Last updated 25 Apr 2026
Privacy Policy
The short version
Kobah is a portfolio tracker. You type in what you own, we store it in a database in Frankfurt, and we show it back to you in a currency of your choice. We don't connect to your bank. We don't sell your data. We don't run ads. The longer version below explains exactly what we do collect, who else touches it on the way, and how to get rid of it.
Who's responsible
Kobah is operated by an individual founder. For data-protection questions, including GDPR, UK GDPR, UAE PDPL, and CCPA/CPRA rights requests, contact privacy@kobah.app. We aim to acknowledge inquiries within 5 working days, and we will provide our full controller identity and postal address on request. Full details will be published in this policy before public app-store launch.
EU and UK representatives
Kobah's processing of EU and UK users' personal data is currently occasional, small-scale, and does not involve special categories of data or processing likely to result in a high risk to data subjects. On that basis we rely on the limited-scope exemption in Article 27(2) of the EU GDPR (and the equivalent provision under the UK GDPR) and have not appointed a representative in the EU or the UK. We reassess this position as the service grows and will appoint representatives if and when the exemption no longer applies.
UAE Personal Data Protection Law
For users in the United Arab Emirates, our processing is also governed by UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL). Under PDPL you have rights to access, correct, erase, restrict, object to, and port your personal data — substantially equivalent to the GDPR rights described below. To exercise any of these rights, email privacy@kobah.app.
What we collect
We try to collect as little as we can get away with. Concretely, three buckets:
Account data
When you sign in with Google, we receive your email address, name, profile picture, and a Google account ID. When you sign in by email code, we receive only your email address. We use this to identify your account and to address you in the app.
Portfolio data
Whatever you type in: ticker symbols, quantities, purchase prices, transaction dates, cash account balances, currency preferences, and free-text notes. This is stored in our Postgres database (Neon, Frankfurt region) and is what makes the app useful to you.
Technical data
IP address and basic browser headers — used by Cloudflare to rate-limit abusive traffic and by Vercel to serve the app. We use Vercel Web Analytics for aggregate page-view counts, which does not use cookies, does not set any persistent identifier, and does not collect anything that would let us recognise you across sessions or sites. We do not run advertising or third-party tracking pixels.
What we don't collect
- Bank account credentials, transaction history, or balances. Kobah has no bank-linking integration. We never see this data because it never reaches us.
- Location data beyond IP-level country inference for fraud prevention.
- Browsing history outside Kobah.
- Contact lists, calendars, or any other data from third-party accounts.
Why we're allowed to hold it (GDPR)
We process your account and portfolio data on the basis of contract — you've asked us to keep track of your portfolio and we can't do that without storing it. We process technical data on the basis of legitimate interest in keeping the service available and abuse-free. We do not rely on consent for anything outside optional features (e.g. marketing email, which we do not currently send).
No automated decision-making
We do not engage in automated decision-making or profiling that produces legal or similarly significant effects on you, as defined under GDPR Article 22.
Who else touches your data
Running a modern web app requires a small number of infrastructure providers. Each of these has signed a Data Processing Agreement and processes data on our behalf:
- Neon (US company, data hosted in Frankfurt, Germany) — primary database. Stores your account row and your portfolio data.
- Vercel (US company, edge network global) — application hosting. Sees your IP address and request metadata when you load the app.
- Cloudflare (US company, edge network global, R2 backups in EU jurisdiction) — DNS, rate limiting, and encrypted nightly backups of the database.
- Google (only if you sign in with Google) — handles the OAuth handshake. Google sees that you're using Kobah; Kobah receives only the basic profile fields listed above. Your interaction with Google is also governed by Google's own privacy policy.
- Resend (US company, email infrastructure in Ireland) — sends the 6-digit sign-in code to your email address. Sees your email address and the code, nothing else.
We do not share your data with anyone else. No advertisers, no data brokers, no "partners." If we add a new subprocessor, we'll update this list at least 14 days before they begin processing your data, giving you time to object or close your account.
Where your data lives
Your account row and portfolio data are stored in Frankfurt, Germany. Backups are encrypted and stored in Cloudflare R2 within the European Union. Some of our infrastructure providers (Neon, Vercel, Cloudflare, Resend) are US-incorporated companies; transfers of EU personal data to the US are made under the European Commission's Standard Contractual Clauses (Decision 2021/914), and transfers of UK personal data are made under the UK International Data Transfer Addendum to those Clauses. Where a provider is certified under the EU–US Data Privacy Framework, that certification serves as the primary transfer mechanism.
How long we keep it
Account and portfolio data: as long as your account is active. If you delete your account from Settings, we hard-delete the row and all associated portfolio data within 30 days, with the exception of database backups (kept up to 30 days) and audit logs required for security investigations (kept up to 90 days). Technical logs at Cloudflare and Vercel are retained per their own policies, typically 30 days.
Your rights
Under GDPR, UK GDPR, and UAE PDPL (and equivalent laws in other jurisdictions), you have the right to:
- Access — get a copy of your data. Settings → Export data does this for you instantly.
- Rectify — fix anything that's wrong. The app itself is the rectification tool — edit any holding directly.
- Erase — delete your data. Settings → Delete account does this. There is no recovery.
- Port — get your data in a machine-readable format. The export above is JSON.
- Restrict or object — pause or limit how we process your data. Email us.
- Complain — to a supervisory authority. EU users can complain to any EU data-protection authority; we do not have a designated lead. UK users can complain to the ICO. UAE users can complain to the UAE Data Office.
To exercise any of these rights, email privacy@kobah.app. We aim to acknowledge within 5 working days and to complete most requests within one month, as required by GDPR Article 12(3). For complex or numerous requests we may extend this by up to two further months and will explain why.
California residents (CCPA / CPRA)
If you are a California resident, you have the same access, correction, deletion, and portability rights described above. We collect the categories of personal information already listed (identifiers, account credentials, financial information you choose to enter, and internet/network activity in the form of IP-derived metadata). We do not sell your personal information and we do not share it for cross-context behavioural advertising. We do not knowingly collect sensitive personal information beyond what you voluntarily enter. To exercise your CCPA/CPRA rights, email privacy@kobah.app; we will not discriminate against you for doing so.
Cookies
We set a session cookie when you sign in. That's the only cookie. Vercel Web Analytics, which we use for aggregate page-view counts, identifies visitors via a daily-rotated hash of the request — it does not use cookies. We do not run advertising or third-party tracking cookies. There is no cookie banner because there is nothing to consent to: the session cookie is strictly necessary for the app to function, and analytics is cookieless.
Security
Data is encrypted in transit (TLS) and at rest via Neon's standard encryption. We use Postgres Row-Level Security to enforce that one user can't read another user's data, even if a query forgets a WHERE clause. We deliberately do not end-to-end encrypt your portfolio data — doing so would break server-side aggregation, snapshot history, and password-reset recovery. This is the standard trade-off for portfolio trackers and personal-finance dashboards. The threat model we protect against is account compromise and database breach, not a nation-state actor with custodial server access. If we discover a security incident affecting your data, we'll notify the relevant supervisory authority within 72 hours of discovery where required by GDPR Article 33, and we'll notify you without undue delay if the breach is likely to result in a high risk to your rights and freedoms, as required by GDPR Article 34.
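As an added illustration of the Row-Level Security approach described above (example SQL written for this page, not Kobah's actual schema or policy; the holdings table, its columns, the app_user role and the app.user_id setting name are all assumptions):

```sql
-- Constructed example: scope every row of a holdings table to the signed-in user,
-- so a query that omits its WHERE clause still cannot return someone else's data.
CREATE TABLE holdings (
    id       bigserial PRIMARY KEY,
    user_id  uuid    NOT NULL,
    ticker   text    NOT NULL,
    quantity numeric NOT NULL
);

-- RLS is off by default. FORCE also applies it to the table owner; superusers and
-- roles with BYPASSRLS still bypass it, so the application role must have neither.
ALTER TABLE holdings ENABLE ROW LEVEL SECURITY;
ALTER TABLE holdings FORCE ROW LEVEL SECURITY;

CREATE ROLE app_user LOGIN;  -- assumed application role, no BYPASSRLS
GRANT SELECT, INSERT, UPDATE, DELETE ON holdings TO app_user;

-- The policy reads the caller's id from a transaction-local setting. NULLIF handles
-- the case where the setting exists but is empty (e.g. after an earlier transaction
-- on a pooled connection): the comparison becomes NULL and no rows match, failing closed.
CREATE POLICY holdings_owner ON holdings
    FOR ALL
    TO app_user
    USING      (user_id = NULLIF(current_setting('app.user_id', true), '')::uuid)
    WITH CHECK (user_id = NULLIF(current_setting('app.user_id', true), '')::uuid);

-- Per request, after authenticating the session, inside the same transaction.
-- is_local = true ties the value to this transaction so it cannot leak through a
-- connection pool into the next request.
BEGIN;
SELECT set_config('app.user_id', '11111111-1111-1111-1111-111111111111', true);

-- No WHERE clause, yet only rows whose user_id matches the setting are visible.
SELECT ticker, quantity FROM holdings;

-- Writing a row for a different user is rejected by the WITH CHECK clause.
INSERT INTO holdings (user_id, ticker, quantity)
VALUES ('22222222-2222-2222-2222-222222222222', 'EXAMPLE', 1);
COMMIT;
```

A quick check worth keeping in a test suite: connect as the application role without setting app.user_id at all and confirm the SELECT returns zero rows rather than every row.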
Children
Kobah is not intended for users under 16. We do not knowingly collect data from children. If you believe a child has created an account, email us and we'll delete it.
Changes to this policy
If we change this policy in a material way, we'll email you before the change takes effect. Non-material changes (typo fixes, clarifications) we'll just publish — the "last updated" date at the top tells you when. The previous version is available on request.
Contact
Email privacy@kobah.app for any privacy question, including GDPR, UK GDPR, UAE PDPL, and CCPA/CPRA rights requests. We try to reply within 5 working days.