Legal

Privacy Policy

Effective date: April 28, 2026

Summary: StockHeroes.AI collects the minimum data needed to provide you with a personalised stock research service. We do not sell your personal data. We use a small number of strictly necessary cookies. EU/UK users have full GDPR rights; California residents have CCPA/CPRA rights. Questions? Email privacy@stockheroes.ai.

1. Who We Are

StockHeroes.AI (“we”, “us”, or “our”) operates the website and platform available at StockHeroes.AI (the “Service”). We are the data controller for personal data processed under this policy.

Contact: legal@stockheroes.ai

Privacy / DPO enquiries: privacy@stockheroes.ai

2. Data We Collect

2.1 Account Data

When you register, we collect your email address and (optionally) your name. This data is stored with our authentication provider, AWS Cognito, and in our own database.

2.2 Usage Data

We record the watch lists and tickers you save, your subscription tier, and account preferences so we can deliver a personalised experience.

2.3 Payment Data

Subscription payments are processed by Stripe, Inc. We never see or store your full card number, CVV, or bank account details. Stripe provides us with a token, your billing postal code, and card-type metadata. Stripe's privacy policy governs data it collects directly.

2.4 Log and Technical Data

Our servers automatically log IP addresses, browser type and version, operating system, referring URL, and page-request timestamps. These logs are retained for up to 90 days for security and debugging purposes.

2.5 Data You Provide Voluntarily

If you contact us by email or through our contact form, we keep a record of that correspondence.

3. Cookies and Tracking

We use cookies to make the Service work. We do not use advertising cookies or sell data derived from cookies to third parties.

Cookie name | Purpose | Type | Duration
sh_session | Stores your encrypted authentication session token. Required to keep you logged in. | Strictly necessary | Session / 30 days
__stripe_mid | Stripe fraud-prevention identifier set by our payment processor. | Strictly necessary (payment) | 1 year
__stripe_sid | Short-lived Stripe session identifier used during checkout. | Strictly necessary (payment) | 30 minutes

All cookies listed above are strictly necessary for the Service to function. Because they are essential, they do not require your prior consent under ePrivacy/PECR rules; however, you may block or delete them in your browser settings. Doing so will prevent you from staying logged in and from completing purchases.

We do not use Google Analytics, Meta Pixel, or any other third-party tracking or advertising scripts.

5. How We Use Your Data

  • Create and manage your account.
  • Authenticate your sessions and keep you securely logged in.
  • Deliver the personalised stock research features you have subscribed to.
  • Process payments and manage your subscription via Stripe.
  • Respond to your support and contact requests.
  • Send transactional emails (password resets, billing receipts, material policy updates).
  • Detect, investigate, and prevent fraudulent or abusive activity.
  • Comply with our legal and regulatory obligations.

We do not use your data to build advertising profiles, sell to data brokers, or share with unrelated third parties for their own marketing.

6. How We Share Your Data

We share data only with the service providers necessary to operate the platform:

Recipient | Purpose | Location | Safeguard
Amazon Web Services (Cognito) | Authentication & identity management | USA / EU | AWS GDPR DPA, SCCs
Stripe, Inc. | Payment processing & billing | USA / EU | Stripe DPA, SCCs
Cloud infrastructure provider | Hosting, compute, database | USA | DPA in place

We may also disclose data if required by law, court order, or to protect the rights and safety of StockHeroes.AI or others.

7. International Data Transfers

StockHeroes.AI is operated from the United States. If you access the Service from the EU, UK, or another jurisdiction with data protection laws, your data will be transferred to and processed in the USA. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, the UK International Data Transfer Agreement (IDTA) as the transfer mechanism for such transfers.

8. Data Retention

  • Account and usage data: retained for the life of your account plus 12 months after deletion (to handle disputes and legal obligations), then permanently deleted.
  • Financial records (billing history): retained for 7 years as required by US tax law and applicable EU accounting directives.
  • Server logs: retained for 90 days, then automatically purged.
  • Support correspondence: retained for 3 years, then deleted.

9. Your Rights

9.1 Rights Under GDPR / UK GDPR (EU & UK Residents)

You have the right to:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure ("right to be forgotten"): request deletion of your data, subject to legal retention obligations.
  • Data portability: receive your data in a structured, machine-readable format.
  • Restriction: ask us to pause processing of your data in certain circumstances.
  • Object: object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw it at any time without affecting prior lawfulness.
  • Lodge a complaint: you have the right to complain to your local supervisory authority (e.g. the ICO in the UK, or your national DPA in the EU).

To exercise any of these rights, email privacy@stockheroes.ai. We will respond within 30 days (extendable to 90 days for complex requests).

9.2 Rights Under CCPA / CPRA (California Residents)

If you are a California resident, you have the right to:

  • Know: request disclosure of the categories and specific pieces of personal information we have collected about you, and how it has been used and shared.
  • Delete: request deletion of your personal information, subject to certain exceptions.
  • Correct: request correction of inaccurate personal information.
  • Opt-out of sale or sharing: we do not sell or share your personal information for cross-context behavioral advertising. No opt-out is therefore required, but you may contact us to confirm.
  • Limit use of sensitive personal information: we do not use sensitive personal information beyond what is necessary to provide the Service.
  • Non-discrimination: we will not discriminate against you for exercising any of these rights.

To submit a verifiable consumer request, email privacy@stockheroes.ai with “California Privacy Rights” in the subject line. We will verify your identity before responding.

California residents may also designate an authorised agent to make requests on their behalf by providing written authorisation.

9.3 Other US State Privacy Rights

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), and other US states with comprehensive privacy laws have similar rights to access, correct, delete, and port their data, and to opt out of targeted advertising and profiling. Contact us at privacy@stockheroes.ai to exercise these rights.

10. Security

We implement technical and organisational measures to protect your personal data, including:

  • HTTPS/TLS encryption for all data in transit.
  • Authentication tokens stored in HttpOnly, SameSite=Strict cookies to mitigate XSS and CSRF attacks.
  • Passwords hashed by AWS Cognito using industry-standard algorithms — we never see or store your plaintext password.
  • Database access restricted to application-layer services only; no public-facing database endpoint.
  • Regular dependency updates and security patching.

No method of transmission over the Internet or electronic storage is 100% secure. If you discover a potential security vulnerability, please disclose it responsibly to legal@stockheroes.ai.

11. Children's Privacy

The Service is not directed at children under the age of 16 (or 13 in the USA under COPPA). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us immediately at privacy@stockheroes.ai and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting a notice on the Service and, where required by law, by sending an email to your registered address at least 30 days before the change takes effect. The effective date at the top of this page always reflects the most recent version.

14. Contact Us

If you have questions, complaints, or requests about this Privacy Policy or how we handle your data:

StockHeroes.AI
Privacy enquiries: privacy@stockheroes.ai
General contact: legal@stockheroes.ai

You may also visit our Contact page to submit a request.