies that are necessary to operate the service, including for:
- authentication
- session continuity
- security
- billing-related flows
- user preferences
- basic service functionality
Because these technologies are used to deliver and secure the service, blocking them may affect functionality.
In addition, Taufolio uses PostHog for product analytics, session replay (logged-in users only), frontend error tracking, and web-vitals monitoring. PostHog is loaded only after you grant analytics consent through the cookie banner. See section 6a (Product analytics and session replay) for the full disclosure and the Cookie Policy for the specific cookies used and how to withdraw consent.
6a. Product analytics and session replay (PostHog)
To improve Taufolio, diagnose problems, and understand how users interact with the product, Taufolio uses PostHog as its analytics and observability platform. PostHog acts as a data processor on our behalf and processes data in the European Union region (eu.i.posthog.com). PostHog is only activated after you grant analytics consent through the cookie banner; it stays disabled otherwise and you can withdraw consent at any time via "Manage cookies" in the footer.
What PostHog collects
For all consented visitors (anonymous and logged-in):
- Usage events — clicks and actions you take in the product (for example: opening a report, starting a chat, upgrading a plan).
- Pageviews and pageleaves — the URLs you visit on the site and in the app, with timestamps.
- Heatmaps — aggregated click positions on a page (no individual cursor recording for anonymous visitors).
- Paths — sequences of pages visited within a session, to understand navigation flows.
- Frontend exceptions — JavaScript errors that occur in your browser, including stack traces and the URL where the error occurred, so we can debug and fix bugs.
- Web vitals — performance measurements such as Largest Contentful Paint and Cumulative Layout Shift, to monitor page speed.
- Technical context — browser type and version, operating system, device type, screen size, language, referrer, country (derived from IP at ingestion; the raw IP is not stored long-term), and a random PostHog-issued visitor ID stored in the ph_* cookies described in the Cookie Policy.
For logged-in users only:
- Session replay — a reconstructed video-like playback of your interactions with the app (mouse movement, clicks, scrolling, typed input in non-sensitive fields). Replay is disabled for anonymous visitors and is masked by default for any input field marked as sensitive (passwords, payment fields). Replay is used to diagnose specific bugs and usability problems for paying or registered users.
- Identify call — when you log in, we associate your PostHog visitor ID with your account using your email address and name so we can join analytics data to your account when investigating support issues or quality regressions.
Taufolio does not send any Stripe, billing, payment, or subscription data to PostHog. PostHog receives only the product analytics, pageview, heatmap, session-replay, frontend-error, and web-vitals data described above; revenue and subscription reporting is kept in Stripe and our own systems, never in PostHog.
What PostHog does NOT collect
- Your password, payment card details, or any other secret credential.
- The body of your portfolio holdings or watchlist beyond the ticker-level pageviews already required to render those pages.
- AI provider prompts or responses (PostHog is not used as an LLM observability backend for this service).
Legal basis
- Analytics, session replay, heatmaps, frontend error tracking, and web vitals are processed on the basis of your consent (Article 6(1)(a) GDPR and Article 5(3) of the ePrivacy Directive as implemented in Polish law). They run only while consent is in effect.
- Operational logs that are strictly necessary to run the service (for example: error logs needed to investigate an incident you reported) may, where applicable, be processed under our legitimate interests (Article 6(1)(f) GDPR), independently of PostHog.
Processor
- PostHog Inc. (acting as our data processor under a Data Processing Agreement), processing data in the EU region.
How to withdraw
You can withdraw analytics consent at any time:
- Click "Manage cookies" in the site footer to reopen the consent preferences and toggle the Analytics category off.
- When you withdraw, Taufolio stops loading PostHog and instructs PostHog to drop any further events from your browser. Events collected before withdrawal remain subject to the retention schedule in section 10.
7. When we share personal data
We may share personal data where necessary with service providers and partners that help us operate Taufolio, including categories such as:
- authentication providers, including Clerk
- payment providers, including Stripe
- database and infrastructure providers, including Supabase
- hosting, storage, and delivery providers
- email and notification providers
- product analytics, session replay, error tracking, and web vitals providers, currently PostHog (EU region) — see section 6a
- AI and model providers used to generate, translate, or process report content (currently OpenRouter, Google Cloud Vertex AI, OpenAI, AWS Bedrock, and Microsoft Azure, and additional providers we may add or remove from time to time). These providers act as processors and are subject to confidentiality obligations. Where supported by the relevant provider and configured by Taufolio, we use enterprise/API settings designed to prevent customer content from being used to train provider models. Importantly, Taufolio sends only public information about the analyzed companies and instruments to AI providers — see section 8 (Scope of AI processing) for details.
- market-data and financial-information providers
- professional advisers, auditors, insurers, and legal counsel
We may also disclose personal data:
- if required by law, court order, or competent authority
- to establish, exercise, or defend legal claims
- in connection with a business reorganization, transfer, or sale
We do not sell your personal data in the ordinary meaning of that term.
8. Scope of AI processing
Taufolio's AI providers (currently OpenRouter, Google Cloud Vertex AI, OpenAI, AWS Bedrock, and Microsoft Azure) process only public information about the companies and instruments being analyzed, such as filings, transcripts, market data, and similar public sources.
