Privacy commitment

Your portfolio. Encrypted in your browser. Period.

Last updated: 2026-07-04

Most platforms collect your positions and store them in plaintext. Kresmion does not. Your watchlist, your alerts, and your full portfolio are AES-256-GCM encrypted in your browser before any request leaves the device. We store the ciphertext; we do not hold the key. If our database were dumped tomorrow, your positions would still be opaque to whoever read it, including us.

This policy explains everything else: what we collect, why, who touches it, how long we keep it, and the rights you have over it. It applies worldwide. Where your local law grants you rights, we honor them; where it does not, we honor them anyway.

Who we are

Kresmion is the data controller for the personal data described here. The service is operated from France and hosted in the European Union. Contact for anything in this policy: inquiry@kresmion.com. Our postal address is included in every newsletter email and available on request.

What we collect

Account. Your name, username, email address, and a hashed password. That is all we require. We do not ask for phone numbers, postal addresses, employer, or identity documents. If you sign in with Google, we receive your verified email address and name from Google; we never see your Google password.

Encrypted vault data. Portfolio positions, watchlist tickers, and alert configurations are encrypted in your browser with a key derived from your password or PIN. We store only ciphertext and cannot read it.

Direct messages. Messages are encrypted at rest on our servers but are not end-to-end encrypted: Kresmion can read them. This is deliberate. It lets a shared ticker, signal, or chart render as a live sourced object in the conversation, lets the @kresmion assistant deliver your portfolio alerts, and lets us act on abuse reports. Treat messages like a normal chat, not like your portfolio. Do not send secrets, private keys, or passwords.

Newsletter. If you subscribe to the daily brief, we store the email address you give us and a record of your consent (date, page, policy version). We send a confirmation email first and only start sending once you confirm.

Site telemetry. When you visit, we record a random session identifier, the page path, the referrer, your browser's user-agent string, a truncated one-way hash of your IP address, and your country. The country is resolved on our own server from an embedded database (IP Geolocation by DB-IP); your IP address is not sent to anyone. The full IP address is never stored.

Security logs. Sign-in events and security-relevant actions, with IP addresses stored only as salted one-way hashes.

API usage. If you create API keys, we record key usage counts for quota enforcement.

What we do not do

We do not sell your data. We do not share it with advertisers or data brokers. We do not build profiles for brokerages. We do not embed third-party trackers, analytics SDKs, session recording, heatmaps, or marketing pixels. Your portfolio plaintext never leaves your browser.

Why we process data (legal bases)

PurposeDataLegal basis (GDPR)
Providing your account and the platformAccount data, vault ciphertext, messagesContract (Art. 6(1)(b))
Sending the newsletterEmail, consent recordConsent (Art. 6(1)(a)), withdrawable any time
Security, abuse prevention, rate limitingSecurity logs, hashed IPs, telemetryLegitimate interests (Art. 6(1)(f))
Understanding aggregate site usageTelemetry (no third-party tools)Legitimate interests (Art. 6(1)(f))
Legal compliance and recordsMinimal records as requiredLegal obligation (Art. 6(1)(c))

Cookies and local storage

We use no advertising cookies, no cross-site tracking, and no third-party analytics. Because nothing we set requires consent under EU ePrivacy rules, we do not show a cookie banner.

NameTypePurposeLifetime
refresh_tokenCookie (httpOnly, secure)Keeps you signed inUp to 30 days, cleared on logout
NEXT_LOCALECookieRemembers the language you picked1 year, set only if you switch language
kresmion.tracker.sidlocalStorageRandom visit session id, not derived from your identityUntil your browser clears it
Theme, board layout, UI preferenceslocalStorageRemembers your display settingsUntil your browser clears it

Who receives data (subprocessors)

ProviderLocationWhat they doData involved
Hetzner Online GmbHGermany (EU)Hosts our serversAll service data, encrypted at rest where applicable
ResendUnited StatesDelivers transactional and newsletter emailYour email address and email content
GoogleUnited StatesSign-in, only if you choose Google OAuthYour Google account email and name

Our servers are in the European Union. Where a provider processes data outside the EU (email delivery, Google sign-in), the transfer is protected by recognized safeguards such as the EU standard contractual clauses or an adequacy framework. We will update this table before adding any new provider that touches personal data.

How long we keep data

DataRetention
Account dataUntil you delete your account, plus a 30-day cancellable grace period, then permanently purged
Encrypted backupsDeleted data rolls out of backup rotation within 30 days
Direct messagesUntil you or the other participant delete them, or account deletion
Newsletter addressUntil you unsubscribe; a minimal suppression record prevents accidental re-adds
Security and audit logsUp to 12 months
Site telemetryUp to 24 months
Server logsUp to 90 days

Account deletion

When you delete your account, you are signed out everywhere immediately and a 30-day grace period starts. Signing back in during those 30 days fully restores the account. After the grace period, all data tied to your account is permanently purged, and associated records are deleted or de-identified by our cascade rules. The only thing we retain is a single anonymous deletion record with no user identifiers, used for capacity planning.

Your rights

You can act on most rights yourself, instantly:

For anything else (objection, restriction, questions about this policy), email inquiry@kresmion.com. We respond within 30 days. If you are in the EU or UK, you also have the right to complain to a supervisory authority; in France that is the CNIL (cnil.fr). We extend these same rights to all users worldwide, whether or not local law requires it.

Security

Client-side AES-256-GCM encryption for portfolio data, TLS for all traffic, encryption at rest for messages, salted one-way hashing for IP addresses, role-separated database access, and recurring security audits. No system is perfectly secure, but our architecture is built so that the most sensitive data is unreadable even to us.

Data breaches

If a breach creates a risk to you, we will notify the competent supervisory authority within 72 hours where required, and affected users without undue delay, with a plain description of what happened and what we are doing about it.

Children

Kresmion is not directed at children and requires users to be at least 18. We do not knowingly collect data from anyone under 18.

Changes to this policy

This privacy commitment is enforced structurally, by the encryption flow, not by policy. Any material change will be announced explicitly in advance, on the site or by email, not buried in an update. The date at the top reflects the latest version.