Investeren

Privacy Policy

Last updated: June 1, 2026

This Privacy Policy explains how Investeren ("investeren.org", "we", "our", or "us") collects, uses, and safeguards your personal data when you use our website, our AI assistant "Morgann" (on the web and via WhatsApp), and related services. It is written to meet our transparency obligations under the EU General Data Protection Regulation (GDPR).

1. Who We Are (Data Controller)

The controller responsible for your personal data is:

  • Lodicy (BV — besloten vennootschap)
  • Beerlegemsebaan 61, 9630 Zwalm, Belgium
  • Chamber of Commerce (KBO-BCE): BE 0656.878.456 · VAT (BTW): BE 0656.878.456
  • Contact: privacy@investeren.org
  • Data protection contact: Achile Batier — achilebatier@gmail.com, +32 499 81 18 71
  • EU representative (GDPR Art. 27): not applicable — established in the European Union.

See our full operator details on the Imprint page.

2. Personal Data We Collect

  • Account data — email address; if you sign in with Google, your name and profile picture.
  • Usage and device data — pages visited, features used, approximate analytics, and (with consent) session-replay data.
  • Portfolio, watchlist & alerts — the holdings, symbols, and price alerts you create.
  • Morgann chat content — the messages, questions, and images you send to the assistant, and its responses. We store this chat history and generate vector embeddings of it so the assistant can recall context.
  • AI-extracted personal facts — to personalise responses, the assistant automatically extracts and stores structured attributes inferred from your conversations, such as your stated risk tolerance, investment horizon, and home currency.
  • WhatsApp data — if you message Morgann on WhatsApp, we process your phone number and message content (including images) via Twilio.
  • Cookies & identifiers — see our Cookie Policy.

3. How We Use Your Data & Legal Bases

We process your personal data for the following purposes, each with a GDPR Art. 6 legal basis:

  • Providing the service (account, portfolio, chat, memory/personalisation) — performance of a contract (Art. 6(1)(b)).
  • Security, fraud and abuse prevention, and improving the platformlegitimate interests (Art. 6(1)(f)).
  • Analytics cookies (Microsoft Clarity) and advertising cookies (Google AdSense)your consent (Art. 6(1)(a)), which you can withdraw at any time.
  • Account-related notifications — contract / legitimate interests.

4. AI Processing & Automated Profiling

Morgann is powered by third-party large language models (LLMs). When you interact with it, your chat content, any images you send, and relevant personalisation context (including the personal facts described above) are transmitted to LLM providers through the Vercel AI Gateway, which routes requests to Anthropic (Claude), OpenAI, and Google (Gemini) depending on the model selected. Text is also sent to an embeddings provider to build the recall index.

We use automated processing to build a limited profile of your investing preferences (e.g. risk tolerance) in order to tailor the assistant's answers. This profiling is used only to personalise informational content; it does not produce legal or similarly significant effects and is not used to make automated decisions about you within the meaning of GDPR Art. 22. You can ask the assistant to forget what it has stored about you (for example via the in-chat memory controls), or contact us to exercise your rights below.

5. Sub-processors & Third-Party Services

We share personal data with carefully selected sub-processors who act on our behalf under data processing agreements. The principal categories are:

  • Infrastructure — Supabase (database, auth, storage) and Vercel (hosting/CDN).
  • AI / LLM providers — Vercel AI Gateway → Anthropic, OpenAI, Google (chat content, images, embeddings, extracted facts).
  • Messaging — Twilio (WhatsApp phone numbers and messages).
  • Analytics & advertising (consent-gated) — Microsoft Clarity and Google AdSense.
  • Data & tooling — Tavily, DeepL, ScrapingBee, Financial Modeling Prep, CoinGecko and similar providers, which generally receive only non-personal query parameters.

The complete, current list — with each provider's purpose, the data it sees, and its transfer basis — is maintained on our dedicated Sub-processors page.

6. International Data Transfers

Several of our providers (including the LLM providers, Twilio, Microsoft Clarity, and Google AdSense) are based in or transfer data to the United States or other countries outside the European Economic Area. Where this happens, we rely on appropriate safeguards under GDPR Chapter V — primarily Standard Contractual Clauses (SCCs) and, where available, certification under the EU-US Data Privacy Framework. You can request more information about these safeguards using the contact details above.

7. Data Storage & Security

Your data is stored using Supabase, with encryption at rest and in transit. We implement appropriate technical and organisational measures, including hashed/redacted logging (for example, IP addresses are hashed and phone numbers are stored redacted in audit logs).

8. Data Retention

  • Account, portfolio, watchlist & alerts — kept while your account is active.
  • Conversation history (web chat & WhatsApp) & embeddings — automatically purged after 365 days. WhatsApp data identified by phone number is covered by this purge and by account deletion.
  • Security/audit logs — purged after 90 days.
  • AI-extracted facts (your profile & preferences) — retained for as long as your account remains active, and removed when you delete your account.

In short: your profile and account data are retained for as long as you maintain an active account with Investeren; conversation history is kept for up to 365 days. If you terminate your account, your personal data is retained for an additional 30 days in a backup system, after which it is permanently deleted — subject to any legal retention obligations.

9. Your Rights

Under the GDPR you have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request erasure of your account and data
  • Export your data (data portability)
  • Object to or restrict certain processing
  • Withdraw consent for analytics/advertising at any time
  • Lodge a complaint with your supervisory authority (in the Netherlands, the Autoriteit Persoonsgegevens; in Belgium, the Gegevensbeschermingsautoriteit)

To exercise any of these rights, contact privacy@investeren.org. We aim to respond within one month.

10. Cookies

We use essential cookies plus, with your consent, analytics and advertising cookies. See our Cookie Policy for details and to manage your choices.

11. Children's Privacy

Our services are not directed to individuals under 18. We do not knowingly collect personal data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time and will update the "Last updated" date above. Material changes will be communicated appropriately.

13. Contact Us

For any privacy question, contact privacy@investeren.org or see our Imprint.