Privacy Policy

Coral Dash ("we", "us", "our") is committed to protecting your privacy and handling your personal data responsibly. This Privacy Policy describes our practices regarding the collection, use, and disclosure of your information.

Important: Coral Dash is an independent project and is not affiliated with, endorsed by, or connected to Monzo Bank Ltd. We do not have direct access to your Monzo account or banking credentials.

By using Coral Dash, you consent to the data practices described in this policy. If you do not agree with our practices, please do not use our service.

2.1 Account Information

When you create an account, we collect:

• Email address (via Google OAuth)
• Name and profile information (as provided by Google)
• Account preferences and settings you configure

2.2 Self-Hosted Licence Activation

If you use the self-hosted Docker edition, the following data is sent to coraldash.com once on first boot to activate your licence:

• Your licence key (UUID)
• Your server's hostname

No other data is sent — no user data, no financial data, no usage analytics. After activation, the container runs fully offline and never contacts coraldash.com again. You can firewall the container after first boot.

2.3 Google Account Data

When you connect your Google account, we request read-only access to:

• Your Google Sheets files: To read transaction data from your selected spreadsheet
• File access via Google Picker: You select your spreadsheet using Google's native file picker, which grants us access to only that specific file

We use this data to:

• Retrieve your transaction data from the connected spreadsheet
• Process and display your financial information in the dashboard
• Generate insights, summaries, and reports

We only access the specific spreadsheet you authorise. We do not modify, create, or delete any files. See Section 5 for complete details on Google data handling.

2.4 Usage Data

We may automatically collect information about how you use the service:

• Pages and features you access
• Time spent on the service
• Device information (browser type, operating system)
• IP address

2.5 Payment Information

Payment processing is handled entirely by Stripe, a PCI-compliant payment processor. We do not store your complete credit card number, CVV, or other sensitive payment details on our servers. We may receive and store:

• Last four digits of your card (for display purposes)
• Card type and expiry date
• Billing address
• Stripe customer ID

2.6 Trading 212 Data

If you choose to connect your Trading 212 account, we collect and process the following information:

• API Credentials: Your Trading 212 API key is stored using industry-standard encryption (AES-256). We never store your API key in plain text.
• Account Balances: Cash, invested, and total portfolio values.
• Positions & Holdings: Details of assets held, including quantity, value, and performance metrics.

This data is used solely to calculate and display your net worth and investment performance. We do not execute trades or modify your Trading 212 account in any way.

2.7 Mortgage & Property Data

If you choose to use the mortgage tracking feature, we collect and process the following information:

• Property Information: Address, postcode, property type, number of bedrooms, and number of bathrooms.
• Mortgage Details: Outstanding balance, interest rate, remaining term, lender name, monthly payment amount, and mortgage type (e.g. fixed, variable, tracker).
• Chimnie Property Data: We use the Chimnie API to retrieve enriched property information for UK addresses, including estimated valuations, council tax band, EPC rating, transaction history, and floor area. This data is stored alongside your mortgage record.
• Valuation History: Property valuations are tracked over time to provide historical charts and equity calculations.
• Overpayment Scenarios: Any mortgage overpayment simulations you create, including amounts and frequencies.

This data is used to display mortgage metrics such as equity, loan-to-value (LTV) ratio, amortisation schedules, and to integrate your property as an asset within your net worth overview.

Important: Coral Dash does not provide mortgage advice, property advice, or valuations of any kind. Property valuations displayed are estimates sourced from third-party data and should not be relied upon for financial decisions.

We use the information we collect to:

• Provide, operate, and maintain the Coral Dash service
• Process your subscription and manage your account
• Display your financial data and generate insights
• Send you service-related communications (account updates, billing notices)
• Respond to your enquiries and provide customer support
• Improve and optimise the service
• Detect and prevent fraud or abuse
• Comply with legal obligations

We do not sell, rent, or share your personal data with third parties for their marketing purposes.

Coral Dash uses the following third-party services to operate. By using our service, you acknowledge that your data may be processed by these providers in accordance with their respective privacy policies:

We follow the security best practices and guidelines established by these providers. However, we cannot guarantee the security practices of third-party services beyond what they publicly disclose.

