Last updated:
Last updated: 2026-04-28. The short version: your portfolio never leaves your computer.
No. CSV parsing, holdings reconciliation, dividend application, and metric computation all happen in your browser using JavaScript. The only data sent to the server is the list of ticker symbols you hold, so the server can return historical prices. The server never sees quantities, transaction amounts, or any personally identifiable information.
Client-side processing · No portfolio data ever transmittedFoliolytic collects the minimum data needed to operate the site and improve the product. Specifically:
When you upload a CSV, the parser extracts ticker symbols and queries our price database to retrieve historical prices for those tickers. The server logs that a request was made for those tickers, but does not log who sent the request, in what quantities, or what dollar amounts were involved. This is technically necessary — we cannot show you charts and metrics without knowing which prices to retrieve.
Foliolytic uses Google Analytics 4 for site-level usage statistics (which pages are popular, which countries visitors come from, which device types are most common). GA4 may set its own cookies and is governed by Google's privacy policy. You can block GA4 with any standard ad-blocker (uBlock Origin, Brave Shield, etc.) without affecting site functionality.
| Type | Essential cookies / localStorage only. No advertising or tracking cookies are set by Foliolytic itself. |
|---|---|
| fl_visits | localStorage. An integer counter that increments on each visit. Used solely to distinguish first-time vs. returning visitors in aggregate metrics. Clearing your browser data resets this. |
| fl_vid | localStorage. A randomly-generated UUID that uniquely identifies your browser. Cannot be linked to any personal identity. |
| fl_sid | sessionStorage. A randomly-generated UUID for the current browser session. Cleared automatically when you close the tab. |
| Google Analytics | GA4 may set _ga and _ga_* cookies for its own analytics. Lifetime up to 24 months. Block via ad-blocker if you prefer. |
| Cloudflare | Cloudflare may set __cf_bm and similar cookies for bot detection and security. These are essential for the site to remain available under load. |
You can clear all Foliolytic-set cookies and localStorage at any time via your browser's site-data tools. The site will continue to work — you'll just appear as a brand-new visitor on the next load.
Foliolytic uses Cloudflare as its CDN and DDoS-protection layer. Cloudflare sees your IP address and the URLs you request. Cloudflare's privacy policy is at cloudflare.com/privacypolicy.
Foliolytic uses GA4 for aggregate site usage statistics. GA4 sees the same anonymous data described in 'What we collect' above. Google's privacy policy is at policies.google.com/privacy. You can opt out by installing the Google Analytics opt-out browser add-on or by using any ad-blocker.
Foliolytic loads the 'Plus Jakarta Sans' and 'JetBrains Mono' fonts from Google Fonts. Loading a font sends a request to Google's font servers, which see your IP address and user agent. Google does not associate font requests with your identity.
If you upload a portfolio with European ISINs, those ISINs are sent to OpenFIGI (Bloomberg's free-tier symbology service) to be resolved into Yahoo-compatible tickers. OpenFIGI sees the ISINs but not who sent them, and Foliolytic caches results so the same ISIN is queried at most once per portfolio upload.
Treasury yields, CPI, and other macro data come from public sources. Foliolytic pulls this data once nightly into its own database — your browser never queries these third parties directly.
Under the General Data Protection Regulation, the following apply:
Under the California Consumer Privacy Act:
Anonymous analytics events are retained for 14 months for product-improvement purposes (matching Google Analytics 4's standard retention period). After 14 months, individual session-level rows are aggregated into monthly summaries and the row-level data is purged.
The list of tickers in our price database is retained indefinitely (it's just a list of tickers, not an account history).
If you ever want a specific session deleted earlier, contact [email protected] with the approximate date and time of your visit.
Foliolytic runs on a hardened server stack: HTTPS-only with HSTS preload (minimum 2-year max-age), Content Security Policy Level 3 (no inline scripts beyond the analytics tag, no unauthorized eval or external scripts), X-Frame-Options DENY (no embedding in iframes), Cross-Origin-Opener-Policy same-origin, and Permissions-Policy disabling 35+ browser features by default. The full security header set is documented in the site's nginx configuration.
The application code is open to inspection — view-source on any page shows the unobfuscated client-side JavaScript that processes your CSV. The PHP server-side code is small and the only persistent state it holds is the public price database plus anonymous analytics.
Foliolytic is not directed at children under 13. We don't knowingly collect personal information from anyone under 13. If you believe a child has somehow used the site (which would be unusual since there is no signup), contact [email protected] and we will work to ensure no relevant data is retained.
If we make material changes to how data is handled, the 'Last updated' date at the top of this page will change and a banner will appear on the homepage for at least 30 days. Material changes will never reduce your privacy retroactively — any new data-collection that goes beyond what's described here will be opt-in.
Privacy questions, GDPR or CCPA requests, or just general feedback: [email protected]. Foliolytic is run by one person and replies are usually within 48 hours.
Every metric below has its own dedicated calculator with worked examples, interpretation tables, and a free CSV upload tool.
Now that you know what data we don't collect, see what we can do for your portfolio.
Analyze Your Portfolio Free →