Privacy Policy

OnlyDividends Mobile Application

Last Updated: May 5, 2026


1. Introduction

At OnlyDividends, your privacy is our priority. We are committed to protecting your personal data and being transparent about how we collect, use, and safeguard your information.

OnlyDividends operates on a privacy-first principle. Unlike many financial applications, we do not require you to link your bank accounts, brokerage accounts, or provide access to your financial institutions. You maintain full control over your data by manually entering only the stock symbols and quantities you wish to track.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights regarding your data. It applies to all users of the OnlyDividends mobile application (the "Application").


2. Data Controller

The data controller responsible for your personal data is:

  • Name: El Mourad Sroutou, entrepreneur individuel
  • SIREN: 930 167 796
  • Address: 60 Rue François 1er, 75008 Paris, France
  • Email: support@onlydividends.app

We process your personal data in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation - "GDPR") and the French Data Protection Act (Loi Informatique et Libertés).


3. What Personal Data Do We Collect?

We collect only the data necessary to provide you with our services. We practice data minimization and do not collect more information than required.

3.1 Account and Authentication Data

When you create an account, we collect and store:

  • Email address
  • A unique user identifier assigned by Firebase Authentication
  • Sign-in provider used (email/password, Google, or Apple) and authentication metadata such as account creation date, last sign-in time, and email verification status
  • Display name and profile photo URL, when provided by Google or Apple Sign-In
  • For Apple Sign-In, we request the "full name" and "email" scopes; you may choose to share your name and may use Apple's "Hide My Email" relay address

Passwords are not stored or visible to us; they are managed entirely by Firebase Authentication. OAuth tokens from Google and Apple are exchanged with Firebase for an authenticated session and are not retained by us.

If you sign up with email and password, we will send you an email verification link, and a password reset email if you request one. These transactional emails are delivered via Resend (see Section 5).

3.2 Portfolio Data

When you add a holding, we store the information you enter and the public market data we retrieve for that ticker:

  • Stock ticker symbol and company name
  • Number of shares (quantity) you enter
  • Reporting currency of the security
  • Most recent quoted price
  • Last dividend amount and dividend payment dates
  • Logo URL, exchange, and sector classification (public reference data)
  • Date the holding was added and last updated

We do not store purchase price, cost basis, transaction history, capital gains, or any other position-level financial detail beyond the ticker and quantity you enter.

3.3 User Preferences and Subscription

  • Base reporting currency (EUR, USD, GBP, CAD, CHF, AUD)
  • Language preference (English, French, Spanish)
  • Timezone (IANA identifier)
  • Withholding tax rate
  • Monthly dividend income goal (if set)
  • Notification preference (off by default)
  • Email updates preference
  • Light/dark mode preference
  • Subscription status (free vs. premium plan, plan type, renewal/expiration date, cancellation status)

3.4 Technical, Diagnostic and Usage Data

We automatically collect certain technical information needed to operate, secure, and improve the Application:

  • Device type, operating system version, and Application version
  • Crash and error reports (stack traces, device state at the time of an error)
  • Performance traces (e.g. screen render times, network request durations)
  • Masked session replays in production at a reduced sample rate (see Section 10)
  • Push notification tokens (FCM/APNs), used to deliver dividend notifications
  • Device attestation tokens via Firebase App Check (see Section 13)
  • IP address (used for security, abuse prevention, and rate-limiting; not used for advertising)
  • Analytics events linked to your Firebase user identifier after sign-in (see Section 9)

3.5 Data We Do NOT Collect

To emphasize our privacy-first approach, we want to be clear about what we do not collect:

  • Bank account credentials or access
  • Brokerage account credentials, balances, or transaction history
  • Purchase prices, cost basis, or capital gains data
  • Government identifiers (social security numbers, tax IDs, ID documents)
  • Payment card details (handled directly by Apple App Store and Google Play)
  • Contacts, photos, or location data
  • Advertising identifiers (IDFA, AAID); we do not perform cross-app or cross-site advertising tracking

3.6 Local Storage on Your Device

For functionality and offline use, the Application stores data locally on your device:

  • An encrypted MMKV store containing your authentication state, settings, and subscription cache. The encryption key is generated on first launch and held in the iOS Keychain or Android Keystore via Expo SecureStore.
  • An offline Firestore cache so the Application can render your portfolio without a network connection.
  • An AsyncStorage entry for your selected language.
  • A small unencrypted preferences file used solely to remember your light/dark mode choice for the splash screen, so the splash matches your theme on next launch.

