Privacy Policy

We process only the minimum amount of personal data necessary to maintain your account and deliver core tracking capabilities:

• Account Identifiers: Your email address, name, and surname (optional) provided during clickwrap registration to authenticate your access.
• Subscription Status & Credits: Transaction flags, tier details (Scout, Explorer), and remaining AI usage budget generated through subscriptions.
• Usage Metadata: Basic logs of query counters and API request speeds to prevent abuse and protect third-party market data lines.

We do not collect or store credit card details, bank information, or payment credentials. All payment processing is handled externally.

To deliver an advanced, real-time workspace, Stocky integrates secure third-party processors. Each service is fully GDPR-compliant:

2.1 Payments & Tax: Polar.sh

All checkout flows, tax allocations, and invoicing routines are executed by our Merchant of Record, Polar Software Inc. By initiating an upgrade, your billing email and subscription inputs are shared securely with Polar under their privacy policies.

2.2 Platform Infrastructure: Firebase

We use Google Cloud Firebase for secure user authentication and profile management. Account passwords are managed directly by Firebase Authentication, completely hidden from us.

2.3 Market Data: Financial Modeling Prep (FMP)

FMP provides our raw equity feeds. No personally identifiable user data is shared with FMP. We retrieve cached bulk data through secure server environments to prevent exchange tracking of individual user preferences.

2.4 User Document Vault Storage Processing

Files, spreadsheets, and notes saved inside your Document Vault are stored in secure, private containers managed directly by Firebase Storage. Content within these documents is read by our AI integrations strictly to generate responses for your active research sessions, and is never stored externally, sold, shared, or utilized to train independent machine learning models.

Stocky does not utilize invasive tracking cookies or target marketing ads. We utilize local browser storage (such as WebAssembly cache or localStorage) solely to remember your UI selections, visual themes (light/dark mode), display currencies, and active timezone.

4.1 Secure Cloud Infrastructure

Your account profile and metadata are stored inside secure Google Cloud Firebase servers hosted in EU cloud server zones (primarily Frankfurt/Belgium). Since we operate out of Italy, all technical security configurations, secure database access models, and administrative policies conform fully to European data protection regulations.

4.2 Data Transfers Outside the EEA

Processing your subscriptions through Polar.sh and executing queries through optional third-party AI models (Google Gemini API, OpenAI API, Anthropic API) may require routing data to servers outside the European Economic Area (EEA), primarily the United States. To guarantee a level of protection equivalent to that of the EEA, all such transfers are executed under rigorous regulatory safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, and the EU-U.S. Data Privacy Framework.

4.3 Data Retention Periods

We retain your personal data (name, email, and subscription metadata) only for as long as your account is active. Upon receiving a formal account deletion request, all personal data is permanently deleted from our active systems within 30 days. Please note that transactional billing records are maintained longer to comply with statutory commercial record-keeping and tax retention requirements under Italian law.

5.1 Personal Rights

Under GDPR rules, you possess absolute, non-negotiable rights over your personal data:

• Right to Access: You can request a summary and file copy of all account parameters we hold.
• Right to Rectification: You can modify your name, password, or preferences at any time inside the app's Account tab.
• Right to Erasure (Right to be Forgotten): You can permanently delete your user profile and active billing links by requesting account termination.
• Right to Data Portability: You can request a machine-readable JSON bundle of your profile.

5.2 Right to Lodge a Complaint

If you believe that the processing of your personal data infringes GDPR rules, you have the statutory right to lodge a complaint with a supervisory authority. In Italy, the competent authority is the Garante per la protezione dei dati personali, located at Piazza Venezia 11, 00187 Rome (official website: www.garanteprivacy.it).

If you have questions regarding this policy, want to exercise your rights, or require data deletion assistance, please contact the controller: