Privacy Policy

Last updated: 2026-04-11

TL;DR

CompoundVision is a financial calculator application. Our free tier runs entirely in your browser — nothing you enter is transmitted to our servers. Our Pro tier optionally syncs your portfolio across devices via an end-to-end encrypted blob (we cannot read your data). Pro subscriptions are sold by CompoundVision and payments are processed via Stripe. Ads are shown on free pages and managed by Google's Consent Management Platform for EEA/UK/CH/California users.

1. Data Controller

The site compoundvision.app is operated by an independent developer. For any privacy inquiry, GDPR request, or data deletion, email support@compoundvision.app. We respond within 48 hours (typically under 24h for Pro subscribers).

2. Free tier: what data stays on your device

We never collect on our servers (free tier):

  • Inputs, outputs, or results from any calculator (compound interest, mortgage, DCA, FIRE, crypto profit, impermanent loss, etc.) — all computed client-side in JavaScript.
  • Charts you generate (Chart.js renders them locally from your inputs).

Stored on your device only:

  • cv-theme — your selected color theme (ocean-blue, warm-amber, etc.).
  • cv-locale — your language preference (en/es).
  • Your cookie consent choice, stored by Google's CMP.

3. Pro tier: what data we process on servers

When you purchase a Pro license and enable sync, the following occurs. Current pricing is always shown on the Pro page.

  • Client-side encryption: your portfolio data (holdings, transactions, expenses, real estate, etc.) is encrypted in your browser with AES-256-GCM using a key derived from your license key via PBKDF2 (310,000 iterations). The server only ever sees an opaque ciphertext blob — we cannot decrypt it.
  • Encrypted blob storage: we store the encrypted blob on Cloudflare R2 (object storage). The blob is keyed by SHA-256 of your license key. Only a device with your license key can decrypt it.
  • License records: your license key and associated metadata (Stripe customer ID, subscription ID, status, plan, creation date) are stored on Cloudflare KV. This is required to verify your Pro access and honor chargebacks/cancellations.
  • License key: stored in localStorage on your device; verified against our server via the /api/verify endpoint.
  • Email (optional): if you opt in to email recovery during checkout, we store a keyed hash of your email address (HMAC-SHA256 with a server-side secret pepper) on Cloudflare KV, mapped to your license key(s). This is GDPR-compliant pseudonymization: if our KV store is ever accessed without the separate server-side secret, your email cannot be recovered via dictionary attacks or rainbow tables. The plaintext email is used only transiently — at checkout time to deliver your license key, and at recovery time to send your license back to the email you provide — and is never persisted. You can request deletion of this mapping at any time (see Section 8).
  • No ads on Pro pages: Pro users don't see ads, and Google AdSense is not loaded on Pro tool pages.
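
The keyed email hash described in the list above, as an added illustration that is not CompoundVision's own code. It contrasts a plain SHA-256 digest with HMAC-SHA256 under a server-side pepper; the function names, the lowercase/trim normalization, the in-memory dict standing in for KV, and the sample addresses are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample data; none of these values come from the service.
PEPPER = secrets.token_bytes(32)  # server-side secret, held outside the KV store
CANDIDATES = ["alice@example.com", "bob@example.com", "carol@example.com"]


def normalize(email: str) -> bytes:
    """Assumed normalization: trim and lowercase so lookups are stable."""
    return email.strip().lower().encode("utf-8")


def unkeyed_digest(email: str) -> str:
    """Plain SHA-256: anyone can recompute it for a guessed address."""
    return hashlib.sha256(normalize(email)).hexdigest()


def keyed_digest(email: str, pepper: bytes) -> str:
    """HMAC-SHA256 under the pepper: recomputing it requires the secret."""
    return hmac.new(pepper, normalize(email), hashlib.sha256).hexdigest()


def dictionary_attack(stored: str, guesses, digest_fn):
    """Model a party who holds a stored digest and a list of likely addresses."""
    for guess in guesses:
        if hmac.compare_digest(digest_fn(guess), stored):
            return guess
    return None


def recovery_lookup(kv: dict, email: str, pepper: bytes):
    """Server-side recovery: hash the submitted address, return mapped license keys."""
    return kv.get(keyed_digest(email, pepper), [])


if __name__ == "__main__":
    stored = keyed_digest("Alice@Example.com", PEPPER)
    kv = {stored: ["LICENSE-KEY-PLACEHOLDER"]}  # hypothetical KV contents
    # A leaked unkeyed digest is matched by guessing; the keyed one is not.
    leaked_plain = unkeyed_digest("alice@example.com")
    print("plain hash matched:", dictionary_attack(leaked_plain, CANDIDATES, unkeyed_digest))
    print("keyed hash matched:", dictionary_attack(stored, CANDIDATES, unkeyed_digest))
    print("recovery lookup   :", recovery_lookup(kv, "alice@example.com", PEPPER))
```

The protection holds only while the pepper stays separate from the KV data: a party holding both can run the same guessing loop with `keyed_digest`.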

4. Legal basis (GDPR Art. 6)

  • Contract (Art. 6(1)(b)): processing necessary to deliver the Pro service (license verification, encrypted sync).
  • Consent (Art. 6(1)(a)): advertising cookies on free pages. May be withdrawn at any time.
  • Legitimate interest (Art. 6(1)(f)): necessary cookies, fraud prevention, and anonymous performance telemetry.

5. Third-party services

Third-party vendors, including Google, use cookies to serve ads based on a user's prior visits to this website or other websites. Google's use of advertising cookies enables it and its partners to serve ads to users based on their visit to this site and/or other sites on the Internet. Users may opt out of personalized advertising by visiting Google Ads Settings. Alternatively, users can opt out of a third-party vendor's use of cookies for personalized advertising by visiting www.aboutads.info.

Named processors and international transfers

The third parties listed below process limited data on our behalf. All US-based processors are certified under the EU-US Data Privacy Framework (DPF), the lawful transfer mechanism since July 2023. Pro subscriptions on CompoundVision are processed by Stripe; the data flow is described in Section 5.1 below.

| Processor | Purpose | Legal basis | Retention | Transfer |
|---|---|---|---|---|
| Google LLC (Google AdSense, USA) | Display advertising | Consent (GDPR Art. 6(1)(a)) | Up to 13 months (Google default) | DPF |
| Google LLC (Funding Choices CMP, USA) | Cookie consent management (TCF v2.2) | Legal obligation (ePrivacy) | Session | DPF |
| Google LLC (Google Analytics 4, USA) | Aggregate audience measurement (IP-anonymised) | Consent in EU/EEA/UK; legitimate interest elsewhere | 14 months | DPF |
| Cloudflare, Inc. (USA, EU edge) | Hosting, CDN, security, anonymous request metrics | Legitimate interest (GDPR Art. 6(1)(f)) | Aggregate logs, ≤30 days | DPF + EU DPA |
| Formspree.io (USA) | Footer feedback form submissions (only when you submit) | Consent (GDPR Art. 6(1)(a)) | Per Formspree policy | DPF |
| Stripe, Inc. (USA) | Pro subscription payments (CompoundVision only) | Contract performance (GDPR Art. 6(1)(b)) | Per Stripe policy + tax retention obligations | DPF |

Right to object (GDPR Art. 21): you may object to any processing based on legitimate interest at any time by contacting us via the footer form. Right to withdraw consent (GDPR Art. 7(3)): you may withdraw consent at any time via the cookie banner (it reappears when you clear localStorage for this site). Withdrawal does not affect lawfulness of processing prior to withdrawal.

5.1 Stripe (payment processing, Pro only)

Pro subscriptions are sold by CompoundVision (operated by Marco B., Spain) and payments are processed via Stripe (Stripe Payments Europe Ltd., Dublin, Ireland for EU customers; Stripe, Inc., San Francisco, USA otherwise). Stripe is our payment processor. Your payment card details never touch our servers: Stripe handles all cardholder data in compliance with PCI DSS. From Stripe we receive your Stripe customer ID, subscription ID, plan, status, and (via the metadata you opt into) your email address for license delivery and recovery. Stripe itself retains the cardholder name, billing address, payment method details, and transaction data per their privacy policy.

5.1b Resend (email delivery, Pro only)

If you opt in to email recovery, transactional emails (license key delivery, recovery emails) are sent via Resend. Resend is our data processor for email delivery; we have a Data Processing Agreement with them. Emails are sent from noreply@compoundvision.app and contain your license key. Resend logs delivery metadata (to/from/subject/timestamp/status) per their retention policy.

5.2 Google AdSense (free pages only)

Ads are served by Google AdSense (publisher ID ca-pub-8761907366448308) ONLY on free-tier pages. Google sets cookies such as __gads, __gpi, IDE to measure ad performance and, with your consent, personalize ads.

5.3 Google Funding Choices (CMP)

We use Google's certified Consent Management Platform to collect and manage ad consent as required by GDPR, the ePrivacy Directive, and CCPA. The CMP is shown only to users in regulated regions.

5.4 Financial data APIs

To display crypto, stock, and currency prices, we proxy requests to the following public APIs:

  • CoinGecko — crypto prices (no personal data sent)
  • Financial Modeling Prep (FMP) — stock/ETF data (no personal data sent)
  • Frankfurter — forex rates (no personal data sent)

5.5 Cloudflare

The site is hosted on Cloudflare Pages. Encrypted Pro portfolio blobs are stored on Cloudflare R2 (object storage). License records are stored on Cloudflare KV. Cloudflare Insights collects anonymous aggregate metrics. Cloudflare is our hosting and storage processor. See Cloudflare's privacy policy.

5.6 Formspree (feedback form)

The feedback form is powered by Formspree. Only the text you type is transmitted.

6. International transfers

Stripe, Google, Cloudflare, Formspree and the financial data APIs are US-based (or have US infrastructure) with global operations. Data may be transferred to and processed in the United States under the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs).

7. Retention

  • Free tier: no personal data stored on servers.
  • Pro encrypted blobs (R2): retained while your license is active and for 90 days after subscription cancellation (grace period for renewal), then purged. You may request earlier deletion at any time.
  • License records (KV): the license key, Stripe customer ID, subscription ID, plan, and status are kept for the duration of your subscription. After cancellation, we retain a minimal record (Stripe customer ID, subscription ID, cancellation timestamp) for up to 7 years as required by Spanish tax and accounting law (invoice audit trail).
  • Recovery email (if opted in): stored as a keyed HMAC-SHA256 hash (not plaintext) in KV while at least one of your licenses is active. Deleted upon GDPR erasure request or when all your licenses are permanently cancelled.
  • Stripe transaction records: retained by Stripe per their policy (typically 7 years for payment processing and compliance).
  • Resend email delivery logs: retained by Resend per their policy (typically 30 days).

8. Your rights (GDPR Art. 15-22, 77)

If you are an EEA/UK resident (GDPR), you have the right to:

  • Access, rectify, erase your personal data (Art. 15-17)
  • Restrict or object to processing (Art. 18, 21)
  • Data portability (Art. 20) — Pro users can export their decrypted portfolio from within the app at any time
  • Withdraw consent (Art. 7(3)) via the "Cookies" link in the footer
  • Lodge a complaint with your supervisory authority (Art. 77). For Spain: AEPD

To exercise rights that require action from us (erasure of Pro account, access to license records), email support@compoundvision.app. We respond within 48 hours and complete most requests within 7 days; the GDPR Art. 12(3) maximum is 30 days.

9. California residents (CCPA/CPRA)

We do not "sell" or "share" personal information. Google's CMP handles the CCPA signal for California users. Exercise your rights via the "Cookies" link in the footer.

10. Children's privacy

This service is not directed at children under 13 (COPPA) or 16 (GDPR Art. 8). We do not knowingly collect data from minors. Pro purchases require an age of majority.

11. Not financial advice

CompoundVision is a calculation tool only. Nothing displayed constitutes financial, investment, tax, or legal advice. Always consult a qualified professional before making financial decisions.

12. Changes to this policy

We may update this policy as the service evolves or as legal requirements change. Material changes will be announced via a notice at the top of this page for 30 days.

13. Contact

For privacy-related inquiries, GDPR requests (access, rectification, erasure, portability), or general questions about this policy, email support@compoundvision.app.

Response times:

  • General inquiries: under 48 hours
  • Pro subscribers: priority, typically under 24 hours
  • GDPR rights requests: within 30 days maximum (Art. 12(3)), usually much faster

You can also use the feedback form in the footer of any page for non-urgent matters.