Privacy & Data Protection

Privacy Policy

How we protect your data and respect your privacy

1. Introduction

Welcome to InvestBud. We are committed to protecting your personal data and respecting your privacy in accordance with the General Data Protection Regulation (GDPR), the German Federal Data Protection Act (BDSG), and other applicable data protection legislation. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our property investment analysis platform.

We are committed to transparency about how we handle your personal data.
We only collect data that is necessary to provide and improve our services.
We implement appropriate technical and organizational measures to protect your data.
We never sell your personal data to third parties.
We comply with the GDPR and all applicable German and European data protection laws.

2. Data We Collect

We collect the following categories of personal data to provide and improve our services:

Account Data

Name and email address (via Clerk authentication)
Profile information and display preferences
Authentication credentials and login history
Language and localization preferences

Usage Data

Property analysis inputs and results
Feature usage patterns and interaction history
Pages visited and time spent on each section
Search queries and calculator usage

Payment Data

Payment method details (processed securely by Stripe)
Subscription status and billing history
Invoice information and transaction records
Free trial and plan change history

Technical Data

IP address and browser type
Device information and operating system
Cookies and similar technologies
Referral source and access timestamps

3. Legal Basis for Processing

We process your personal data based on the following legal grounds under the GDPR:

Contract Performance (Art. 6(1)(b) GDPR): Processing necessary to provide our services, manage your account, and fulfill subscription obligations.
Consent (Art. 6(1)(a) GDPR): Where you have given explicit consent, such as for optional analytics cookies or marketing communications.
Legitimate Interest (Art. 6(1)(f) GDPR): Processing necessary for our legitimate business interests, such as improving our platform, preventing fraud, and ensuring security.
Legal Obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, such as tax regulations and record-keeping requirements.

4. Third-Party Services

We use carefully selected third-party services to provide and improve our platform:

Clerk (Authentication)

We use Clerk for user authentication and account management. Clerk processes your email address, name, and authentication data. Clerk is GDPR-compliant and acts as a data processor on our behalf.

Stripe (Payment Processing)

Payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. Stripe collects and processes your payment card details directly — we never store your full card number. Stripe acts as an independent data controller for payment data.

MongoDB Atlas (Data Storage)

Your property analysis data and account information are stored in MongoDB Atlas, hosted on servers within the European Union. MongoDB provides enterprise-grade encryption and security measures.

5. Cookies & Tracking

We use cookies and similar technologies to provide and improve our services:

Essential Cookies

Required for the platform to function properly. These include authentication session cookies and security tokens. These cookies cannot be disabled.

Preference Cookies

Used to remember your settings, such as language preference and display options. These cookies enhance your user experience but are not strictly necessary.

6. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:

Account data: Retained for the duration of your account and up to 30 days after deletion request.
Property analysis data: Retained for the duration of your account. Deleted upon account closure.
Payment records: Retained for 10 years as required by German tax law (§ 147 AO).
Technical logs: Automatically deleted after 90 days.
Cookie data: Varies by cookie type, from session duration to 12 months maximum.

7. Your Rights Under GDPR

As a data subject, you have the following rights under the General Data Protection Regulation:

Right of Access (Art. 15 GDPR): Request a copy of your personal data and information about how it is processed.
Right to Rectification (Art. 16 GDPR): Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17 GDPR): Request deletion of your personal data ('right to be forgotten'), subject to legal retention obligations.
Right to Restriction (Art. 18 GDPR): Request restriction of processing in certain circumstances.
Right to Data Portability (Art. 20 GDPR): Receive your data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21 GDPR): Object to processing based on legitimate interests or for direct marketing purposes.
Right to Withdraw Consent (Art. 7(3) GDPR): Withdraw previously given consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us using the information provided below. We will respond to your request within 30 days.

8. Contact Information

If you have questions about this privacy policy or wish to exercise your data protection rights, please contact us:

Data Controller: Cengizhan Hakan
Address: Leipziger Str 47, 10117 Berlin
Email: [email protected]
Phone: +49 1520 8341657

You also have the right to lodge a complaint with a supervisory authority. The competent supervisory authority in Germany can be found at: https://www.bfdi.bund.de

February 2026