Privacy commitment
Your portfolio. Encrypted in your browser. Period.
Last updated: 2026-07-04
Most platforms collect your positions and store them in plaintext. Kresmion does not. Your watchlist, your alerts, and your full portfolio are AES-256-GCM encrypted in your browser before any request leaves the device. We store the ciphertext; we do not hold the key. If our database were dumped tomorrow, your positions would still be opaque to whoever read it, including us.
This policy explains everything else: what we collect, why, who touches it, how long we keep it, and the rights you have over it. It applies worldwide. Where your local law grants you rights, we honor them; where it does not, we honor them anyway.
Who we are
Kresmion is the data controller for the personal data described here. The service is operated from France and hosted in the European Union. Contact for anything in this policy: inquiry@kresmion.com. Our postal address is included in every newsletter email and available on request.
What we collect
Account. Your name, username, email address, and a hashed password. That is all we require. We do not ask for phone numbers, postal addresses, employer, or identity documents. If you sign in with Google, we receive your verified email address and name from Google; we never see your Google password.
Encrypted vault data. Portfolio positions, watchlist tickers, and alert configurations are encrypted in your browser with a key derived from your password or PIN. We store only ciphertext and cannot read it.
Direct messages. Messages are encrypted at rest on our servers but are not end-to-end encrypted: Kresmion can read them. This is deliberate. It lets a shared ticker, signal, or chart render as a live sourced object in the conversation, lets the @kresmion assistant deliver your portfolio alerts, and lets us act on abuse reports. Treat messages like a normal chat, not like your portfolio. Do not send secrets, private keys, or passwords.
Newsletter. If you subscribe to the daily brief, we store the email address you give us and a record of your consent (date, page, policy version). We send a confirmation email first and only start sending once you confirm.
Site telemetry. When you visit, we record a random session identifier, the page path, the referrer, your browser's user-agent string, a truncated one-way hash of your IP address, and your country. The country is resolved on our own server from an embedded database (IP Geolocation by DB-IP); your IP address is not sent to anyone. The full IP address is never stored.
Security logs. Sign-in events and security-relevant actions, with IP addresses stored only as salted one-way hashes.
API usage. If you create API keys, we record key usage counts for quota enforcement.
What we do not do
We do not sell your data. We do not share it with advertisers or data brokers. We do not build profiles for brokerages. We do not embed third-party trackers, analytics SDKs, session recording, heatmaps, or marketing pixels. Your portfolio plaintext never leaves your browser.
Why we process data (legal bases)
| Purpose | Data | Legal basis (GDPR) |
|---|---|---|
| Providing your account and the platform | Account data, vault ciphertext, messages | Contract (Art. 6(1)(b)) |
| Sending the newsletter | Email, consent record | Consent (Art. 6(1)(a)), withdrawable any time |
| Security, abuse prevention, rate limiting | Security logs, hashed IPs, telemetry | Legitimate interests (Art. 6(1)(f)) |
| Understanding aggregate site usage | Telemetry (no third-party tools) | Legitimate interests (Art. 6(1)(f)) |
| Legal compliance and records | Minimal records as required | Legal obligation (Art. 6(1)(c)) |
Cookies and local storage
We use no advertising cookies, no cross-site tracking, and no third-party analytics. Because nothing we set requires consent under EU ePrivacy rules, we do not show a cookie banner.
| Name | Type | Purpose | Lifetime |
|---|---|---|---|
| refresh_token | Cookie (httpOnly, secure) | Keeps you signed in | Up to 30 days, cleared on logout |
| NEXT_LOCALE | Cookie | Remembers the language you picked | 1 year, set only if you switch language |
| kresmion.tracker.sid | localStorage | Random visit session id, not derived from your identity | Until your browser clears it |
| Theme, board layout, UI preferences | localStorage | Remembers your display settings | Until your browser clears it |
Who receives data (subprocessors)
| Provider | Location | What they do | Data involved |
|---|---|---|---|
| Hetzner Online GmbH | Germany (EU) | Hosts our servers | All service data, encrypted at rest where applicable |
| Resend | United States | Delivers transactional and newsletter email | Your email address and email content |
| United States | Sign-in, only if you choose Google OAuth | Your Google account email and name |
Our servers are in the European Union. Where a provider processes data outside the EU (email delivery, Google sign-in), the transfer is protected by recognized safeguards such as the EU standard contractual clauses or an adequacy framework. We will update this table before adding any new provider that touches personal data.
How long we keep data
| Data | Retention |
|---|---|
| Account data | Until you delete your account, plus a 30-day cancellable grace period, then permanently purged |
| Encrypted backups | Deleted data rolls out of backup rotation within 30 days |
| Direct messages | Until you or the other participant delete them, or account deletion |
| Newsletter address | Until you unsubscribe; a minimal suppression record prevents accidental re-adds |
| Security and audit logs | Up to 12 months |
| Site telemetry | Up to 24 months |
| Server logs | Up to 90 days |
Account deletion
When you delete your account, you are signed out everywhere immediately and a 30-day grace period starts. Signing back in during those 30 days fully restores the account. After the grace period, all data tied to your account is permanently purged, and associated records are deleted or de-identified by our cascade rules. The only thing we retain is a single anonymous deletion record with no user identifiers, used for capacity planning.
Your rights
You can act on most rights yourself, instantly:
- Access and portability. Download a complete export of your data at any time from Settings, or at /account/export.
- Rectification. Edit your details in Settings.
- Erasure. Delete your account in Settings; the process above applies.
- Withdraw consent. Every newsletter email has a one-click unsubscribe link.
For anything else (objection, restriction, questions about this policy), email inquiry@kresmion.com. We respond within 30 days. If you are in the EU or UK, you also have the right to complain to a supervisory authority; in France that is the CNIL (cnil.fr). We extend these same rights to all users worldwide, whether or not local law requires it.
Security
Client-side AES-256-GCM encryption for portfolio data, TLS for all traffic, encryption at rest for messages, salted one-way hashing for IP addresses, role-separated database access, and recurring security audits. No system is perfectly secure, but our architecture is built so that the most sensitive data is unreadable even to us.
Data breaches
If a breach creates a risk to you, we will notify the competent supervisory authority within 72 hours where required, and affected users without undue delay, with a plain description of what happened and what we are doing about it.
Children
Kresmion is not directed at children and requires users to be at least 18. We do not knowingly collect data from anyone under 18.
Changes to this policy
This privacy commitment is enforced structurally, by the encryption flow, not by policy. Any material change will be announced explicitly in advance, on the site or by email, not buried in an update. The date at the top reflects the latest version.
