We build for UK GDPR and PECR from day one. No selling of data and no bank linking. We collect only what we need to provide your wealth tracker, portfolio analytics, and optional AI Insights.
Version 1.0 - Last updated: 24 Jan 2026
Data controller
The data controller for your personal data is Boltons Tech Ltd, a company registered in England and Wales (company number 16985638), with a registered office address at 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ. You can contact us at hello@tremis.ai for any data protection queries.
Data we collect
Account details for authentication (e.g. email) and an internal pseudonymous user identifier.
Profile preferences you set (base currency, timezone, theme, email preferences).
Portfolio data you enter, such as accounts, balances, positions (stocks/crypto/metals), liabilities, notes, allocation goals, and related metadata.
Snapshots and analytics derived from your portfolio (e.g. exposure breakdowns and history).
Cashflow data you enter (cashflow events used to compute cashflow summaries).
AI Insights data (optional): conversation threads and messages, plus usage metadata (e.g. token counts).
Subscription and billing metadata (optional): plan status and Stripe customer/subscription identifiers. We do not store your full card details.
Product usage events we record inside Tremis (e.g. feature usage and reliability events) to improve the product.
Support submissions (name, email, message, hashed IP, user agent) retained for 30 days.
Consent and preference logs (cookie categories, timestamps, region, anonymous ID, locale/time zone, and Do Not Track where available).
Tremis does not currently offer automatic bank or institution connections. We never ask for or store your online banking credentials.
How we use your data
To provide the app (dashboards, analytics, snapshots, and exports) tailored to your base currency/timezone.
To send service communications and weekly summaries if you opt in. We do not send marketing emails without consent.
To provide AI Insights if you choose to use it and grant consent before portfolio data is sent to the AI provider.
To provide customer support, prevent abuse, and improve reliability.
To comply with legal obligations around access, deletion, accounting, and incident response.
Lawful bases
We rely on different lawful bases depending on the category of data:
| Data category | Lawful basis | Purpose |
| --- | --- | --- |
| Account details and profile preferences | Contract | Create and manage your account |
| Portfolio and cashflow data you enter | Contract | Deliver dashboards, analytics, snapshots, and exports |
| AI Insights (portfolio context + chat messages) | Consent | Generate AI responses using your chosen portfolio context |
| Subscription and billing metadata | Contract / legal obligation | Process payments, manage subscriptions, accounting |
| Security and abuse prevention logs | Legitimate interests | Protect the service and users |
| Analytics cookies | Consent | Measure performance and improve reliability |
| Marketing communications | Consent | Send promotional content you have opted into |
| Support submissions (hashed IP, user agent) | Legitimate interest | Provide support and prevent abuse |
| Consent preferences | Legal obligation | Demonstrate GDPR/PECR compliance |
Sharing & processors
Supabase for authentication, database, and storage (including Row-Level Security; encryption in transit and at rest).
Vercel for hosting and operational tooling.
Vercel Analytics and Speed Insights (only if you opt into analytics cookies).
Vercel BotID for bot protection on certain endpoints (to prevent abuse).
Resend for sending service communications and weekly emails (if enabled).
Stripe for subscription payments and billing portal access. We receive subscription status and identifiers, but Stripe processes card payments.
AI providers for AI Insights (accessed via Vercel AI Gateway, which routes requests to OpenAI). If you enable AI Insights and give consent, we send your chat message and a portfolio summary to generate a response.
Market data providers (e.g. FX rates and asset pricing) used to value portfolios (for example: exchange rates and quotes via RapidAPI, including Alpha Vantage and exchange-rates7, and metal prices via live-metal-prices). Requests to these APIs do not include your portfolio or identity, but providers may receive standard server request data (like IP).
We never sell data to advertisers or data brokers. No third-party ad networks.
AI Insights (optional)
AI Insights is a portfolio-aware chat feature. Before any portfolio data is sent to the AI provider, Tremis asks for your explicit consent. If you consent, we send (a) the message you type and (b) a summary of your portfolio context (such as totals, exposure breakdowns, and selected snapshots) to our AI providers (via Vercel AI Gateway / OpenAI) to generate a response.
