Privacy Policy
Last updated: March 2026
1. Introduction
This privacy policy explains how ALDR Ltd, trading as “Invormed” (“we”, “us”, “our”), collects, uses, stores, and protects your personal data when you use our portfolio intelligence platform. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
The data controller responsible for your personal data is:
- Company: ALDR Ltd
- ICO Registration: ZB768498
- Contact: archie@invormed.com
3. What Data We Collect
Account Data
When you sign in via Google OAuth (Firebase Authentication), we receive:
- Email address
- Display name
- Profile photo URL
Portfolio Data
Data you enter or import into the platform:
- Investment holdings (ticker, quantity, purchase price)
- Trade history
- Account information (ISA, SIPP, GIA designations)
Usage Data (with consent only)
If you accept analytics cookies, we collect:
- Pages visited and features used
- Session duration and user journeys
- Device type, browser, and operating system
- Screen size and resolution
Technical Data
For error monitoring and platform stability (under legitimate interest):
- Error logs and stack traces
- Browser and device information
- Performance metrics
4. Lawful Basis for Processing
We process your data under the following lawful bases:
- Contract — your account and portfolio data is processed to provide the service you signed up for
- Consent — analytics and marketing cookies are only activated after you explicitly accept via our cookie banner
- Legitimate interest — error monitoring (Sentry) to maintain a stable, secure platform
5. Cookies and Similar Technologies
We use cookies and local storage. Essential cookies (Firebase Auth session, consent preference) are required for the platform to function. Analytics and marketing cookies are only placed with your explicit consent. See our Cookie Policy for full details.
6. Data Processors
We share your data with the following third-party processors:
| Processor | Purpose | Data Shared | Requires Consent |
|---|---|---|---|
| Google (Firebase Auth) | Authentication | Email, name, photo | No (essential) |
| Google (Firestore) | Data storage (europe-west2) | Portfolio data, user profile | No (essential) |
| Vercel | Hosting and deployment | Request logs, IP addresses | No (essential) |
| Stripe | Payment processing | Email, payment details | No (contractual) |
| Sentry | Error monitoring | Error data, device info | No (legitimate interest) |
| Amplitude | Product analytics | Usage events, device info | Yes |
| Google Analytics (GA4) | Traffic analysis | Page views, sessions | Yes |
| Microsoft Clarity | Heatmaps and session replay | Interaction data (all financial data — portfolio values, holdings, account balances — is masked and never captured) | Yes |
7. International Transfers
Some of our processors (Google, Stripe, Vercel, Sentry, Amplitude, Microsoft) are based in the United States. These transfers are protected by:
- EU-US Data Privacy Framework (where applicable)
- Standard Contractual Clauses (SCCs) approved by the ICO
- Processor-specific data protection agreements
Your portfolio data is stored in Google Cloud Firestore in the europe-west2 (London) region.
8. Data Breach Notification
In the event of a personal data breach, we will notify the ICO within 72 hours where feasible and affected users without undue delay, in accordance with Articles 33 and 34 of UK GDPR.
9. Data Security
We protect your data through:
- Encryption in transit (TLS/HTTPS on all connections)
- Encryption at rest (Google Cloud default encryption)
- Firebase Security Rules restricting data access to authenticated users
- No storage of broker login credentials or payment card details
- Security headers and CSRF protection
9. Data Retention
- Account and portfolio data — retained while your account is active. Deleted upon request or account deletion.
- Analytics data — retained per each provider's standard retention policy. Typically 12–26 months.
- Error logs — retained for 90 days (Sentry default).
- Payment records — retained as required by UK tax and accounting law (typically 6 years).
10. Data Portability
You can export all your data in machine-readable JSON format from your account settings at any time.
11. Account Deletion
You can permanently delete your account and all associated data from your account settings. Deletion is immediate and irreversible.
12. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of your personal data
- Right to rectification — request correction of inaccurate data
- Right to erasure — request deletion of your data (“right to be forgotten”)
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interest
- Right to withdraw consent — withdraw cookie consent at any time via the cookie banner
To exercise any of these rights, contact archie@invormed.com. We will respond within one month.
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint
13. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects. Our AI chat feature provides informational responses only and does not make decisions on your behalf.
14. Children
Invormed is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
15. Not Financial Advice
Invormed is a portfolio tracking and intelligence tool. It is not a financial adviser and does not provide investment advice, recommendations, or regulated financial services. Always consult a qualified financial adviser before making investment decisions.
16. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or an in-app notification. The “last updated” date at the top of this page will always reflect the most recent revision.
17. Governing Law
This privacy policy is governed by the laws of England and Wales.
18. Contact
For any privacy-related questions or data requests, contact us at: archie@invormed.com