Last updated: April 2026
Privacy Policy
Quadran is built from the ground up to protect your privacy. This document explains precisely what data is processed, why, and how — in compliance with the General Data Protection Regulation (GDPR).
Also available in: Français
Data Controller
The data controller for personal data collected through the Quadran extension and the site quadran.io is:
Quadran
Website: quadran.io
Contact: contact@quadran.io
Data Collected
Quadran applies a strict data minimisation principle. The table below summarises all processing activities:
| Category | Data | Where stored |
|---|---|---|
| Financial data | Holdings, valuations, performance history, allocations | On your device only (chrome.storage.local) |
| User settings | Model portfolios, tax preferences, fees, investment horizon | On your device only (chrome.storage.local) |
| Anonymous vote | Text identifier of the voted broker (e.g. trade_republic) |
Supabase server (anonymous, not linked to your identity) |
| Email activation (OTP) | Email address entered during extension activation; one-time code sent by email and verified | Supabase server — email is used solely to send the code; not retained after successful verification |
| Payment data | Email address, payment card details | Processed by our payment provider — never stored by Quadran |
| Contact form & waitlist | Email address (waitlist); email address + message (contact form) | Supabase server (see Article 8 — Transfers Outside the EU) |
| Copilot analysis (optional) | Structured summary of your portfolio (valuations, allocations, investor profile) — only when you initiate an analysis | Sent to the AI provider of your choice (Anthropic or OpenAI) via your own API key — never stored by Quadran |
Quadran collects no identity data (name, surname, postal address), no broker login credentials, and no browsing behaviour data. An email address is collected only during OTP activation; it is not used for any other purpose and is not retained after verification.
Purposes and Legal Basis
| Purpose | Legal basis (GDPR) |
|---|---|
| Displaying the dashboard and rebalancing calculations | Performance of contract (Art. 6.1.b) |
| Local saving of preferences and performance history | Performance of contract (Art. 6.1.b) |
| Voting on future broker integrations | Legitimate interest — product improvement (Art. 6.1.f) |
| Subscription management and billing | Performance of contract (Art. 6.1.b) + Legal obligation (Art. 6.1.c) |
| Responding to contact form requests | Legitimate interest (Art. 6.1.f) — processing your request |
| Waitlist management | Consent (Art. 6.1.a) — voluntary sign-up |
| Email address activation and OTP verification | Consent (Art. 6.1.a) — voluntarily entered during extension activation |
| Copilot analysis (AI-generated advice) | Explicit consent (Art. 6.1.a) — user-initiated with their own API key |
Local Data (Chrome Extension)
All your financial data is processed and stored exclusively on your device, in the isolated storage of the Chrome extension (chrome.storage.local). This storage is inaccessible to other extensions, third-party websites, and Quadran itself.
The extension uses the following Chrome permissions:
storage— local saving of your settings, portfolios, and performance history.tabs— opening the dashboard in a new tab and navigating to your brokers at your request.activeTab— detecting which broker page is currently open in order to show the correct connection status in the popup.- Access to broker domains — reading portfolio data displayed on your broker pages (saxoinvestor.fr, trader.degiro.nl, espaceclient.linxea.com, clients.boursobank.com, clients.boursorama.com, boursedirect.fr, app.traderepublic.com, mabanque.fortuneo.fr) while you are logged in, to populate your dashboard.
Quadran never reads your login credentials, passwords, or 2FA codes. It only extracts portfolio data already displayed on screen — data you can see yourself.
The extension also makes network requests to the following external services:
- api.coingecko.com — to fetch real-time cryptocurrency prices (no authentication required).
- jicuionlzywydhdnesnf.supabase.co — for license validation, anonymous community votes, and contact forms.
- api.anthropic.com — only when you configure an Anthropic API key and explicitly start a Copilot analysis.
- api.openai.com — only when you configure an OpenAI API key and explicitly start a Copilot analysis.
Anonymous Vote Data
The community voting feature for future broker integrations (the "Connections" section of the site and app) transmits to our servers only:
- The text identifier of the voted broker (e.g.
trade_republic) - The direction of the vote (add or remove)
No information identifying the voter is transmitted or stored. This data is used solely to display the aggregated ranking of the most-requested brokers.
This data is hosted on Supabase (see Article 7 — Third-Party Sharing and Article 8 — Transfers Outside the EU).
Payment Data
Payments for Premium subscriptions and lifetime access are handled by a PCI-DSS certified third-party payment provider. Quadran never stores, processes, or directly accesses your bank card details.
Your email address is collected at the time of purchase to:
- Issue your invoice and payment receipt
- Manage access to your licence or subscription
- Inform you of renewals and changes to terms
This email address will never be used for marketing purposes without your explicit consent.