We store AI Insights threads and messages in our database so you can view, continue, or delete conversations. AI output can be incorrect or incomplete; it is provided for informational purposes only and is not financial advice.
International transfers
Some vendors process data outside the UK/EEA. We rely on SCCs/IDTA or other approved safeguards.
We only work with vendors that provide GDPR-ready contractual commitments.
Retention
Account data is retained while you use Tremis and deleted on request.
Portfolio and cashflow data are preserved for your history until you delete them or close your account.
Support logs (hashed IP, user agent) are kept for up to 30 days for abuse prevention, then purged.
Consent logs are retained for up to 13 months unless a longer legal requirement applies.
AI Insights conversations are retained until you delete them (or close your account), subject to the same deletion workflows as other user content.
Billing records may be retained as required for accounting, fraud prevention, and legal compliance.
Backups follow the same retention and are removed when the source data is deleted.
Your rights (UK GDPR and EU GDPR)
Access and export: download your data or snapshots from the Settings area.
Portability: receive your personal data in a structured, commonly used, machine-readable format (such as CSV or JSON) so you can transfer it to another service.
Deletion: request account and data deletion at any time. We remove your portfolio data, snapshots, and other associated records, subject to any legally required retention.
Correction: update manual accounts and details directly in the product.
Objection and restriction: you can object to certain processing or ask us to restrict processing in specific circumstances.
Withdraw consent: where we process data based on your consent (e.g., analytics cookies or marketing emails), you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew.
Complain to a supervisory authority: if you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). If you are in the EEA, you may also contact your local data protection authority.
Submit a formal request via Privacy Requests and we will respond within 30 days.
Security controls
All data encrypted in transit and at rest. Service-role access is limited to required functions only.
Row-Level Security in Supabase to ensure users only access their own records.
Least-privilege credentials and access logging for operational systems and staff access.
Incident response plan with a 72-hour notification window where required.
Cookies & analytics
Product cookies for authentication and session management.
Vercel Analytics and Speed Insights for performance; no behavioural ad tracking.
No third-party marketing pixels or social sharing scripts in the product.
Analytics and optional cookies are only set after you opt in.
You can update your cookie choices at any time via .
Cookie inventory
Names and expiry can vary by browser and configuration. This table lists the key categories we use today.
| Name | Category | Purpose | Type | Expiry |
| --- | --- | --- | --- | --- |
| sb-*-auth-token | Essential | Supabase authentication session | Cookie | Session / up to 1 year |
| tremis_cookie_consent | Essential | Stores your cookie consent preferences | localStorage | Persistent until cleared |
| tremis_anonymous_id | Essential | Anonymous identifier for consent logging | localStorage | Persistent until cleared |
| va_* | Analytics | Vercel Analytics page-view and event tracking | Cookie | Session |
| speed-insights-* | Analytics | Vercel Speed Insights performance measurement | Cookie | Session |
We do not currently set any marketing cookies. If this changes, this table will be updated and consent will be requested before any marketing cookies are placed.
Contact for privacy & data rights
Email hello@tremis.ai for data subject requests or regulatory questions. You can also use the contact form and select “Data rights”.
Data Protection Officer: Boltons Tech Ltd has not appointed a formal Data Protection Officer at this time. All privacy enquiries are handled directly by the team via the contact details above.
EU representative: if you are in the European Economic Area and wish to raise a data protection matter, please contact us at hello@tremis.ai. We will appoint a formal EU representative under Article 27 of the EU GDPR if and when required.
Children
Tremis is not intended for children under 16. We do not knowingly collect data from minors.
Automated decision-making and profiling
Tremis generates portfolio analytics, performance metrics, exposure breakdowns, and weekly summary reports from your holdings data. These calculations are used solely to present information to you and do not produce legal effects or similarly significant decisions about you. We do not use automated decision-making that would require additional safeguards under Article 22 of the UK GDPR or EU GDPR.
Non-advisory stance
Tremis provides read-only tracking and analytics. We do not provide regulated financial advice or execution services. Always verify investment decisions independently.