4. Legal Bases for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

Purpose | Legal Basis | Data Categories
Providing the Service (portfolio tracking, dividend calendar, notifications) | Contract Performance (Art. 6(1)(b) GDPR) | Account Data, Portfolio Data, Preferences
Managing subscriptions and payments | Contract Performance (Art. 6(1)(b) GDPR) | Account Data, Subscription Status
Application security, abuse and fraud prevention, App Check, rate-limiting | Legitimate Interest (Art. 6(1)(f) GDPR) | Technical Data, Device Attestation Tokens, IP Address
Improving the Application, debugging, and quality monitoring (analytics, crash reports, performance, masked session replay) | Legitimate Interest (Art. 6(1)(f) GDPR) | Technical Data, Crash and Error Reports, Session Recordings
Sending optional product updates or marketing communications, only if you have expressly opted in (off by default) | Consent (Art. 6(1)(a) GDPR) | Email Address
Responding to GDPR rights requests and complying with French law | Legal Obligation (Art. 6(1)(c) GDPR) | Account Data, Request Details, Subscription Records

5. Service Providers and Sub-processors

We do not sell your personal data. We share data only with trusted service providers necessary to operate the Application. For each provider we describe what data is shared and why.

5.1 Service Providers

  • Firebase (Google LLC): Authentication, Firestore database hosting (Paris region for our user data), Cloud Functions, App Check, Firebase Analytics, and Firebase Cloud Messaging for push notifications. Privacy Policy: https://firebase.google.com/support/privacy
  • Sentry: Error monitoring, performance monitoring, and masked mobile session replay. Privacy Policy: https://sentry.io/privacy/
  • RevenueCat: Subscription management. Receives your Firebase user identifier as the in-app user ID along with purchase and entitlement metadata for your subscription. Privacy Policy: https://www.revenuecat.com/privacy
  • Apple App Store / Google Play Store: Payment processing and platform subscription management. We do not receive or store payment card details.
  • Resend: Delivery of transactional emails (email verification at signup and password reset). Resend receives your email address and the email content. Privacy Policy: https://resend.com/legal/privacy-policy
  • Financial Modeling Prep (FMP): Stock search and reference data (profile, dividend history, FX rates). FMP receives the ticker symbols, search terms, currencies, and dates needed to answer the request. FMP does not receive your Firebase user identifier or your share quantities. Privacy Policy: https://financialmodelingprep.com/developer/docs/terms
  • Logo.dev: Company and ticker logos. Logo URLs are loaded directly by your device when displayed; as a result, Logo.dev may receive the ticker symbol, your IP address, and standard HTTP request metadata (e.g., user agent). Website: https://logo.dev
  • Google Sign-In (Google LLC): Optional sign-in provider. If you choose to sign in with Google, we receive your email address and, if available, your name and profile picture. Privacy Policy: https://policies.google.com/privacy
  • Apple Sign-In (Apple Inc.): Optional sign-in provider. If you choose to sign in with Apple, we receive your email address (or Apple's relay address if you use "Hide My Email") and, if you share it, your name. Privacy Policy: https://www.apple.com/legal/privacy/

5.2 Legal Requirements

We may disclose your data if required by law, court order, or government request, or to protect our rights, property, or safety.


6. Data Storage Location and International Transfers

Your primary account, portfolio, and preference data is stored in Firebase Firestore in the Paris, France region (europe-west9), within the European Union. Cloud Functions that read or write your data run in the same EU region.

Some services necessary to operate the Application — including Firebase Authentication, Firebase Analytics, Firebase Cloud Messaging, RevenueCat, Resend, Sentry, Financial Modeling Prep, Logo.dev, Apple, and Google — may process data outside the European Economic Area (EEA). Where data is transferred outside the EEA, we rely on appropriate GDPR safeguards, such as the European Commission's Standard Contractual Clauses, adequacy decisions, or applicable data processing agreements.


7. How Long Do We Keep Your Data?

We retain your data only for as long as necessary to provide our services or comply with legal obligations:

Data Type | Retention Period
Account, Portfolio and Preference Data (primary database) | Deleted upon account deletion, subject to temporary backups, provider logs, and legal obligations
Analytics Data (Firebase Analytics) | 14 months (or as configured in Firebase Analytics)
Crash, Error and Performance Reports (Sentry) | According to Sentry project retention
Session Replays (Sentry) | According to Sentry project retention
Notification Delivery Logs (idempotency records) | Retained for operational integrity (to prevent duplicate notifications)
Subscription Event Logs | Up to 5 years (audit, billing, and legal compliance)
Security and Rate-Limit Logs | Short-lived; auto-cleaned within 1 hour to 2 days depending on log type
Server-Side Market Data Cache (FMP responses) | Up to 24 hours per record (refreshed daily)
FMP API Usage Records | Up to 60 days
Resend Email Delivery Logs | According to Resend's retention policy
Legal/Compliance Records | Up to 5 years as required by French law

Note: Upon account deletion, your account, portfolio, and preferences are deleted from our primary database. The records listed above as retained — notification delivery logs, subscription event logs, security and rate-limit logs, market data caches, FMP usage records, provider infrastructure logs, Firebase Analytics records, Sentry events and replays, Resend delivery logs, and RevenueCat records — may be retained as needed for legal compliance, billing, security, fraud and abuse prevention, debugging, and service integrity.


8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

  • Right of Access (Art. 15): Request a copy of the personal data we hold about you.
  • Right to Rectification (Art. 16): Request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
  • Right to Restriction (Art. 18): Request limitation of processing in certain circumstances.
  • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to Object (Art. 21): Object to processing based on legitimate interests.
  • Right to Withdraw Consent (Art. 7): Withdraw consent at any time for processing based on consent.

