StoxHub

Privacy Policy

Last updated: May 2026

1. Who we are

The data controller for personal information collected through this site is [Insert legal entity name — e.g. StoxHub Pty Ltd] (“StoxHub”, “we”, “us”).

Privacy contact: privacy@stoxhub.com.

2. The short version

  • We only collect what we need to run the service.
  • We do not sell your personal information and we do not share it with advertisers.
  • We use AWS (us-east-1) for hosting, Stripe for payments, AWS Cognito for accounts, and AWS RUM and Pinpoint for analytics — with consent where required.
  • You can ask us to access, correct, or delete your data at any time at privacy@stoxhub.com.

3. What we collect

Account data. Email address, hashed password (held by AWS Cognito), Google sub-identifier if you sign in with Google, email-verification status, account creation and last-login timestamps.

Subscription and billing data. Subscription tier, start and end dates, billing currency, Stripe customer and subscription IDs, payment method type (e.g. “Visa ending 1234”), and country derived from your billing details. We do not receive or store full card numbers; Stripe handles all card data and is PCI-DSS Level 1 certified.

Watchlists and product activity. Tickers you watchlist, screener filters and weights you save, prompts you submit to the Research / thesis tool, and the resulting cached briefs.

Technical and analytics data. If you have given consent to non-essential cookies, we collect via AWS RUM and AWS Pinpoint: page views, navigation events, button clicks, JavaScript errors, performance metrics, browser, device type, approximate location derived from IP, and a Cognito Identity Pool guest identifier. Without consent we collect only what is strictly necessary to deliver the page (Cognito session cookie, anti-abuse rate-limit counters keyed by IP, and standard server logs).

Communications. If you contact us by email we keep the message and our reply.

4. Why we use it (purposes and legal bases)

For users in the EEA and UK, the lawful bases under GDPR / UK GDPR are:

  • Performance of contract — running your account, processing payments, delivering paid features, providing support (Article 6(1)(b)).
  • Legitimate interests — fraud prevention, abuse and rate-limit enforcement, security, debugging, and basic service-availability monitoring; we balance these against your rights and use only what is reasonably necessary (Article 6(1)(f)).
  • Consent — non-essential analytics cookies and similar identifiers, and any direct marketing emails (Article 6(1)(a)). You can withdraw consent at any time.
  • Legal obligation — keeping tax and accounting records, and responding to lawful regulator or law-enforcement requests (Article 6(1)(c)).

5. AI processing of your prompts

When you use the Research / thesis tool or generate a company brief, your prompt or the relevant ticker is sent to AWS Bedrock for inference. Generated outputs are cached on our infrastructure so subsequent users see the same brief without paying the inference cost again. We do not include personal identifiers in prompts and we do not use your prompts to train any AI model. AWS does not use customer prompts or completions in Bedrock to train its or third-party foundation models.

6. Cookies and similar technologies

Strictly necessary cookies. Cognito session cookies, CSRF tokens, and short-lived rate-limit counters. These cannot be disabled if you want to use the site.

Analytics cookies and identifiers. AWS RUM and AWS Pinpoint use identifiers to attribute page views and events to a session. We only set these after you accept the cookie banner. You can change your choice any time by clicking “Cookie preferences” in the footer.

7. Who we share data with (sub-processors)

We rely on a small set of vetted vendors:

  • Amazon Web Services, Inc. — hosting, database (DynamoDB), object storage (S3), authentication (Cognito), AI inference (Bedrock), analytics (RUM, Pinpoint). Region: us-east-1 (US).
  • Stripe, Inc. — subscription billing and payment processing. Stripe stores your payment card data; we never see it.
  • Google LLC — only if you choose “Continue with Google” for sign-in.
  • Finnhub, U.S. Securities and Exchange Commission (EDGAR), and other public market-data providers — these providers serve us read-only data; we do not send them personal data about you.

We do not sell personal information, and we do not share it for cross-context behavioural advertising. We may disclose data to law enforcement or regulators where legally compelled.

8. International transfers

We are hosted in the United States (AWS us-east-1). If you access the site from outside the US your data will be transferred to and processed in the US. For users in the EEA, UK, and Switzerland we rely on the European Commission’s Standard Contractual Clauses (and the UK Addendum / Swiss equivalent) with our sub-processors, plus AWS’s and Stripe’s supplementary measures.

9. Retention

  • Account data — kept while your account is active and for up to 24 months after deletion to handle disputes and comply with anti-fraud and tax obligations.
  • Billing records — kept for at least 7 years to comply with tax law.
  • Watchlists and saved screener filters — kept until you delete them or close your account.
  • Thesis prompts and generated briefs — cached indefinitely so other users see the same brief; not linked to your identity in our public cache.
  • Analytics events — typically 30–90 days, then aggregated.
  • Server logs — typically 30 days.

10. Your rights

Depending on where you live you have some or all of the following rights. We will respond to verified requests within 30 days (45 in California, 30 in Australia, 1 month in the EEA/UK).

  • access a copy of your personal data;
  • correct inaccurate data;
  • delete your data (right to erasure / right to be forgotten);
  • port your data to another provider;
  • object to or restrict processing based on legitimate interests;
  • withdraw consent (without affecting prior processing);
  • opt out of “sale” or “sharing” under CCPA / CPRA — note that we do not sell or share personal information as those terms are defined; and
  • lodge a complaint with your supervisory authority (e.g. the UK ICO, your EEA Data Protection Authority, or the Australian OAIC).

To exercise any right, email privacy@stoxhub.com from the address on your account, or use Account to delete your account directly.

11. Children

The site is not intended for and not directed at children under 18. We do not knowingly collect personal data from children. If you believe a child has provided personal data, please email privacy@stoxhub.com and we will delete it.

12. Security

We use TLS for all traffic, AWS-managed encryption at rest for our databases and object storage, scoped IAM roles for our Lambdas, and short-lived OAuth tokens. No system is perfectly secure; if we ever suffer a breach affecting your data we will notify you and the relevant supervisory authority within the timelines required by law.

13. Region-specific notices

California (CCPA / CPRA). In the past 12 months we have collected the categories of personal information described in Section 3 (identifiers, commercial information, internet activity, and inferences derived from product activity). We use it for the purposes in Section 4. We do not sell or share personal information for cross-context behavioural advertising and we have not done so in the past 12 months. You have the right to know, delete, correct, and limit use of sensitive personal information, and not to be discriminated against for exercising any of these rights.

EEA / UK. The data controller is [Insert legal entity name]. You can lodge a complaint with your local data protection authority. The UK authority is the ICO (ico.org.uk).

Australia. We comply with the Australian Privacy Principles under the Privacy Act 1988 (Cth). Complaints can be escalated to the OAIC (oaic.gov.au).

New Zealand. We comply with the Privacy Act 2020. Complaints can be made to the Office of the Privacy Commissioner (privacy.org.nz).

14. Changes to this policy

We may update this Privacy Policy. Material changes will be notified by email to active subscribers and / or by an in-site notice at least 14 days before they take effect.

15. Contact

Email privacy@stoxhub.com for any privacy question.