Privacy Policy

Version 1.4 | Last updated: 2026-05-15

1. Introduction

Prisma ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our portfolio tracking application.

The data controller within the meaning of Art. 4(7) GDPR is Surplexic GmbH, Eckenheimer Landstraße 24, 60318 Frankfurt am Main, Germany — info@surplexic.com.

2. Information We Collect

2.1 Personal Information

  • Account Information: Email address, username, and authentication credentials (encrypted)
  • Profile Data: User preferences and settings
  • Terms Acceptance: Records of your acceptance of our Terms and Conditions

2.2 Financial Information

  • Cleartext Transaction Data: the asset symbol of each of your transactions
  • Encrypted Transaction Data: the amount, date, price and fees of your transactions (end-to-end encrypted and stored securely)

2.3 Usage Information

  • App Usage: Features used, pages viewed, and user interactions for service improvement
  • Log Data: Error logs and performance data for service improvement

3. How We Use Your Information

3.1 Service Provision

  • Provide and maintain the portfolio tracking service
  • Calculate portfolio performance and analytics
  • Display financial data and reports

3.2 Service Improvement

  • Analyze usage to improve features
  • Debug issues and optimize performance
  • Develop new features and functionality

3.3 Communication

  • Send important service notifications
  • Respond to your inquiries and support requests
  • Notify you of Terms and Privacy Policy updates

4. Information Sharing and Disclosure

4.1 Third-Party Processors

We use the following third-party processors to provide the service. With each of these we have a Data Processing Addendum (Auftragsverarbeitungsvertrag, AVV) in place as required by GDPR Art. 28. The complete list of subprocessors is available on request at info@surplexic.com.

A. Firebase Authentication (Google Ireland Limited)

  • Purpose: account authentication, password reset, session management
  • Data: email address, hashed password, pseudonymous Firebase User ID, sign-in timestamps
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you
  • Transfer: data is stored on Google's EU infrastructure; transfers to the United States, where they occur, are based on the EU Standard Contractual Clauses (SCCs) and the EU-US Data Privacy Framework

B. Firebase Realtime Database (Google Ireland Limited)

  • Purpose: storing your portfolio data (transactions, holdings, preferences)
  • Data: portfolio data stored end-to-end encrypted using a key derived from your password and recovery key — Google cannot read this content
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you
  • Transfer: see Section 4.1.A

C. Firebase Cloud Functions (Google Ireland Limited)

  • Purpose: server-side logic such as account deletion, broker import processing
  • Data: limited to the data needed for the specific function call; never includes unencrypted portfolio content
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract with you
  • Transfer: see Section 4.1.A

D. Firebase App Check (Google Ireland Limited)

  • Purpose: anti-abuse and platform integrity (verifies requests come from a genuine, unmodified instance of the Prisma app)
  • Data: anonymized device attestation tokens issued by Apple App Attest; no user-identifying data
  • Legal basis: Art. 6(1)(f) GDPR — legitimate interest in preventing abuse and securing the service
  • Transfer: see Section 4.1.A

E. Firebase Crashlytics (Google Ireland Limited) — see Section 4.4 for full disclosure

F. Broker statement import (when broker import is used)

  • Purpose: parsing of broker transaction statements (PDF/CSV) you upload to import into Prisma
  • Data: only the broker statement file you yourself select; the file is parsed entirely on your device — its contents are not transmitted to Surplexic servers, Firebase Cloud Functions, or any third party as part of the parsing step. Only the resulting transactions you confirm are then saved to your encrypted portfolio (see Section 4.1.B)
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract; the import is initiated by you
  • Note: this is a local file parser, not an API integration with the broker. We do not connect to your broker account. You are responsible for complying with your broker's own terms (see ToS § 4.3)

G. Market data providers

  • Purpose: asset prices, fundamentals, dividend data
  • Data: no personal or user data is shared; only asset symbols are queried

H. Apple (App Store / In-App Purchase)

  • Purpose: subscription billing and Apple-side subscription management
  • Data: subscription status; payment data handled exclusively by Apple, not by us
  • Legal basis: Art. 6(1)(b) GDPR — performance of the contract; Apple acts as a separate controller for payment data

4.2 Legal Requirements

We may disclose your information if we are required to do so by law or in response to valid requests by public authorities.

4.3 Business Transfers

In the event of a merger, acquisition, or sale, your information may be transferred as part of the business assets.

4.4 Crash Diagnostics (Firebase Crashlytics)

When the app crashes or encounters an internal error, an automatic diagnostic report is sent to Firebase Crashlytics, a service operated by Google Ireland Limited. The report contains only technical information:

  • Stack trace of the error
  • Device model and iOS version
  • App version and build number
  • A non-personal cohort label (subscription tier: free / trial / pro)
  • A pseudonymous installation identifier managed by Google (within the meaning of Art. 4(5) GDPR — cannot be linked to your identity outside this app, but may persist for the installation lifetime)

We do not transmit any of the following to Crashlytics: your name, email address, account ID, portfolio holdings, transactions, or any other identifiable information. The diagnostic report is not linked to your Prisma user account on our side.

Legal basis (GDPR Art. 6(1)(f) — legitimate interest): processing this data is necessary to detect, debug, and fix bugs in the app, which is essential to providing a stable and secure service. Because no personal data is collected for this purpose, we do not require your separate consent.

Retention: Crash reports are automatically deleted after 90 days by Crashlytics' default retention policy.

Right to object (GDPR Art. 21): you may object to this processing at any time by contacting us at info@surplexic.com. Future reports from your device will then no longer be processed for this purpose.

