Privacy Policy

1 Who We Are

Stack Innovations Limited (NZBN: 9429053630445) is a New Zealand company and the data controller for the personal information described in this policy. We operate the finance analytics product FinX; FinX itself is a product, not a separate legal entity. References in this policy to "we", "us", and "our" mean Stack Innovations Limited.

Privacy contact: support@stackinnovations.co.nz

2 Information We Collect

Information you provide

• Account data: First name, last name, email address, and password (stored as a bcrypt hash — we never store your plaintext password)
• Financial data: Portfolio accounts, stock holdings, property details, expenses, debts, savings goals, and budget information you enter manually
• Identity verification: If required under our AML/CFT obligations, government-issued ID and date of birth

Information collected automatically

• Log data: IP address, browser type, and device information collected when you log in or perform actions — used for security monitoring and our audit log
• Approximate location: A coarse city and country derived from your IP address (resolved locally on our server using the open-source geoip-lite library) — used to display your login activity to you and to detect suspicious sign-ins. We do not collect precise GPS coordinates.
• Usage data: Pages visited, features used, and session duration
• Stock tickers you query: Tickers you search for or add to your portfolio or watchlist are sent to our market-data sub-processors (see Section 5) so we can return prices, fundamentals, and analyst data. The vendors do not receive your name or email — but the queries themselves can reveal your financial interests.
• Error reports: When an unhandled exception occurs in the app, our error-tracking sub-processor (Sentry) receives the stack trace, the request URL, your user ID, and your browser/device. We strip known PII paths on a best-effort basis but coverage is partial; do not enter sensitive information into form fields where you would not want it to potentially appear in an error report.
• Cookies: An HttpOnly session cookie containing your authentication token (see Section 9)

Information you provide for additional features

• Two-factor authentication data: If you enable 2FA, we store your authenticator app secret and 8 single-use backup codes, encrypted at rest. You can disable 2FA at any time in your account settings.
• Trusted-device tokens: If you tick "Remember this device" during 2FA verification, we set an opaque random token on your device (30-day expiry) so you do not have to re-enter your authenticator code on the same device. You can revoke trusted devices at any time in your account settings.
• Push notification subscription: If you enable web push notifications, your browser provides us a vendor-specific endpoint URL (Google FCM, Apple Push, or Mozilla autopush) and two cryptographic keys (p256dh and auth) we use to sign notification payloads. You can disable push at any time in your account settings.

Information from third parties

• Stripe: If you subscribe to a paid plan, Stripe processes your payment and we receive a customer ID and payment status. We do not store your card number.
• Market data providers: Public stock prices and financial data — not linked to your identity

3 How We Use Your Information

We collect and use your information only for the purposes for which it was provided or for directly related purposes (NZ Privacy Act IPP2):

• Providing, operating, and improving the FinX service
• Authenticating your identity and securing your account
• Processing subscription payments via Stripe
• Sending transactional emails (welcome, password reset, bill reminders, price alerts) — these are not marketing
• Maintaining our audit log for security and legal compliance
• Complying with our obligations under the NZ AML/CFT Act 2009 and NZ FMC Act 2013

We do not sell your personal information to third parties. We do not use your data for profiling unrelated to the FinX service.

4 AI-Powered Features and Consent

FinX offers optional AI-powered features, including budget insights, tax guidance, savings-goal insights, and per-stock equity analysis. These features process aggregated summaries of your financial data to generate personalised output.

Important disclosure: AI-generated output is for informational purposes only and does not constitute regulated financial advice under the NZ Financial Markets Conduct Act 2013. You should consult a licensed financial adviser before making investment decisions.

When AI features are active, your financial data summaries may be transmitted to a third-party AI provider under a Data Processing Agreement. Please review Section 5 for details.

5 Disclosure to Third Parties

We disclose your information to the following recipients only as necessary to provide the service. Each is engaged under a Data Processing Agreement (DPA) where personal data is shared:

• Fly.io, Inc. (Sydney region; company incorporated in the United States): Application hosting and runtime infrastructure. Governed by Fly.io's Data Processing Agreement.
• Neon, Inc. (Sydney region — AWS ap-southeast-2): Managed PostgreSQL hosting. Data is encrypted at rest and in transit. Governed by Neon's Data Processing Agreement.
• Stripe, Inc. (US): Payment processing and subscription management. Governed by Stripe's Privacy Policy and Stripe's Data Processing Agreement.
• Anthropic, PBC (US): AI-powered budget insights and tax guidance — only if you have enabled AI features. Governed by Anthropic's API terms and Data Processing Agreement. Per Anthropic's API terms, your inputs are not used to train their models. Financial data is transmitted as summaries without direct identifiers where possible.
• Polygon.io, Inc. (US; integrated via the "Massive" SDK, the same vendor): Real-time and historical US stock market data, fundamentals, technical indicators, news, and dividends. We send the ticker symbol you query along with our server's IP address; we do not send your name or email. Governed by Polygon's terms.
• Finnhub Stock API (US): Stock metrics, beta, forward EPS, recommendation trends, and pre/post-market quotes — used as a gap-filler for fields Polygon does not expose. Same data shape as above (ticker plus our server's IP).
• Financial Modeling Prep (US): Analyst price targets and forward earnings estimates. Same data shape as above.
• Yahoo, Inc. (US/global): Market data for international tickers (NZX .NZ, ASX .AX, LSE .L, HKEX .HK, TSE .T, and others) where Polygon coverage is unavailable. Public Yahoo Finance endpoints; governed by Yahoo's terms.
• Functional Software, Inc. ("Sentry") (US): Error tracking and performance monitoring. When an unhandled exception occurs in our app, Sentry receives the stack trace, the request URL, your user ID, your browser/device, and a (best-effort PII-stripped) snapshot of the request body. Governed by Sentry's Data Processing Agreement.
• Web push providers (Google FCM, Apple Push Notification Service, Mozilla autopush — global): If you enable push notifications, the endpoint URL your browser issues routes through one of these providers. We send VAPID-signed payloads (a notification title, body text, and the URL to open) to that endpoint; the provider delivers it to your device. We do not receive any data back from these providers about delivery beyond HTTP status codes.
• Google LLC (Google Workspace / Gmail SMTP, US): Transactional email delivery (password resets, receipts, security alerts). Covered by Google's Workspace Data Processing Amendment.
• Regulatory authorities: We may disclose information to the NZ Office of the Privacy Commissioner, Financial Markets Authority, NZ Police Financial Intelligence Unit, or other authorities where required by law.