When you connect your Google account to Coral Dash, we request the following read-only permissions:

What We Store

• OAuth refresh token: Stored encrypted in our database to maintain your Google connection
• Selected spreadsheet ID: To remember which spreadsheet to sync from
• Synced transaction data: Transaction data imported from your spreadsheet

What We Do NOT Do

• Modify, create, or delete any files in your Google account
• Access any files other than your explicitly selected spreadsheet
• Share your Google data with third parties
• Use your data for advertising, profiling, or marketing purposes
• Retain your data after you request deletion

Revoking Google Access

You can disconnect your Google account at any time from your account settings. When you disconnect:

• Your OAuth tokens are immediately deleted from our database
• Your stored spreadsheet ID and configuration are cleared
• We lose all access to your Google account and data
• Previously synced transaction data remains in your Coral Dash account unless you request its deletion

You can also revoke access directly from your Google Account at any time by visiting Google Account Permissions.

We implement industry-standard security measures to protect your data:

• All data is transmitted over HTTPS (TLS encryption)
• Database access is protected by row-level security policies
• Authentication is handled via secure OAuth protocols
• Sensitive credentials (like Trading 212 API keys) are stored using AES-256 encryption
• Access to production systems is restricted and logged

Your data is primarily stored on Supabase's cloud infrastructure, which may be located in data centres in the United States or other regions. Vercel's edge network operates globally.

Self-hosted users: All data is stored entirely on your own infrastructure. We have no access to your self-hosted data. The security of your self-hosted installation — including database backups, network configuration, and access controls — is your responsibility.

We retain your personal data for as long as your account is active or as needed to provide you with the service.

• Active accounts: Data is retained while your subscription is active.
• Account deletion: Upon your request to delete your account, we will delete your personal data within 30 days, except where we are required to retain it for legal purposes.
• Legal retention: We may retain certain data as required by law (e.g., transaction records for tax purposes) or to protect our legal rights.

Google Data Retention

For data obtained through your Google account connection:

• OAuth tokens: Deleted immediately when you disconnect your Google account or delete your Coral Dash account
• Synced transaction data: Retained until you request deletion or delete your account. You can request deletion of synced data while keeping your account active.
• Spreadsheet metadata: Your selected spreadsheet ID is deleted when you disconnect your Google account

Trading 212 Data Retention

For data obtained through your Trading 212 integration:

• API Credentials: Your encrypted API keys are deleted immediately when you disconnect the integration or delete your account.
• Historical Data: Snapshots of your account value may be retained to provide net worth history charts, even after disconnection, unless you explicitly request deletion or delete your account.

Property & Mortgage Data Retention

For data associated with the mortgage tracking feature:

• Property & Mortgage Data: Your property details, mortgage information, and overpayment scenarios are stored while your account is active and deleted upon account deletion or upon request.
• Valuation History: Historical property valuations are retained for charting purposes and deleted when you remove the mortgage or delete your account.
• Chimnie Data: Cached property details retrieved from Chimnie are deleted when you remove the mortgage or delete your account.

You can disconnect your Google account independently of deleting your Coral Dash account. This allows you to remove Google access while retaining other account data.

If you are located in the UK or European Economic Area (EEA), you have certain rights under the General Data Protection Regulation (GDPR):

• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can request that we correct any inaccurate or incomplete data.
• Right to erasure: You can request that we delete your personal data (subject to legal retention requirements).
• Right to data portability: You can request a copy of your data in a structured, machine-readable format.
• Right to object: You can object to certain types of processing.
• Right to withdraw consent: Where we process data based on your consent, you can withdraw that consent at any time.

To exercise any of these rights, please contact us through our contact page or delete your account through your account settings.

Coral Dash uses cookies for the following purposes:

• Essential cookies: Required for authentication and maintaining your session. These cannot be disabled.
• Preference cookies: Remember your settings and preferences (e.g., theme selection).

We do not use third-party tracking cookies or advertising cookies. We do not share cookie data with third parties for advertising purposes.

Coral Dash is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without parental consent, we will take steps to delete that information.

Your data may be processed and stored in countries outside the United Kingdom and European Economic Area, including the United States, where our third-party service providers (Supabase, Vercel, Stripe, Google, Chimnie) maintain their infrastructure.

These providers are selected for their compliance with applicable data protection standards and, where applicable, participate in data protection frameworks recognised by UK and EU authorities.

Self-hosted users: Your data remains on your own server in the location you choose. No international data transfers are made by us for self-hosted installations (the one-time licence activation sends only your licence key and hostname).

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make material changes, we will:

• Update the "Last updated" date at the top of this page
• Notify you via email for significant changes

Your continued use of the service after any changes indicates your acceptance of the updated policy.

If you have any questions about this Privacy Policy or our data practices, please contact us through our contact page.