PopaDex Privacy Policy | PopaDex

Privacy Policy

Effective: 15 January 2026 · Version: 3.0

Privacy Summary

  • We never sell your data — Your financial information is yours alone
  • End-to-end encryption — 256-bit AES encryption protects all data
  • Read-only bank access — We can view accounts but never make transactions
  • GDPR & UK GDPR compliant — Full data subject rights honoured
  • Delete anytime — Export your data or request complete deletion

1. Introduction

PopaDex ("we," "us," or "our") is a sole trader business operating from Switzerland, committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our wealth management platform at popadex.com and our mobile applications.

We operate from Switzerland and adhere to Swiss privacy standards. For users in the European Economic Area (EEA) and United Kingdom, we also comply with the General Data Protection Regulation (GDPR) and UK GDPR respectively.

Questions? Contact us at [email protected]

2. Data Controller

PopaDex

Sole Trader · Operating from Switzerland
Email: [email protected]
Website: popadex.com

3. Information We Collect

3.1 Information You Provide

Category | Data Types | Purpose
Account Data | Email, password (hashed), name, country | Account creation, authentication, communications
Financial Data | Manually entered accounts, balances, assets, liabilities | Net worth calculation, financial tracking
Connected Bank Data | Account names, balances, transactions (via Plaid/GoCardless) | Automated account aggregation
Preferences | Currency, language, notification settings | Personalisation
Support Data | Messages, feedback, support requests | Customer service, product improvement

3.2 Automatically Collected Data

  • Device Information: Browser type, operating system, device identifiers
  • Usage Data: Features used, pages visited, time spent
  • Log Data: IP address, access times, error logs
  • Cookies: Session tokens, preferences (see Section 8)

3.3 Data We Do NOT Collect

  • Bank login credentials (handled by Plaid/GoCardless)
  • Social security numbers or government IDs
  • Credit card numbers (payments via Stripe)
  • Data from minors under 16

4. Legal Basis for Processing (GDPR)

We process your data based on the following legal grounds:

Contract Performance (Art. 6(1)(b) GDPR)

To provide our wealth management services as agreed

Consent (Art. 6(1)(a) GDPR)

For marketing communications and optional features

Legitimate Interests (Art. 6(1)(f) GDPR)

For security, fraud prevention, and product improvement

Legal Obligation (Art. 6(1)(c) GDPR)

To comply with applicable laws and regulations

5. How We Use Your Data

We Use Data To:

  • Provide wealth tracking services
  • Aggregate and display your accounts
  • Calculate net worth and FIRE projections
  • Send important service updates
  • Improve our product and fix bugs
  • Prevent fraud and security threats
  • Comply with legal obligations

We Never:

  • Sell your personal data
  • Share data with advertisers
  • Use data for AI training without consent
  • Access your bank accounts to transact
  • Share detailed finances with third parties
  • Store data longer than necessary

6. Data Sharing & Third Parties

We share data only with essential service providers under strict contracts:

Provider | Purpose | Data Shared
Plaid (US) | Bank connections | Authorisation tokens only
GoCardless (EU) | Bank connections | Authorisation tokens only
Stripe | Payment processing | Billing email, payment method
AWS (Frankfurt) | Cloud hosting | Encrypted data storage
Google Analytics | Website analytics | Anonymised usage data

All providers are bound by Data Processing Agreements (DPAs) and use Standard Contractual Clauses (SCCs) for international transfers where applicable.

7. International Data Transfers

Your data is primarily stored in the EU (AWS Frankfurt). When transfers outside the EEA are necessary, we ensure protection through:

  • EU-US Data Privacy Framework (for US providers)
  • Standard Contractual Clauses (SCCs)
  • UK International Data Transfer Agreement (IDTA) for UK transfers
  • Swiss-US Privacy Shield principles

8. Cookies & Tracking

Essential Cookies

Required for the service to function:

  • Session authentication
  • Security tokens (CSRF protection)
  • User preferences (language, currency)

Analytics Cookies (Optional)

Help us improve the service:

  • Google Analytics (anonymised IP)
  • Performance monitoring

You can manage cookie preferences in your browser settings or use our cookie consent banner.

9. Data Security

We implement industry-leading security measures:

Encryption

  • AES-256 encryption at rest
  • TLS 1.3 in transit
  • Argon2id password hashing

Access Controls

  • Two-factor authentication
  • Role-based access (staff)
  • Regular security audits

Infrastructure

  • SOC 2 compliant hosting
  • Automated backups
  • DDoS protection

Monitoring

  • 24/7 threat detection
  • Intrusion prevention
  • Anomaly alerts

10. Data Retention

Data Type | Retention Period
Active account data | Duration of account + 30 days
Deleted account data | 30 days (recovery period), then purged
Transaction history | Duration of account
Billing records | 7 years (legal requirement)
Security logs | 90 days
Support correspondence | 3 years or until resolved

11. Your Rights

Under GDPR, UK GDPR, and other applicable laws, you have the right to:

  1. Access: Request a copy of all personal data we hold about you
  2. Rectification: Correct inaccurate or incomplete data
  3. Erasure ("Right to be Forgotten"): Request deletion of your data (subject to legal obligations)
  4. Restriction: Limit how we process your data
  5. Portability: Export your data in a machine-readable format (JSON, CSV)
  6. Object: Object to processing based on legitimate interests
  7. Withdraw Consent: Withdraw consent for optional processing at any time

How to Exercise Your Rights

  • In-app: Settings → Privacy → Data Management
  • Email: [email protected]
  • Response time: Within 30 days

12. Children's Privacy

PopaDex is not intended for users under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us immediately at [email protected] and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy periodically. We will notify you of material changes via:

  • Email notification (for significant changes)
  • In-app notification
  • Updated "Effective" date at the top of this page

14. Contact & Complaints

Contact Us

Privacy Enquiries
Email: [email protected]
Response: Within 5 business days

Supervisory Authority

You have the right to lodge a complaint with:
  • Your local data protection authority
  • UK ICO (United Kingdom)