Third-Party Data Sharing
Quadran never sells, rents, or transfers your data to third parties for commercial purposes. The only data recipients are the technical subprocessors strictly necessary for the service to function:
| Third party | Data shared | Purpose | Conditions |
|---|---|---|---|
| Supabase | Anonymous votes, email (OTP activation, waitlist), email + message (contact) | Database hosting | Always active for these features |
| Payment provider (PCI-DSS certified) | Email, card details | Payment processing and billing | Only during a purchase |
| Anthropic (optional) | Structured portfolio summary | Copilot analysis generation (Claude) | Only if you configure an Anthropic API key and start an analysis |
| OpenAI (optional) | Structured portfolio summary | Copilot analysis generation (GPT-4o) | Only if you configure an OpenAI API key and start an analysis |
| CoinGecko | No personal data — only ticker symbol queries | Real-time cryptocurrency price data | When the crypto section is active |
No data is shared with advertising networks, tracking platforms, data brokers, or any third party not listed above.
AI Copilot: when you use the Copilot feature, a structured summary (valuations, allocations, investor profile) is sent to the AI provider you have chosen via your own API key. This transfer only occurs on your explicit request. Quadran has no access to your API key or to the exchanges with the AI provider.
Transfers Outside the European Union
Some of the subprocessors mentioned in Article 7 operate outside the European Union:
- Supabase — servers in the United States. This transfer is governed by the European Commission's Standard Contractual Clauses (SCCs). Vote data is strictly anonymous; contact/waitlist data is limited to the email address and message.
- Anthropic / OpenAI (optional) — servers in the United States. The transfer only takes place at your initiative, via your own API key, and is subject to each provider's terms and privacy policy.
- CoinGecko — public API, no personal data transferred.
Local financial data never leaves your device and is therefore not subject to cross-border transfers.
Data Retention
| Data | Retention period |
|---|---|
| Local financial data (history, holdings, settings) | Stored on your device until you uninstall the extension or manually delete via the export/reset feature |
| Anonymous votes | Retained while the voting feature is active; deleted if the feature is removed |
| OTP activation email | Deleted immediately after successful code verification; maximum 24 hours if the code expires unused |
| Billing data (email, payment history) | 10 years from the transaction date (statutory accounting obligation) |
| Active licence data | Duration of subscription + 1 year after cancellation for dispute management |
| Email (waitlist) | Until you unsubscribe or 3 years of inactivity |
| Email + message (contact form) | 3 years from the closure of the request |
Your Rights (GDPR)
In accordance with Regulation (EU) 2016/679, you have the following rights regarding your personal data:
- Right of access — obtain confirmation that data relating to you is being processed and receive a copy.
- Right of rectification — have inaccurate or incomplete data corrected.
- Right to erasure — request deletion of your data under the conditions provided by the GDPR.
- Right to restriction — obtain the temporary suspension of processing.
- Right to data portability — receive your data in a structured, machine-readable format (the extension offers a JSON export function).
- Right to object — object to processing based on legitimate interest.
- Withdrawal of consent — withdraw consent previously given at any time.
To exercise these rights, contact us at contact@quadran.io. We will respond within a maximum of 30 days.
You also have the right to lodge a complaint with the CNIL (Commission Nationale de l'Informatique et des Libertés): www.cnil.fr.
Data Security
Quadran applies the following technical and organisational measures:
- All financial data remains on your device — no network transit is possible for this data.
- The Supabase API key used for votes is a public anonymous key (anon key) protected by database-level security rules (Row Level Security).
- The quadran.io website is served exclusively over HTTPS.
- The extension is subject to the strict security policy of Chrome Manifest V3 (no remote code execution, isolated sandbox).
- API keys for AI providers are stored in your local browser storage and never transmitted to Quadran servers.
Cookies and Trackers
The quadran.io website does not use tracking or advertising cookies.
The only storage mechanisms used are:
localStorage(website) — stores your vote preference to prevent duplicate votes in the same browsing session. No personal data is stored.chrome.storage.local(extension) — local storage of your financial data and settings on your device. Not accessible from the website.
If audience analytics tools are integrated in the future, this section will be updated and a compliant consent banner will be added.
Minors
Quadran is a tool intended for adult investors. We do not knowingly collect data from persons under 18 years of age. If you are a parent or guardian and believe a minor has provided personal data, please contact us at contact@quadran.io so we can delete it.
Changes
We reserve the right to modify this privacy policy at any time. In the event of a material change, we will notify you via an in-extension notification or by email if you hold a subscriber account.
The date of the last update appears at the top of this document. We encourage you to check this page regularly.
Contact
For any questions about this policy or to exercise your rights:
Email: contact@quadran.io
Website: quadran.io
Response time: maximum 30 days
Competent supervisory authority: CNIL — Commission Nationale de l'Informatique et des Libertés, 3 Place de Fontenoy, 75007 Paris — www.cnil.fr