Privacy Policy

StockFlows.ai ("we", "us") operates this website. For questions about this policy or to exercise your privacy rights, contact privacy@stockflows.ai.

We collect only what we need to run the service:

• Account data — email, display name, hashed password, authentication-provider IDs (e.g. Google) when you sign up.
• User content — dashboards, widget configurations, watchlists, alerts, and journal notes you create.
• Usage data — pages visited, features used, device type, browser, approximate location (from IP), referrer, and timestamps.
• Technical data — IP address, error logs, performance metrics needed to operate and secure the service.
• Communications — messages you send via our contact form or support email.
• Billing data — handled by our payment processor (e.g. Stripe). We receive limited transaction metadata (plan, last-4 of card, country) but never your full card number.

We do not collect bank credentials, brokerage credentials, or actual portfolio holdings unless you explicitly type or import them into your dashboard.

We use personal data to:

• provide, maintain, and improve the service;
• authenticate users and secure accounts;
• save your dashboards, alerts and preferences across devices;
• process payments and prevent fraud;
• send service announcements, security alerts and (if you opt in) product updates;
• analyse aggregate usage to improve UX and performance;
• comply with legal obligations and enforce our Terms.

If you are in the EEA or UK, our legal bases are:

• Contract — to provide the service you signed up for;
• Legitimate interests — to secure, debug, and improve the service;
• Consent — for non-essential cookies and marketing emails;
• Legal obligation — to comply with tax, accounting, and law-enforcement requirements.

We use a small number of cookies and similar technologies for: keeping you signed in, remembering your dashboard layout and theme, and measuring aggregate, privacy-respecting usage (e.g. Plausible, PostHog or a similar analytics provider). You can clear cookies in your browser at any time; doing so will sign you out and reset preferences.

We also use real-time, anonymous performance and analytical signals (for example, an active-viewer count on shared dashboards) to monitor load and usage in real time. These signals carry no personal data — only an ephemeral, in-memory session token that is discarded when you close the tab.

We share data only with:

• Service providers who process data on our behalf (hosting, database, email delivery, analytics, payments, AI providers that summarise news/sentiment) — under written contracts that restrict their use of the data.
• Authorities when required by law, court order, or to protect our rights, users, or the public.
• Successors in the event of a merger, acquisition or sale of assets, with notice to you.

We do not sell your personal data, and we do not share it with brokers or advertising networks for cross-site behavioural advertising.

Our infrastructure may be located in the EU, the United States, or other regions. Where data leaves your country, we rely on appropriate safeguards such as the EU Standard Contractual Clauses or equivalent mechanisms.

We keep your account data and User Content for as long as your account is active. After account deletion, we remove or anonymise personal data within 90 days, unless we are legally required to retain it (e.g. invoices for tax purposes). Backups expire on a rolling 30-day cycle.

We use industry-standard measures including TLS in transit, encryption at rest, hashed passwords, least-privilege access controls, and routine dependency scanning. No system is 100% secure; please use a strong, unique password and enable any available multi-factor authentication.

Depending on your jurisdiction (in particular under the EU/UK GDPR), you have the following rights regarding your personal data:

10.1 Right to Access

You can request a copy of the personal data we hold about you, together with information on how it is processed, who it is shared with, and how long it is retained. We will respond within 30 days of a verified request.

10.2 Right to Erasure (Right to be Forgotten)

You can ask us to delete your personal data when it is no longer necessary for the purpose it was collected, you withdraw consent, or you object to processing. We will erase or anonymise your data within 30 days, except where we are legally required to retain it (e.g. tax records).

To exercise either right, email privacy@stockflows.ai from the address linked to your account.

Other rights you may have:

• correct inaccurate data;
• export your data in a portable format;
• object to or restrict certain processing;
• withdraw consent for marketing or non-essential cookies;
• lodge a complaint with your local data-protection authority.

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you the following rights:

• Right to know what personal information we collect, use, disclose and (if applicable) sell;
• Right to delete personal information we hold about you, subject to legal exceptions;
• Right to correct inaccurate personal information;
• Right to opt-out of sale or sharing of personal information — we do not sell or share personal information for cross-context behavioural advertising;
• Right to non-discrimination — we will not deny you service or charge different prices for exercising your CCPA rights.

To submit a CCPA request, email privacy@stockflows.ai with the subject "California privacy request".

StockFlows is not directed to children under 18 and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact us and we will delete it.

We may update this Privacy Policy as the service evolves. Material changes will be announced in-app or by email at least 14 days before they take effect. The "Last updated" date at the top reflects the current version.

Questions, requests, or complaints? Email privacy@stockflows.ai or use our contact form.