Privacy Policy
Overview
Parqet Companion is a tool that synchronises trading data from various sources (e.g. Interactive Brokers, Portfolio Performance) with your Parqet account. This privacy policy explains what personal data is processed, on what legal basis, and what rights you have as a data subject.
No analytics or tracking services are used. No data is sold to third parties.
Data We Process
Parqet account data
Your Parqet user ID and installation ID are retrieved from Parqet via OAuth2 at first login and stored in the local database to uniquely identify your account.
Legal basis: Art. 6(1)(b) GDPR (contract performance) — Retention: until account deletion
OAuth tokens (Parqet)
Access and refresh tokens for the Parqet Connect API are stored encrypted (AES-256 / Fernet) in the database. They allow the app to access your Parqet portfolios on your behalf.
Legal basis: Art. 6(1)(b) GDPR — Retention: until logout or account deletion
Session cookie
After login, a signed session cookie is set containing only your internal user ID. It contains no financial data.
Legal basis: Art. 6(1)(b) GDPR — Retention: until browser close or logout
CSRF cookie
A short-lived security cookie (double-submit pattern) protects all forms and API calls against cross-site request forgery attacks.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: IT security) — Retention: per request
IB FlexQuery credentials (opt-in)
If you enable server-side storage for automated IB syncs, your FlexQuery token and query ID are stored encrypted. By default these credentials are kept in your browser only.
Legal basis: Art. 6(1)(a) GDPR (explicit consent) — Retention: until you disable it
Notification channels (opt-in)
If you configure Telegram notifications or webhooks, the relevant configuration data (bot token, chat ID or webhook URL) is stored encrypted.
Legal basis: Art. 6(1)(a) GDPR — Retention: until you delete it
Sync history
The timestamp, status, number of transferred activities, and any error messages for each sync run are stored to display your history.
Legal basis: Art. 6(1)(f) GDPR (legitimate interest: debugging and transparency)
Preview data (sync preview)
Before pushing to Parqet, trading activities are temporarily stored in the database for the preview step. They are deleted immediately after the sync completes or when your session expires.
Legal basis: Art. 6(1)(b) GDPR — Retention: short-lived, deleted automatically
Portfolio files and trading data
Uploaded .portfolio files and imported trading data are processed in memory and forwarded to Parqet. They are never stored persistently on the server.
Legal basis: Art. 6(1)(b) GDPR
Third-Party Services
Parqet GmbH
All portfolio operations (OAuth login, reading and writing activities) go through the Parqet Connect API (connect.parqet.com). Parqet processes your data under their own privacy policy. Parqet Companion acts solely within the scope of your explicit OAuth authorisation.
Interactive Brokers
When IB sync is configured, the server fetches trading data via the FlexQuery API. The connection is server-side; your IB credentials are not shared with third parties.
Onvista / BörsenMediaGroup GmbH
To resolve WKN or ticker symbols to ISINs, server-side search requests are sent to the Onvista API (api.onvista.de). Only instrument identifiers are transmitted — no personal data.
jsDelivr & UNPKG (CDN)
Your browser loads JavaScript libraries (htmx, Alpine.js, Chart.js) from cdn.jsdelivr.net and unpkg.com. These services may log technical data such as your IP address.
Hetzner Online GmbH (Hosting)
The server is hosted at Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner acts as a data processor under Art. 28 GDPR; infrastructure is located in the EU.
Your Rights
Under the GDPR you have the following rights:
- Access (Art. 15) — Know what data is stored about you
- Rectification (Art. 16) — Correct inaccurate data
- Erasure (Art. 17) — Have your data deleted
- Restriction (Art. 18) — Restrict processing
- Data portability (Art. 20) — Export your data
- Objection (Art. 21) — Object to processing based on legitimate interests
- Withdrawal of consent (Art. 7(3)) — At any time for voluntarily stored data (IB credentials, notification channels)
You can exercise these rights directly in the app:
- Access & export — Account & Data: Download a copy of all data stored about you.
- Erasure — Account & Data: Delete your account and all stored data in one click.
- Withdrawal (IB credentials) — IB Setup: Disable server-side storage at any time.
- Withdrawal (notifications) — Notifications: Delete channels at any time.
You also have the right to lodge a complaint with your local data protection supervisory authority (Art. 77 GDPR).
Data Security
All sensitive data (OAuth tokens, IB credentials, notification configurations) is stored encrypted with AES-256 (Fernet). The connection to the server is TLS-encrypted. Session cookies are signed and set with the SameSite=Lax and Secure flags.
Last updated: March 24, 2026