We do not engage in automated decision-making, including profiling, that produces legal effects or similarly significantly affects you.

8.1 How to Exercise Your Rights

To exercise any of these rights, contact us at support@onlydividends.app. We will respond within one (1) month. We may request proof of identity before processing your request.

8.2 Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the French data protection authority:

  • CNIL (Commission Nationale de l'Informatique et des Libertés)
  • Website: https://www.cnil.fr
  • Address: 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France

In accordance with Article 77 GDPR, you may also lodge a complaint with the data protection authority of your EU country of residence (for example, the AEPD in Spain, the BfDI in Germany, the Garante in Italy).


9. Analytics and Diagnostics

We use Firebase Analytics to understand how the Application is used and to improve features. After you sign in, analytics events are linked to your Firebase user identifier. Examples of events we record include screen views; sign-up, sign-in and password-reset events; settings changes; notification toggles; paywall and subscription events; and stock-added, stock-updated and stock-deleted events. Stock-added events include the ticker symbol you added.

We use Sentry for crash, error and performance monitoring. Sentry receives stack traces, device and Application metadata, and breadcrumbs leading up to an error.


10. Mobile Session Replay

In production, the Application uses Sentry's mobile session replay feature to help us reproduce and fix issues. Replay is configured as follows:

  • Session sample rate: 10% of sessions are recorded.
  • Error sample rate: 100% of sessions that include an error are recorded.
  • Masking: All text, images, and vector content are automatically masked, so the captured replay shows the layout and interactions, not your actual data.
  • Purpose: Debugging, quality improvement, and error diagnosis only.

There is currently no in-app opt-out for analytics or session replay. If you wish to opt out, you may contact us at support@onlydividends.app and we will configure your account accordingly.


11. Push Notifications

Dividend notifications are opt-in and disabled by default. When you enable them, the Application requests operating-system notification permission and registers a push token (FCM on Android, APNs on iOS) with Firebase Cloud Messaging. The token is stored on your account so we can deliver notifications to your device.

When you disable notifications in the Application or sign out, we clear the stored push token where possible. You can also revoke notification permission at any time in your device's system settings.

Notification payloads may include the dividend amount, the company name or ticker, and the payment date. To prevent duplicate notifications, we keep a short delivery record per notification containing your user identifier, the ticker symbol, the payment date, the amount, the currency, and the timestamp the notification was sent.


12. Account Deletion

You can delete your account at any time from Settings → Delete Account in the Application. When you do:

  • Your Firebase Authentication account is permanently deleted.
  • Your user profile document and your full holdings sub-collection are deleted from our primary Firestore database.
  • Your local data on your device (encrypted MMKV stores, Firestore offline cache, language preference) is cleared on sign-out.

Some operational records may be retained as described in Section 7 — including notification delivery logs (for idempotency), subscription event logs, security and rate-limit logs, market data caches, provider infrastructure logs, Firebase Analytics and Sentry records, Resend delivery logs, and RevenueCat records — and only for the purposes listed there.

If you cannot use in-app deletion, or if you wish to exercise any other GDPR right (access, rectification, erasure, portability, objection, restriction, withdrawal of consent), please contact us at support@onlydividends.app.


13. Application Security and Integrity

We implement appropriate technical and organizational measures to protect your personal data:

  • Transport encryption: TLS/SSL is used for all communications with our backend and third-party providers.
  • At-rest encryption: Firestore and provider databases encrypt data at rest. On your device, sensitive local state is held in an encrypted MMKV store with the encryption key kept in the iOS Keychain or Android Keystore.
  • Access controls: Firestore security rules ensure that you can only read and write your own data, and our Cloud Functions enforce ownership checks server-side.
  • App Check: In production, calls to our backend require a valid attestation token. We use Apple App Attest with DeviceCheck fallback on iOS, and Google Play Integrity on Android. Development and staging builds may use a debug provider.
  • Security updates: We keep our systems and dependencies up to date with security patches.

While we strive to protect your data, no method of transmission or storage is 100% secure. We cannot guarantee absolute security.


14. No Sale of Personal Data and No Advertising Tracking

We do not sell your personal data. The Application contains no advertising and does not use the iOS Advertising Identifier (IDFA) or the Android Advertising ID for cross-app or cross-site advertising tracking.


15. Children's Privacy

The Application is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at support@onlydividends.app, and we will delete such data promptly.


16. Third-Party Links

The Application may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal data.


17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or in-app notification. The "Last Updated" date at the top of this policy indicates when it was last revised.

Continued use of the Application after changes become effective constitutes acceptance of the revised Privacy Policy.


18. Language

This Privacy Policy is available in English, French, and Spanish. In the event of any discrepancy between language versions, the French version shall prevail.


19. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

  • Email: support@onlydividends.app
  • Address: El Mourad Sroutou, 60 Rue François 1er, 75008 Paris, France
  • Website: https://onlydividends.app