Privacy Policy
Last updated: March 18, 2026
1. Introduction
MMM Fund ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our personal fund management platform ("Service"). This policy complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
MMM Fund acts as the data controller for the personal data processed through the Service. For any inquiries regarding your data, you may contact us at privacy@mmmfund.com.
3. Data We Collect
We collect the following categories of personal data:
3.1 Account Information
- Full name
- Email address
- Password (stored as a bcrypt hash, never in plain text)
- Avatar image (optional)
3.2 Security Data
- Two-factor authentication secrets and backup codes (encrypted)
- Session information (IP address, user agent, device details)
- Login attempt records (for fraud detection and account lockout)
3.3 Financial Data
- Transaction records (deposits, withdrawals, amounts, dates)
- Investment tracking data and portfolio information
3.4 Technical Data
- Browser type and version
- IP address
- Access timestamps
- Cookies and similar technologies (see Section 8)
4. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service, including account management, transaction processing, and portfolio tracking.
- Legitimate interests (Art. 6(1)(f)): Processing for security purposes, fraud prevention, service improvement, and analytics.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable laws, such as financial record-keeping requirements.
- Consent (Art. 6(1)(a)): Where applicable, for optional features such as marketing communications. You may withdraw consent at any time.
5. How We Use Your Data
We use your personal data to:
- Create and manage your account
- Authenticate your identity and maintain session security
- Process and display your financial transactions and investment data
- Send transactional emails (account verification, password resets, security alerts)
- Detect and prevent fraud, unauthorized access, and account abuse
- Comply with legal and regulatory obligations
- Improve and maintain the Service
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected:
- Account data: Retained while your account is active. Upon account deletion, personal data is anonymized within 30 days (see Section 7).
- Session data: Automatically expired and deleted after 7 days of inactivity.
- Security logs: Retained for up to 12 months for fraud detection purposes.
- Transaction records: Retained in anonymized form after account deletion to maintain financial reporting integrity.
7. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
- Right of Access (Art. 15): Request a copy of all personal data we hold about you.
- Right to Rectification (Art. 16): Update or correct inaccurate personal data through your account settings.
- Right to Erasure (Art. 17): Delete your account and all associated personal data. We implement this through anonymization: your personal information (name, email, password, avatar, 2FA data) is permanently erased, while anonymized transaction records are retained for referential integrity.
- Right to Restriction (Art. 18): Request that we limit the processing of your data under certain circumstances.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format.
- Right to Object (Art. 21): Object to the processing of your data based on legitimate interests.
To exercise any of these rights, contact us at privacy@mmmfund.com or use the account deletion feature in your account settings.
8. Cookies
We use the following cookies:
- Authentication cookies (essential): httpOnly, Secure, SameSite=Strict cookies that store encrypted session tokens. These are strictly necessary for the Service to function and cannot be disabled.
- Preference cookies (functional): Store your display preferences such as theme settings. These expire after 1 year.
We do not use third-party tracking cookies or advertising cookies.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Password hashing with bcrypt (cost factor 12)
- Encrypted JWT tokens stored in httpOnly cookies with SameSite protection
- Token rotation with family-based theft detection
- Account lockout after multiple failed login attempts
- Rate limiting on authentication endpoints
- TOTP-based two-factor authentication
- TLS encryption for all data in transit
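The "token rotation with family-based theft detection" item above names a control without describing it. The following Python sketch is an added illustration of the mechanism and is not MMM Fund's code; it assumes opaque random refresh tokens stored only as SHA-256 hashes, with each login starting a "family" of tokens, and the class, method and status names are hypothetical. Presenting a token that has already been rotated reveals that two parties hold a copy, so the whole family is revoked and the user must log in again.

```python
"""Refresh-token rotation with per-family reuse ("theft") detection.

Added illustration, not MMM Fund's code. Assumptions (hypothetical):
- refresh tokens are opaque random strings, stored only as SHA-256 hashes;
- every rotation chain (one login) forms a "family"; presenting an already
  rotated token means the user or a thief holds a stale copy, so the whole
  family is revoked and a fresh login is required.
"""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class TokenRecord:
    user_id: str
    family_id: str
    used: bool = False  # becomes True once this token has been rotated


class RefreshTokenService:
    def __init__(self) -> None:
        self._by_hash: dict[str, TokenRecord] = {}   # sha256(token) -> record
        self._revoked_families: set[str] = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Persist hashes only: a leaked token table must not yield usable tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def _mint(self, user_id: str, family_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._by_hash[self._digest(token)] = TokenRecord(user_id, family_id)
        return token

    def login(self, user_id: str) -> str:
        """Start a new family (one per successful login) and issue its first token."""
        return self._mint(user_id, secrets.token_hex(8))

    def rotate(self, presented: str) -> Tuple[str, Optional[str]]:
        """Exchange a refresh token for a fresh one in the same family.

        Returns (status, new_token); status is one of:
          "ok"             - token valid and unused; new token issued
          "unknown"        - no such token on record
          "family_revoked" - family already revoked; re-login required
          "reuse_detected" - token had already been rotated; family revoked now
        """
        rec = self._by_hash.get(self._digest(presented))
        if rec is None:
            return "unknown", None
        if rec.family_id in self._revoked_families:
            return "family_revoked", None
        if rec.used:
            # Two parties hold the same token and we cannot tell which one is
            # the attacker, so invalidate every token descending from this login.
            self._revoked_families.add(rec.family_id)
            return "reuse_detected", None
        rec.used = True
        return "ok", self._mint(rec.user_id, rec.family_id)

    def is_family_revoked(self, token: str) -> bool:
        rec = self._by_hash.get(self._digest(token))
        return rec is not None and rec.family_id in self._revoked_families


if __name__ == "__main__":
    svc = RefreshTokenService()
    t1 = svc.login("user-123")
    status, t2 = svc.rotate(t1)   # legitimate rotation -> "ok"
    print(status)
    print(svc.rotate(t1)[0])      # stale copy replayed -> "reuse_detected"
    print(svc.rotate(t2)[0])      # even the newest token is now dead -> "family_revoked"
```

The design choice worth noting is that revocation is applied to the family rather than to the single replayed token: the service cannot distinguish the legitimate client from the holder of the stolen copy, so both are forced back through authentication, which is where the account lockout and rate limiting controls listed above take over.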
10. Third-Party Services
We use the following third-party services that may process your data:
- Resend: For delivering transactional emails (verification, password reset, security alerts). Subject to Resend's Privacy Policy.
- Vercel: For hosting and serving the frontend application. Subject to Vercel's Privacy Policy.
All third-party processors are selected for their compliance with GDPR and maintain appropriate data processing agreements.
11. International Data Transfers
If your data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an adequacy decision.
12. Children's Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a minor, we will take steps to delete such data promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by updating the "Last updated" date and, where required, by sending you an email notification. We encourage you to review this page periodically.
14. Contact & Complaints
For any questions or concerns about this Privacy Policy or our data practices, contact us at privacy@mmmfund.com.
If you believe your data protection rights have been violated, you have the right to lodge a complaint with your local data protection supervisory authority.