Lórien
FINANCIAL

Privacy Policy

Política de Privacidad · Last updated: [DATE] · Version: interim draft
Interim demonstration draft. Lórien Financial is a pre-commercial demonstration tool. During this phase no real client or personal data should be uploaded, and the processor / data-processing- agreement machinery below applies only once the tool is used commercially. This policy is an interim draft pending review by qualified counsel; a Spanish version will be published before commercial use.

1. Controller

The controller for account and usage data is Lórien Financial — [legal/natural-person name, NIF, Barcelona address — TBD]. Data-protection contact: operations@lorienfinancial.com. No Data Protection Officer is mandatory for the current activity; the contact above handles privacy requests.

2. Two Roles

Account & usage data (adviser login email, name, usage): Lórien acts as controller. Client portfolio data that an adviser submits (client codes, ISINs, amounts, screenshots): the adviser is controller and Lórien is processor. Processing of client data is governed by a GDPR Art. 28 Data Processing Agreement signed before any real client data is uploaded, not by this policy.

3. Data & Sources

Pseudonymised portfolio data is treated as ordinary personal data (GDPR Recital 26).

4. Purposes & Legal Bases

PurposeLegal basis (GDPR Art. 6)
Provide the account and service; billing6(1)(b) contract
Security, fraud prevention, service analytics6(1)(f) legitimate interest
Invoices and legal record-keeping6(1)(c) legal obligation
Optional adviser marketing6(1)(a) consent / LSSI Art. 21 soft opt-in

For client portfolio data, Lórien acts as processor on the adviser's documented instructions; the legal basis is the adviser's, and Lórien does not assert consent for that processing.

5. Automated Processing

Screenshot reading (OCR) and hedging analysis are automated. They are decision-support only: a human adviser makes every decision. No solely-automated decision producing legal or similarly significant effects on a data subject is made (GDPR Art. 22 not triggered).

6. Recipients & Sub-processors

Each sub-processor operates under its own data-processing terms.

7. International Transfers

Some processing occurs in the United States (Anthropic for OCR; Netlify for hosting). Transfers are safeguarded by the EU Standard Contractual Clauses (GDPR Art. 46(2)(c)) as the primary mechanism, with the EU-US Data Privacy Framework as a secondary safeguard. A transfer impact assessment has been considered (including the US CLOUD Act for US-incorporated vendors). Uploaded screenshots are processed to extract holdings and are not used to train AI models or permanently stored on Lórien servers. You can request a copy of the relevant safeguards from the contact above.

8. Retention

Screenshots are transient and not permanently stored after OCR. Hedge/analysis requests are kept only as long as needed for the service. Account data is kept for the life of the account plus any tax and commercial record-keeping period required by law. [specific periods TBD]

9. Your Rights

You may exercise the rights of access, rectification, erasure, restriction, portability, and objection (GDPR Arts. 15-22), free of charge, normally within one month. Requests about client portfolio data are routed to the adviser (controller), whom Lórien assists; requests about account data are handled by Lórien first-line. Contact operations@lorienfinancial.com.

10. Complaints

You may lodge a complaint with the Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD — aepd.es).

11. Security

We apply technical and organisational measures appropriate to the risk (GDPR Art. 32): encryption in transit and at rest, pseudonymisation where practical, least-privilege access controls, audit logging, and secret management. In the event of a personal-data breach we act on the applicable Art. 33/34 timelines and, where Lórien is a processor, notify the adviser-controller without undue delay.

12. Cookies

The tool uses only strictly necessary ("técnicas") cookies required to sign in and run the app; these are exempt from prior consent. If analytics or marketing cookies are introduced, a compliant consent banner (equal accept/reject, granular, no pre-ticked boxes) will be shown first.

13. Changes

We may update this policy; the current version is always the one published here with its date.

14. Short Notice (First Layer)

Controller: Lórien Financial. Purpose: operate the tool and, where you submit client data, process it on the adviser's instructions. Basis: contract, legitimate interest, legal obligation, or consent as set out above. Rights: access, rectify, erase, object — details in the full policy above. This is a demonstration tool: do not upload real client or personal data during this phase.