International transfers: Google Ireland Limited acts as our processor under a Data Processing Addendum. Transfers to the United States are made on the basis of the EU Standard Contractual Clauses and the EU-US Data Privacy Framework.

5. Data Security

5.1 Security Measures

  • Authentication credentials are securely stored by Firebase Auth
  • Data transmission is protected with HTTPS/TLS encryption
  • Secure authentication and authorization systems
  • Regular security assessments and updates
  • Access controls and monitoring
  • All your financial transaction data is end-to-end encrypted and stored securely. It can only be read by you; we do not have access to your unencrypted financial data.

5.2 Data Retention

We retain personal data only for as long as needed for the purpose for which it was collected, then delete it. Specific retention periods per category:

| Data category | Retention while account active | After account deletion |
| Account data (email, hashed password, settings) | Until account deletion | Removed from active systems immediately; encrypted backups purged within 30 days |
| Portfolio data (transactions, holdings) | Until you delete it or your account | Removed from active systems immediately; encrypted backups purged within 30 days |
| Crash diagnostics (Crashlytics) | 90 days (Google default) | Not linked to your account; auto-deleted by Crashlytics after 90 days |
| Authentication logs (Firebase Auth) | 30 days (Google default) | The linked anonymized identifier is auto-deleted by Google |
| Subscription receipts (Apple side) | Retained by Apple Inc. as separate controller per Art. 4(7) GDPR | Held by Apple per Apple's policy; we have no control |
| Tax/accounting records of our own (invoices, transaction receipts for paid subscriptions) | 10 years per § 147 AO (Abgabenordnung) | Retained as required by tax law, then deleted |

Where applicable law requires longer retention (e.g., tax law, AML, legal hold), we retain the minimum data necessary to comply for the legally required period and restrict its processing.

6. Your Rights and Choices

6.1 Account Management

  • Update your personal information through the app
  • Delete your account and associated data

7. GDPR Rights (EU Users)

If you are a resident of the European Union, you have additional rights under the General Data Protection Regulation (GDPR):

7.1 Your Rights

  • Right of Access (Art. 15 GDPR): Request copies of your personal data
  • Right to Rectification (Art. 16 GDPR): Request correction of inaccurate data
  • Right to Erasure (Art. 17 GDPR): Request deletion of your personal data
  • Right to Restrict Processing (Art. 18 GDPR): Request limitation of data processing
  • Right to Data Portability (Art. 20 GDPR): Request transfer of your data in a structured, commonly used, machine-readable format
  • Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests
  • Right to Withdraw Consent (Art. 7(3) GDPR): Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing

To exercise these rights, contact us at info@surplexic.com. We will respond within 30 days as required by Art. 12(3) GDPR.

7.2 Right to Lodge a Complaint (Art. 77 GDPR)

You have the right to lodge a complaint with a data protection supervisory authority if you believe your personal data has been processed in violation of the GDPR. The supervisory authority responsible for Surplexic GmbH is:

Der Hessische Beauftragte für Datenschutz und Informationsfreiheit
Postfach 3163
65021 Wiesbaden
Germany
Phone: +49 611 1408-0
Email: poststelle@datenschutz.hessen.de
Web: https://datenschutz.hessen.de

You may also lodge a complaint with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement.

7.3 Legal Basis for Processing

  • Contract (Art. 6(1)(b) GDPR): Processing necessary for providing our services (account, portfolio data, subscription management)
  • Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent (e.g., marketing emails, optional features)
  • Legitimate Interests (Art. 6(1)(f) GDPR): For service improvement, fraud prevention, and automatic crash diagnostics (see Section 4.4)
  • Legal Obligation (Art. 6(1)(c) GDPR): Where required to comply with applicable law (e.g., tax, AML, court orders)

8. Children's Privacy

Our service is not intended for children under 18 years of age. We do not knowingly collect personal information from children under 18.

9. International Data Transfers

Your data may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers (see Section 4.1 for the applicable mechanisms, including EU Standard Contractual Clauses (SCCs) per Art. 46(2)(c) GDPR and the EU–US Data Privacy Framework where the recipient is certified).

10. Tracking Technologies on Mobile

Prisma is a mobile application and does not use cookies. We also do not use the Apple Advertising Identifier (IDFA) or any cross-app/cross-site tracking technologies. The App Tracking Transparency (ATT) framework is therefore not required.

The only technical identifiers we rely on are:

  • Firebase Installation ID: a pseudonymous, app-scoped identifier (Art. 4(5) GDPR) managed by Google for crash reporting and authentication. It cannot be linked to your identity outside this app.
  • Apple's anonymized device identifiers used by App Check (Apple App Attest) for anti-fraud and platform integrity. These cannot be used to track you across apps.

We do not run any web analytics, marketing pixels, or third-party advertising SDKs in the app.

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new Privacy Policy in the app and updating the "Last updated" date.

12. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights, please contact us at:

  • Privacy / GDPR / data protection: info@surplexic.com (please use subject line "GDPR Request")
  • General product support: support@myprisma.app
  • Website: https://myprisma.app/privacy

13. Data Protection Contact

Surplexic GmbH is not required to appoint a Data Protection Officer under § 38 BDSG (fewer than 20 employees regularly processing personal data, no core activity requiring systematic large-scale monitoring or processing of special-category data).

For all data protection inquiries and to exercise your GDPR rights, please contact:

Surplexic GmbH — Data Protection
Eckenheimer Landstraße 24
60318 Frankfurt am Main
Germany
Email: info@surplexic.com

By using Prisma, you acknowledge that you have read and understood this Privacy Policy.