Legal
Privacy Policy
Effective from May 8, 2026 · Last updated May 8, 2026
1. Who we are
The wlthy service (the "Service") is operated from Malta ("we", "us", "our").
Data controller
wlthy · Malta
Privacy contact: [email protected]
This Policy explains how we collect, use, share, and protect personal data when you visit wlthy.io (and any associated subdomain), create an account, or use the Service.
2. What we collect
We collect only the data we need to deliver the Service.
- Account information — your name, email address, and hashed password. If you enable two-factor authentication, we also store the secret needed to verify your codes (we never see the codes themselves).
- Portfolio data — the assets, debts, scheduled flows, partners, and notes you choose to track in the Service. This is your data, not ours; we hold it on your behalf.
- Billing data — when you subscribe, Stripe processes your payment and shares with us only the data we need to keep your account active (subscription status, plan, billing period). We never see or store your full card number.
- Technical data — IP address, user agent, request timestamps, and crash diagnostics. Used for security, fraud prevention, and reliability — never sold.
- Audit log — every meaningful change in your account (asset created, partner invited, subscription updated) is recorded so you can review the history. This log is append-only and scoped to your account.
- Acquisition attribution — when you first land on wlthy.io, we capture the campaign parameters in the URL (utm_source, utm_medium, utm_campaign, utm_term, utm_content, Google Ads gclid) plus the page you landed on. These are non-personal marketing tags, stored in your browser’s localStorage as a single first-party entry (wlthy_attribution_v1) and shipped to our backend at signup so we know which campaign brought you in. We never share this with the source advertiser; it is used only internally to measure which campaigns produce real customers. No cookies are written. You can clear it at any time by deleting site data in your browser.
3. How we use it
- To provide, secure, and improve the Service.
- To bill you and reconcile subscription state with our payment processor.
- To send transactional emails (verification, password reset, partner invitation, billing receipts). We do not send marketing without explicit, separate consent.
- To detect, prevent, and respond to abuse and fraud.
- To comply with our legal obligations.
- What we never do: sell your personal data, share portfolio holdings with third parties for advertising, or train AI models on your data without explicit opt-in.
4. Legal basis (GDPR)
We rely on the following lawful bases under the EU General Data Protection Regulation:
- Performance of a contract (Art. 6(1)(b)) for account creation, service delivery, and billing.
- Legitimate interests (Art. 6(1)(f)) for security monitoring, fraud detection, and product improvement — balanced against your rights and freedoms.
- Consent (Art. 6(1)(a)) for any optional features such as marketing emails or third-party AI agent access via our MCP API.
- Legal obligation (Art. 6(1)(c)) for tax, anti-money-laundering, and other statutory record-keeping.
5. Sharing & processors
We share data only with sub-processors that help us run the Service, all bound by data processing agreements:
- Stripe Payments Europe Ltd. — payment processing & subscription management.
- Hetzner Online GmbH (Germany) — server hosting, primary data location for the production database.
- Cloudflare, Inc. — DNS & DDoS mitigation. No user content traverses Cloudflare unencrypted.
- Resend (Resend, Inc., USA; EU sending region) — transactional email delivery. Only the recipient address + email body are shared at send time. The mail domain (wlthy.one) is separate from the web domain (wlthy.io) by design so reputation on either can be rotated without touching the other.
- Sentry — crash diagnostics, with PII scrubbing.
- PostHog (EU) — product + revenue analytics. Hosted on eu.i.posthog.com; data never leaves the European Union. Two flows reach PostHog: (a) opt-in client-side events when you accept the analytics consent (described under §10 below), and (b) server-side revenue events (trial started, paid upgrade, subscription churned) fired from our Stripe webhook handler regardless of consent state — those three events are the load-bearing signal for our billing analytics and we treat them as legitimate-interest processing under GDPR Art. 6(1)(f). No portfolio holdings or asset values reach PostHog under either flow.
We do not share your data with advertisers, data brokers, or social networks.
6. International transfers
Your data is hosted in the European Union (Germany). When a sub-processor operates outside the EEA (e.g. Stripe's US affiliates), we rely on the European Commission's Standard Contractual Clauses or equivalent safeguards. Copies of those agreements are available on request.
7. Data retention
We retain your data for as long as your account is active. After you delete the account:
- 30-day cooldown: data is soft-deleted and recoverable. You can cancel deletion any time during this window.
- After 30 days: personal data is permanently erased from our production database and primary backups within 90 days, except where law requires longer retention (typically billing records — held for the period mandated by the Income Tax Act of Malta).
- Audit log: retained for 12 months from the date of each event for security forensics, then irreversibly anonymised.
8. Security
We apply defense-in-depth measures appropriate to a financial application:
- TLS 1.3 in transit (HSTS preloaded).
- AES-256 encryption at rest for the production database.
- Argon2id password hashing with per-user salt, optional TOTP two-factor authentication.
- Append-only audit log scoped per account.
- Principle of least privilege: support staff cannot view portfolio data without an explicit user-initiated audit ticket.
- Daily encrypted off-site backups; quarterly restore drills.
- Public security disclosure address: [email protected]. PGP key on request.
9. Your rights (GDPR)
As a data subject under the GDPR you have the right to:
- Access the personal data we hold about you.
- Rectification of inaccurate or incomplete data.
- Erasure ("right to be forgotten") — Settings › Security › Delete account triggers this in-product.
- Restriction of processing in specific circumstances.
- Portability — export your portfolio as CSV any time from Settings › Data.
- Objection to processing based on legitimate interests.
- Withdraw any consent you previously gave, without affecting the lawfulness of prior processing.
- Lodge a complaint with your local supervisory authority — for users in Malta, the Office of the Information and Data Protection Commissioner (IDPC).
Email [email protected] to exercise any of these rights. We respond within 30 days.
10. Cookies and similar technologies
wlthy uses cookies and similar browser technologies in three categories. Two of them are optional and off by default — you choose what runs.
Necessary
Required to deliver the Service: keeping you signed in, remembering your interface preferences, protecting against fraud, and routing requests. The Service does not function without these. They are not used for advertising or cross-site tracking, and there is no opt-out.
Also in this category is a single first-party localStorage entry (wlthy_attribution_v1) that records which campaign first sent you to wlthy.io (see §2 “Acquisition attribution”). It contains no personal data — just the marketing tags from the URL of your first visit — and is read once at signup to attribute the conversion. We treat this as necessary because it is the only way to measure whether our marketing spend produces real customers; it does not load any third-party code and does not enable cross-site tracking.
Analytics (opt-in)
When you opt in, we use PostHog in your browser to understand which features people use, where they get stuck, and what is broken. PostHog is hosted in the European Union, IP addresses are anonymized, and the configuration captures only the specific events we explicitly send — there is no automatic page-by-page or click-by-click recording. We do not share analytics data with any advertising network. A second, server-side flow to the same PostHog project fires three revenue events (trial started, paid upgrade, subscription churned) from our Stripe webhook regardless of this consent state; it carries the campaign tags from your first visit plus the plan and amount — never your email, name, or portfolio. See §5 for the legal basis.
Marketing (opt-in)
We use Google Tag Manager as our tag delivery surface for the conversion measurement pixels we run with advertising platforms (currently Google Ads; potentially Meta and LinkedIn in the future). The Tag Manager container loads on every visit so it can serve a few non-personal functions (e.g. standardised conversion modeling that requires no storage), but the individual marketing and advertising tags inside the container are gated by Google’s Consent Mode v2: unless you opt in to the Marketing category, ad_storage, ad_user_data, ad_personalization and analytics_storage all stay set to denied and no advertising pixel writes a cookie or sends a personal identifier. Opting in upgrades those signals to granted and the configured tags fire.
When the configured tags fire after opt-in, they send the following to Google Ads: the campaign tags from your first visit (UTM parameters and the Google click identifier, if any), the plan you chose, its price in EUR, and an anonymous identifier tied to the cookie Google sets on your browser. We additionally enable Google’s Enhanced Conversions feature on the Trial Started conversion: when you complete the signup form, the Google tag reads your email address from the form, hashes it on your device using SHA-256 (a one-way function — the original email cannot be recovered), and sends only that hash to Google Ads. Google uses the hash to match the conversion to the same hashed email Google holds for a logged-in Google user, so attribution remains accurate even when third-party cookies are blocked. We never send your name, your portfolio values, your asset list, or any other financial detail through this layer; the plaintext email never leaves your browser. You can turn this off at any time by declining the Marketing category in Settings → Privacy — consent is required and the tag stays disabled until you give it.
Your control
On your first visit, you will see a consent banner with three choices: accept all, decline all, or customize. You can change your choices at any time from Settings → Privacy. Declining analytics or marketing cookies does not restrict your use of the Service in any way. We record your choices (timestamp and selection) so we can honor them on future visits.
What we do not use
We do not use Facebook Pixel, Hotjar, session recording, or fingerprinting tools. Analytics and marketing cookies, when enabled, are limited strictly to the purposes described above.
11. Children
The Service is not directed at people under 18. We do not knowingly collect data from minors. If you believe a minor has registered, email us and we will delete the account.
12. Changes to this policy
When we make material changes we email registered users at least 30 days before the change takes effect, and we publish the prior version alongside the new one for your reference.
13. Contact
Privacy questions: [email protected].
wlthy is operated from Malta.
See also our Terms of Service.