Last updated: March 2026
StockSmarty ("we", "us", "our") is operated by StockSmarty Limited, registered in England and Wales (company number 17088000). We are the data controller for the personal data described in this policy.
Contact: support@stock-smarty.com
We collect the following personal data:
Account information: Your full name, email address, and hashed password (we never see or store your actual password — it is managed by our authentication provider).
Subscription data: Your subscription tier, billing status, billing period dates, and Stripe customer ID. We do not store your payment card details — these are held exclusively by Stripe.
Usage data: The number of searches and rebalances you perform each month, used to enforce plan limits.
Portfolio data: Stock tickers, allocation percentages, investment amounts, and other portfolio information you choose to save.
Consent records: Whether you accepted the Terms & Conditions (and when), and whether you opted into marketing communications.
We use your personal data for the following purposes:
To provide the Service (legal basis: performance of a contract) — authenticating your account, storing your portfolios, enforcing usage limits based on your subscription tier, and processing your subscription.
To process payments (legal basis: performance of a contract) — creating and managing your Stripe customer record, processing subscription charges, and handling billing changes.
To send transactional emails (legal basis: performance of a contract / legitimate interest) — account creation confirmations, payment receipts, subscription changes, payment failure notices, and security alerts.
To send marketing communications (legal basis: legitimate interests under UK GDPR Article 6(1)(f), or consent under Article 6(1)(a) for users who signed up before April 2026) — product updates, tips, new features, and occasional promotional offers about StockSmarty's own services. Because you have an active account with us, we rely on our legitimate interest in keeping you informed about the service you've signed up for, as supported by UK GDPR Recital 47. You have an absolute right to object to this processing at any time — either by clicking the unsubscribe link in any marketing email, or by turning off "Email Preferences" in your account settings. We will stop immediately and never resume without your explicit consent. Users who signed up under the prior explicit-consent flow and opted out will continue to be honoured permanently under their original preference.
To comply with legal obligations (legal basis: legal obligation) — maintaining financial records as required by HMRC, responding to lawful requests from authorities.
We share your data with the following third-party data processors:
Supabase (database and authentication) — stores your account information, portfolio data, and usage data. Supabase is SOC 2 Type II compliant. Data is encrypted at rest and in transit. Check your Supabase project region for data location (EU or US). Supabase Privacy Policy.
Stripe (payment processing) — processes your subscription payments and stores your payment card details. Stripe is PCI DSS Level 1 compliant. We share your email and Stripe customer ID with Stripe. Stripe Privacy Policy.
Railway (railway.app) — our backend compute infrastructure. Processes all stock analysis requests, ETF data, and the API key used to communicate with EODHD. Railway is based in the United States and processes data under standard contractual clauses.
Vercel (hosting) — hosts our web application. Vercel processes your requests but does not store your personal data beyond standard server logs. Vercel Privacy Policy.
EODHD (financial data provider) — provides stock and ETF data. We send stock tickers to EODHD for analysis. No personal user data is shared with EODHD.
Resend (email delivery service) — delivers transactional emails such as account verification, password resets, and subscription notifications. We share your email address and name with Resend solely to deliver these emails. Resend does not use your data for marketing purposes. Resend Privacy Policy.
Anthropic (AI analysis provider) — powers the AI Portfolio Analysis and Portfolio News summary features. When you use these features, we send anonymised portfolio data (stock tickers, allocations, yields, sector, market cap) to Anthropic. We do not send your name, email address, user ID, or any other personal identifier. Anthropic does not train its models on your data. Anthropic Privacy Policy.
We do not sell your personal data to any third party. We do not share your data with advertisers or marketing platforms.
Your account data (profile information, portfolios, usage records) is stored in our Supabase database. Supabase, Inc. is a US-based company and our database instance is hosted in a region chosen by us; some data may therefore be transferred outside the UK. For any such international transfers, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (SCCs), as approved by the UK Information Commissioner's Office, to ensure an equivalent level of data protection. Supabase Privacy Policy.
