Last updated: March 2026
StockSmarty ("we", "us", "our") is operated by StockSmarty Limited, registered in England and Wales (company number 17088000). We are the data controller for the personal data described in this policy.
Contact: support@stock-smarty.com
We collect the following personal data:
Account information: Your full name, email address, and hashed password (we never see or store your actual password — it is managed by our authentication provider).
Subscription data: Your subscription tier, billing status, billing period dates, and Stripe customer ID. We do not store your payment card details — these are held exclusively by Stripe.
Usage data: The number of searches and rebalances you perform each month, used to enforce plan limits.
Portfolio data: Stock tickers, allocation percentages, investment amounts, and other portfolio information you choose to save.
Consent records: Whether you accepted the Terms & Conditions (and when), and whether you opted into marketing communications.
We use your personal data for the following purposes:
To provide the Service (legal basis: performance of a contract) — authenticating your account, storing your portfolios, enforcing usage limits based on your subscription tier, and processing your subscription.
To process payments (legal basis: performance of a contract) — creating and managing your Stripe customer record, processing subscription charges, and handling billing changes.
To send transactional emails (legal basis: performance of a contract / legitimate interest) — account creation confirmations, payment receipts, subscription changes, payment failure notices, and security alerts.
To send marketing communications (legal basis: consent) — product updates, new features, and promotional offers, sent only if you have explicitly opted in. You can withdraw consent at any time.
To comply with legal obligations (legal basis: legal obligation) — maintaining financial records as required by HMRC, responding to lawful requests from authorities.
We share your data with the following third-party data processors:
Supabase (database and authentication) — stores your account information, portfolio data, and usage data. Supabase is SOC 2 Type II compliant. Data is encrypted at rest and in transit. Check your Supabase project region for data location (EU or US). Supabase Privacy Policy.
Stripe (payment processing) — processes your subscription payments and stores your payment card details. Stripe is PCI DSS Level 1 compliant. We share your email and Stripe customer ID with Stripe. Stripe Privacy Policy.
Vercel (hosting) — hosts our web application. Vercel processes your requests but does not store your personal data beyond standard server logs. Vercel Privacy Policy.
EODHD (financial data provider) — provides stock and ETF data. We send stock tickers to EODHD for analysis. No personal user data is shared with EODHD.
We do not sell your personal data to any third party. We do not share your data with advertisers or marketing platforms (unless you opt into marketing and we use an email delivery service in the future, which will be disclosed here).
Your data is stored on Supabase servers. Please check your project's region in our infrastructure settings — if data is stored outside the UK/EEA, appropriate safeguards are in place (Standard Contractual Clauses).
We implement the following security measures: all data transmitted via HTTPS/TLS encryption; Row Level Security (RLS) on our database ensuring users can only access their own data; API authentication on all endpoints; service role keys stored securely as environment variables and never exposed to browsers; password hashing managed by Supabase Auth; and API key authentication on our backend services.
While we take reasonable steps to protect your data, no system is 100% secure. You are responsible for keeping your login credentials confidential.
Active accounts: We retain your data for as long as your account is active and you continue to use the Service.
Account deletion: When you delete your account, we immediately and permanently delete your portfolios, usage records, display name, and authentication credentials. Your email is freed from our authentication system, allowing you to re-register in future if you wish.
Post-deletion retention (6 years): We retain a limited set of data for up to six (6) years following account deletion, under the legal bases of legitimate interest (UK GDPR Article 6(1)(f)) for defence of legal claims and compliance with HMRC financial record-keeping obligations. The retained data includes: your email address (as proof of Terms acceptance), your Stripe customer ID (if applicable, for HMRC audit trail), the date you accepted our Terms, your subscription tier at the time of deletion, and your marketing consent preference.
After the six-year retention period, your email address will be fully anonymised or deleted. Non-personal data (such as your former subscription tier) may be retained indefinitely for aggregate analytics.
Stripe records: Stripe independently retains invoice, payment, and customer records in accordance with their own data retention policies, applicable tax laws, and financial regulations. We do not control Stripe's retention of your payment data. Your Stripe customer record is retained in an inactive state as required for financial record-keeping under UK law.
Under the UK General Data Protection Regulation, you have the right to:
Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate personal data. You can update your name and password directly in Account Settings.
Erasure — request deletion of your personal data. You can delete your account in Account Settings (after cancelling any active subscription). Please note that certain data is retained for up to six years post-deletion for legal compliance purposes, as described in Section 6 above.
Restriction — request that we restrict processing of your data in certain circumstances.
Data portability — request your data in a structured, machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — withdraw marketing consent at any time by contacting us or updating your preferences.
To exercise any of these rights, contact us at support@stock-smarty.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We use essential cookies and browser local storage only, for the purpose of maintaining your authenticated session and remembering your cookie consent preference. These are strictly necessary for the Service to function and do not require consent under the UK Privacy and Electronic Communications Regulations (PECR).
Specifically, we store: your authentication token (managed by Supabase, our auth provider) to keep you signed in between visits; and a cookie consent flag to remember that you have seen our cookie notice. No personal data is stored in cookies.
We do not use analytics cookies, advertising cookies, tracking pixels, or any third-party tracking tools. If this changes in the future, this policy will be updated and appropriate consent mechanisms will be implemented.
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child under 18 has created an account, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
Paid subscribers have access to an AI-powered portfolio analysis feature. When you use this feature, the following data about your portfolio is transmitted to Anthropic, Inc. (the maker of Claude AI) for processing:
No personally identifiable information is included: your name, email address, account ID, and any other identifying data are never sent to Anthropic. The data transmitted is limited to anonymous portfolio composition data.
Anthropic processes this data solely to generate your analysis response. We do not share any other personal data with Anthropic. Anthropic's own Privacy Policy (available at anthropic.com) governs their handling of data received via their API.
The legal basis for this processing is the performance of your subscription contract (Article 6(1)(b) UK GDPR). If you do not wish your portfolio data to be processed by Anthropic, simply do not use the AI Analysis feature.
For any questions about this Privacy Policy or to exercise your data rights, contact us at: support@stock-smarty.com