The following categories of personal data are not transmitted to AI providers:
- account and profile data
- authentication, session, and device-related data
- workspace and product-usage data
- portfolio holdings and watchlist entries
- billing and transaction data
- communications and support data
- security, audit, and abuse-prevention data
Portfolio, watchlist, and holdings features are used only to organize and route research outputs locally within Taufolio. Because no personal financial circumstances are sent to the AI engine, AI outputs are not produced on the basis of your personal situation and do not constitute investment advice or a personal recommendation under applicable law.
If we ever change this scope (for example, by introducing a feature that intentionally sends personal data to an AI provider), we will update this Privacy Policy and, where required, obtain your consent or otherwise establish a lawful basis before doing so.
9. International data transfers
Some of our service providers may process personal data outside the European Economic Area.
Where personal data is transferred outside the EEA (e.g. to US-based AI or infrastructure providers), we aim to use an appropriate lawful transfer mechanism and suitable safeguards, such as:
- EU adequacy decisions (such as the EU-US Data Privacy Framework)
- standard contractual clauses
- supplementary contractual, technical, or organizational measures where appropriate
10. How long we keep personal data
We keep personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, including:
- to provide the service
- to maintain account history and purchased entitlements
- to satisfy legal, tax, accounting, or reporting obligations
- to resolve disputes
- to enforce our agreements
- to investigate misuse, fraud, or security incidents
Specific retention periods
The following categories are retained on fixed schedules enforced by automated jobs or by our contractual obligations:
- Raw earnings-call transcripts and uploaded transcript files: deleted from storage 90 days after creation by an automated retention job. The extracted text used to generate reports may be kept for as long as the resulting report is retained, so we do not need to keep the raw file.
- Upload audit events (records of when and by whom a transcript or file was uploaded): deleted 90 days after creation by the same automated retention job.
- Account and workspace data (profile, membership, settings): kept for the life of the account and for a reasonable period after account closure to complete deletion, resolve disputes, and meet legal obligations.
- Generated reports and portfolio data: kept while your account or the relevant workspace remains active, or until you delete the item, whichever is sooner. On account closure, they are removed subject to any legal hold.
- Billing, invoicing, and accounting records: kept for the period required by applicable tax and accounting law (which in Poland is typically 5 years from the end of the relevant accounting year).
- Security, audit, and abuse-prevention logs: kept only for as long as necessary to investigate and respond to incidents and misuse, and for related legal or regulatory purposes.
Other categories are retained only for as long as reasonably necessary for the purposes described above, taking into account applicable legal, tax, accounting, and security obligations.
11. Public share links
Taufolio allows users to publish certain report outputs via public share links. If you choose to publish a report through a public share link, the content of that shared report may become accessible to anyone who has the link.
Please do not publish confidential, sensitive, or personal data through public share links unless you are comfortable making that content available in that way.
12. Your GDPR rights
Subject to applicable law and any relevant limitations, you have the following rights in relation to your personal data:
- Right of access (Article 15 GDPR): obtain confirmation of whether we process personal data about you and, if so, a copy of that data and related information.
- Right to rectification (Article 16 GDPR): request that we correct inaccurate personal data or complete incomplete data.
- Right to erasure / "right to be forgotten" (Article 17 GDPR): request that we delete personal data in the cases set out in the GDPR.
- Right to restriction of processing (Article 18 GDPR): request that we limit how we process your data in certain circumstances.
- Right to data portability (Article 20 GDPR): receive personal data you provided to us in a structured, commonly used, machine-readable format, and transmit it to another controller where technically feasible.
- Right to object (Article 21 GDPR): object to processing based on our legitimate interests, including profiling, where applicable.
- Right to withdraw consent (Article 7(3) GDPR): where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing before withdrawal.
- Right to lodge a complaint with a supervisory authority (Article 77 GDPR): file a complaint with your local data protection authority.
To exercise any of these rights, contact us at support@taufolio.com. We may need to verify your identity before acting on a request, and we will respond within the time period required by applicable law.
If you are in Poland, you may also lodge a complaint with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych, UODO). Official contact information is available from UODO at https://uodo.gov.pl/.
13. Data security
We use reasonable technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or destruction.
However, no method of storage, transmission, or security control is completely secure. For that reason, we cannot guarantee absolute security.
14. Children's data
Taufolio is not intended for children, and we do not knowingly provide the service to children who are not legally capable of entering into the relevant contract under applicable law.
15. Third-party services and external websites
Taufolio may link to third-party websites, documents, market-data sources, or tools. We are not responsible for the privacy practices of those third parties.
15a. Affiliate / promo-code attribution
If you sign up to Taufolio after clicking a partner referral link or entering a promo code from one of our affiliate partners (see the Affiliate Program Terms), we record the promo code that was applied so we can pay the partner the agreed commission. Affiliate partners do not receive any personal data about referred users — they see only aggregate counts (e.g. number of signups, number of paid conversions, total commissionable revenue generated by their code) via their partner dashboard. The promo code itself is associated with your subscription record for the duration of the commission relationship and is retained as part of our billing records under section 10 (How long we keep personal data).
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to the service, applicable law, or our processing practices. When we do, we will update the "Last updated" date on this page and may provide additional notice where appropriate.
17. Contact
If you have questions about this Privacy Policy or our processing of personal data, contact:
- Email: support@taufolio.com
- Postal address: Jacek Janczura, Adama Mickiewicza 73, 01-625 Warszawa, Poland