We implement the following security measures: all data transmitted via HTTPS/TLS encryption; Row Level Security (RLS) on our database ensuring users can only access their own data; API authentication on all endpoints; service role keys stored securely as environment variables and never exposed to browsers; password hashing managed by Supabase Auth; and API key authentication on our backend services.
While we take reasonable steps to protect your data, no system is 100% secure. You are responsible for keeping your login credentials confidential.
Active accounts: We retain your data for as long as your account is active and you continue to use the Service.
Account deletion: When you delete your account, we immediately and permanently delete your portfolios, usage records, display name, and authentication credentials. Your email is freed from our authentication system, allowing you to re-register in future if you wish.
Post-deletion retention (6 years): For users with a billing history (i.e. at least one payment was made), we retain a limited set of data for up to six (6) years following account deletion, under the legal bases of legitimate interest (UK GDPR Article 6(1)(f)) for defence of legal claims and compliance with HMRC financial record-keeping obligations. For free users with no billing history, your email address is anonymised immediately on deletion and is not retained. For users with billing history, the retained data includes: your email address (as proof of Terms acceptance), your Stripe customer ID (if applicable, for HMRC audit trail), the date you accepted our Terms, your subscription tier at the time of deletion, and your marketing consent preference.
After the six-year retention period, your email address will be fully anonymised or deleted. Non-personal data (such as your former subscription tier) may be retained indefinitely for aggregate analytics.
Stripe records: Stripe independently retains invoice, payment, and customer records in accordance with their own data retention policies, applicable tax laws, and financial regulations. We do not control Stripe's retention of your payment data. Your Stripe customer record is retained in an inactive state as required for financial record-keeping under UK law.
Under the UK General Data Protection Regulation, you have the right to:
Access — request a copy of the personal data we hold about you.
Rectification — request correction of inaccurate personal data. You can update your name and password directly in Account Settings.
Erasure — request deletion of your personal data. You can delete your account in Account Settings (after cancelling any active subscription). Please note that certain data is retained for up to six years post-deletion for legal compliance purposes, as described in Section 6 above.
Restriction — request that we restrict processing of your data in certain circumstances.
Data portability — request your data in a structured, machine-readable format.
Object — object to processing based on legitimate interests.
Withdraw consent — withdraw marketing consent at any time by contacting us or updating your preferences.
To exercise any of these rights, contact us at support@stock-smarty.com. We will respond within 30 days.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
We use two categories of cookies: essential cookies and analytics cookies.
Essential cookies are strictly necessary for the Service to function and do not require consent under UK PECR regulations. These include your authentication token (managed by Supabase, our auth provider) to keep you signed in between visits, and a cookie consent flag to remember your cookie preference.
Analytics cookies are set by Google Analytics 4, which we use to understand how visitors use the site — for example, which pages are visited and how long sessions last. Google Analytics collects this data in an anonymised and aggregated form. IP addresses are anonymised before storage. We do not use this data to identify individual users. You can opt out of Google Analytics tracking at any time by using the Google Analytics Opt-out Browser Add-on.
We do not use advertising cookies or tracking pixels.
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from children. If you believe a child under 18 has created an account, please contact us and we will delete it promptly.
We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice within the Service at least 30 days before they take effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
Paid subscribers have access to an AI-powered portfolio analysis feature. When you use this feature, the following data about your portfolio is transmitted to Anthropic, Inc. (the maker of Claude AI) for processing:
No personally identifiable information is included — your name, email address, account ID, or any other identifying data is never sent to Anthropic. The data transmitted is limited to anonymous portfolio composition data only.
Anthropic processes this data solely to generate your analysis response. We do not share any other personal data with Anthropic. Anthropic's own Privacy Policy (available at anthropic.com) governs their handling of data received via their API.
The legal basis for this processing is the performance of your subscription contract (Article 6(1)(b) UK GDPR). If you do not wish your portfolio data to be processed by Anthropic, simply do not use the AI Analysis feature.
For any questions about this Privacy Policy or to exercise your data rights, contact us at: support@stock-smarty.com