Privacy and data
Privacy and Data Policy
Last updated: 23 May 2026
Plain-English summary
- You choose what data to enter, upload, or connect.
- We use your data to provide portfolio tracking, imports, reports, and account features.
- We do not sell your financial records.
- OpenFolio records are user-provided records and estimates, not proof of actual wealth, ownership, legal entitlement, or tax outcome.
- If a serious data incident occurs, we will assess it and notify affected users and regulators where required by Australian law.
1. Who this policy applies to
This policy explains how OpenFolio collects, uses, stores, protects, discloses, and deletes personal information and financial records. It is intended to align with the Privacy Act 1988 (Cth), the Australian Privacy Principles, and the Notifiable Data Breaches scheme where those laws apply to us.
2. Information we collect
Account information
Email address, authentication identifiers, sign-in method, subscription status, and support correspondence.
Financial records you choose to provide
Trades, holdings, dividends, crypto positions, cash accounts, bank transactions, superannuation records, physical assets, debt records, employee equity records, import batches, categories, notes, and related calculations.
Imported and connected data
CSV files, parsed rows, platform identifiers, account labels, balances, activity records, API connection metadata, sync timestamps, and records returned by connected platforms.
Credentials and connection secrets
Where direct connections are supported and you choose to use them, we may store API credentials or tokens needed to operate that connection. You should use read-only permissions where available and revoke access at the source platform when no longer needed.
Technical and security data
IP address, browser information, device information, session metadata, server logs, error logs, request metadata, security events, and audit information collected by our systems or infrastructure providers.
3. Data accuracy and user control
OpenFolio does not independently verify that a record you enter, import, or connect reflects actual ownership, entitlement, market value, broker balance, bank balance, super balance, crypto wallet balance, tax outcome, or legal position. The service reflects the information available to it.
You are responsible for choosing what data to provide, keeping it current, correcting errors, removing duplicates, revoking unwanted connections, and comparing OpenFolio records against official source records.
4. How we use information
- Provide the dashboard, imports, calculations, reports, and account features.
- Calculate holdings, cost bases, estimated tax outcomes, dividends, net worth, and analytics.
- Operate optional direct platform connections you choose to enable.
- Send transactional emails, account notices, security alerts, billing messages, and support responses.
- Protect the service, investigate misuse, debug errors, monitor availability, and improve reliability.
- Comply with legal, tax, security, regulatory, dispute, and enforcement obligations.
5. Legal basis and consent
We collect and process information because you provide it, because it is necessary to operate the service you request, because we have legitimate security and operational interests, because you consent to optional connections or imports, or because we are required or permitted by law to do so.
6. Storage, hosting, and service providers
We use trusted infrastructure and service providers to operate OpenFolio. These may include Supabase for database and authentication, Vercel for hosting, Stripe for payments, Resend or similar email services for transactional email, and market data providers such as Yahoo Finance or CoinGecko.
Where possible, we prefer Australian or reputable cloud regions and providers. Some providers may process technical data outside Australia. We use them only for service delivery, security, payment, support, or operational purposes.
7. Security controls
We use row-level security, account authentication, access controls, HTTPS, provider-managed infrastructure security, environment secret controls, restricted production access, logging, and operational review practices. We aim to collect only data needed for the service and to limit internal access to people who need it.
No internet service can be guaranteed completely secure. You should use strong account security, protect your email account, avoid uploading unnecessary sensitive documents, use read-only platform credentials, and revoke third-party credentials if you suspect risk.
8. Emergency security protocol
If we detect or suspect a serious security issue, compromise, unauthorised access, credential leak, platform abuse, data exposure, operational threat, or legal risk, we may activate an emergency response. This may include disabling sign-ins, invalidating sessions, pausing imports, disconnecting integrations, rotating credentials, restricting exports, blocking requests, preserving logs, engaging providers, and taking the service offline.
We will assess whether the incident is an eligible data breach under the Notifiable Data Breaches scheme and, where legally required, notify affected individuals and the OAIC.
9. Disclosure
We do not sell your personal information or financial records. We may disclose information to service providers, payment processors, infrastructure providers, professional advisers, regulators, law enforcement, courts, dispute bodies, or other parties where required or permitted by law, necessary to operate the service, necessary for security, or necessary to protect rights and safety.
10. Retention and deletion
We keep account and financial records while your account is active or while needed for service, security, backup, legal, billing, dispute, or compliance purposes. If you request deletion, we will take reasonable steps to delete or de-identify personal information we no longer need, subject to backups, legal obligations, billing records, fraud prevention, and security logs.
11. Access, correction, and complaints
You may request access to or correction of personal information we hold about you. You may also request account deletion or raise a privacy complaint by emailing privacy@openfolio.com.au.
If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner at oaic.gov.au.
12. Cookies and analytics
We use cookies and local storage required for authentication, session management, security, and product operation. We may use infrastructure logs and privacy-conscious analytics to maintain and improve the service. We do not sell behavioural advertising profiles based on your financial records.
13. Children
OpenFolio is not intended for children under 18. We do not knowingly collect personal information from children under 18.
14. Changes to this policy
We may update this policy from time to time. Material changes will be notified in the product or by email where practical. Continued use after changes take effect means you accept the updated policy.
15. Related terms
This policy should be read with our Terms of Service, which include important disclaimers, liability limits, data accuracy terms, and no-advice terms.