Privacy Policy

Last updated: April 12, 2026

StockPal ("the app", "we", "us") is an investment portfolio tracker. This policy explains what personal information the app collects, how it's used, who it's shared with, and how you can control it. We try to be clear and specific — if anything here is unclear, email [email protected].

Summary

  • We store your email address and the portfolio data you enter.
  • Your portfolio context is sent to OpenAI to generate AI features (Discover picks, chat, ticker insights, daily brief).
  • We do not use analytics SDKs, advertising networks, or trackers.
  • We do not sell or share your data for marketing.
  • You can delete your account and all data in-app at any time.

What we collect

Account information

When you sign in with Apple, we receive your email address (which may be an Apple Private Relay address if you chose to hide your real email) and a stable identifier (Apple's sub claim). We use these only to identify your account and sync your data across devices.

Portfolio data

Accounts, holdings, and watchlist entries that you create or import. This includes ticker symbols, quantities, prices, account names, institution names, and currencies. We use this data only to display your portfolio back to you and to generate the AI-powered features described below.

Usage data

We record a count of how many times you refresh the Discover feed each day to enforce rate limits. We do not track screen views, button taps, session duration, or any other usage telemetry.

What we do NOT collect

  • No analytics (no Google Analytics, Mixpanel, Amplitude, PostHog, Firebase, etc.)
  • No advertising identifiers (no IDFA, no ad networks, no retargeting)
  • No crash reporting or diagnostics SDKs
  • No location data (precise or approximate)
  • No contacts, photos, microphone, or camera access
  • No browsing or search history beyond what's needed to service your requests in real time
  • No payment card or bank account information — subscription payments are processed entirely by Apple and we never see your card

How your data is used

  • Display your portfolio — fetch live prices, compute net worth, convert between currencies, render charts.
  • Generate AI features — your sector weights, held tickers, and chat messages are sent to OpenAI to produce personalized Discover picks, chat replies, ticker insights, and the daily portfolio brief.
  • Authenticate you — verify Sign in with Apple tokens on each launch.
  • Enforce rate limits — count Discover refreshes per day so the AI budget isn't exhausted.

We do not use your data for advertising, marketing, profiling beyond the above, sale to third parties, or any purpose other than operating and improving the app.

Third parties we share with

StockPal processes your data through the following third-party services. We have selected providers with privacy practices at least as protective as our own.

Apple (authentication + payments)

Sign in with Apple is provided by Apple Inc. Premium subscription purchases are processed through Apple's StoreKit — Apple sees and handles your payment information, not us. Apple privacy policy.

Cloudflare (hosting + database)

Your account and portfolio data are stored in Cloudflare Workers and Cloudflare D1 (a serverless SQL database). Cloudflare acts as our data processor and does not use your data for their own purposes. Cloudflare privacy policy.

OpenAI (AI-generated content)

To generate Discover picks, chat replies, ticker insights, and the daily portfolio brief, we send OpenAI a snapshot of your portfolio context (sector weights, list of held tickers, total value in USD) and — if you use the Ask StockPal chat — your chat messages. OpenAI retains API inputs and outputs for up to 30 days for abuse monitoring and then deletes them. OpenAI does not use API data to train their models. OpenAI privacy policy.

Market data providers (EODHD, Yahoo Finance, Twelve Data, CoinGecko)

Market prices, fundamentals, and search results are fetched from these providers. Requests go through our backend — providers do not see your identity, only the ticker symbols being queried. No personally identifiable information is shared with them.

Where your data is stored

Your portfolio data is stored on Cloudflare's global edge network. Data at rest is encrypted; data in transit uses TLS 1.2 or higher. The specific data centre serving your requests depends on your location — Cloudflare may process requests in any region.

If you are located in the European Economic Area, United Kingdom, or Switzerland, please note that your data may be processed outside your region, including in the United States (where OpenAI is based). We rely on standard contractual clauses and our providers' certification frameworks for these transfers.

How long we keep your data

We keep your account and portfolio data for as long as your account is active. When you delete your account (either in-app or by request), all your data is permanently removed from our database within 7 days. Backups are rotated within 30 days. Aggregated, non-identifying logs may be retained longer.

Your rights and choices

Delete your account in-app

Open Profile → Delete account. Type DELETE to confirm. Your account, all holdings, watchlist entries, and AI generation history are erased immediately. This is irreversible.

Request a copy of your data

Email [email protected] from the address associated with your account. We will respond within 30 days with a JSON export of your accounts, holdings, and watchlist.

Correct or update your data

You can edit any account or holding directly in the app. To correct your email address, email us.

Withdraw consent

You can stop us processing your data at any time by deleting your account. Continuing to use the app means you continue to consent.

Children's privacy

StockPal is not directed at children under 13 and we do not knowingly collect personal information from children under 13. If you believe a child has provided us with personal information, please email us and we will delete it.

Data security

We use industry-standard encryption (TLS 1.2+) for all data in transit. Passwords are not stored (we use Sign in with Apple exclusively). Authentication tokens use short-lived JWTs and are stored in the iOS Keychain on your device. Despite best efforts, no system is perfectly secure — if you believe your account has been compromised, email us immediately.

Changes to this policy

We may update this policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make material changes, we will update the "Last updated" date at the top and, for significant changes, notify you within the app on next launch. Continued use of the app after changes constitutes acceptance.

Contact

Questions, requests, or complaints about privacy? Email [email protected]. We aim to respond within 7 days.