An up-to-date list of sub-processors is maintained on request: email support@stackinnovations.co.nz.

We do not disclose your information to any other third party without your consent, except where required by law.

6 Data Storage and Security

We implement industry-standard security measures to protect your information:

• All data in transit is encrypted using TLS 1.2 or higher
• Passwords are hashed using bcrypt (cost factor 12) — never stored in plaintext
• Authentication tokens are stored in HttpOnly, Secure cookies
• Sessions automatically expire after 30 minutes of inactivity, or after 7 days of inactivity for devices you have explicitly marked as trusted (via "Remember this device" during 2FA verification), with a hard 24-hour (or 30-day for trusted devices) absolute cap from the time of sign-in. Logging out, changing your password, or revoking a trusted device immediately invalidates every session on every device.
• Multi-factor authentication (TOTP) is available and recommended
• An append-only audit log records all significant account actions
• Rate limiting and account lockout protect against brute-force attacks

No method of transmission or storage is 100% secure. If you become aware of a security issue, please contact support@stackinnovations.co.nz immediately.

Breach notification

If we become aware of a notifiable privacy breach affecting your information, we will notify you and the Office of the Privacy Commissioner within 72 hours of becoming aware of it, as required by the NZ Privacy Act 2020 (s112).

7 Retention Periods

We retain your personal information for as long as necessary to provide the service and comply with our legal obligations:

• Account and financial data: Retained for the lifetime of your account plus 7 years after closure (NZ FMC Act 2013 record-keeping requirement)
• Audit log: 7 years minimum (NZ AML/CFT Act 2009; NZ FMC Act 2013)
• Authentication logs: 7 years
• Password reset tokens: Deleted after use or expiry (1 hour)
• AI processing consent records: Retained for the lifetime of your account (the consent timestamp is stamped on your user record at the policy version in effect; we keep this for our recordkeeping obligations under the FMC Act 2013).
• Push notification subscriptions: Retained while you have push enabled. Automatically purged when your browser reports the subscription as expired (HTTP 404 or 410 from the push service) or when you disable push in Settings.
• Trusted device tokens: 30 days from issuance, or until you revoke the device in Settings — whichever comes first.
• Sentry error reports: Retained per Sentry's project-level retention settings (currently 90 days for error events and 30 days for performance traces).

When you delete your account, we anonymise your profile data (name, email, financial data) and delete your active sessions. Audit log records are retained in anonymised form for the periods stated above.

8 Your Rights

Under the NZ Privacy Act 2020, you have the following rights (and equivalent rights under GDPR if you are an EU resident):

Access (IPP6 / GDPR Art.15)

You can request a machine-readable export of all data we hold about you at any time from your account settings or by emailing support@stackinnovations.co.nz. We will respond within 20 working days.

API: GET /api/me/export (authenticated)

Correction (IPP7 / GDPR Art.16)

You can update your name and email address in your account settings. If you believe other information is inaccurate, contact us.

Deletion (IPP9 / GDPR Art.17)

You can delete your account from your account settings. This will anonymise your profile data and delete your financial data. Audit records are retained in anonymised form for the legal periods described in Section 7.

API: DELETE /api/me (authenticated, requires password confirmation)

Withdraw consent

You may withdraw your consent to AI processing at any time in your account settings. This will disable AI features immediately.

Complaints

If you believe we have breached your privacy rights, please contact us first at support@stackinnovations.co.nz. You also have the right to complain to the Office of the Privacy Commissioner (NZ) or your local supervisory authority (EU).

9 Cookies and Tracking

We use a minimal set of cookies:

• token — HttpOnly, Secure session cookie containing your JWT authentication token. This cookie is strictly necessary for the service to function. The cookie's lifetime is up to 24 hours by default, or up to 30 days if you have explicitly trusted the device. Within that window the JWT itself is refreshed on activity and expires after 30 minutes idle (or 7 days idle for trusted devices). Logging out or changing your password invalidates this cookie immediately on every device.
• trust_token — HttpOnly, Secure cookie set when you choose "Remember this device" for two-factor authentication. Expires after 30 days.
• stack-theme — localStorage key (not a cookie) storing your dark/light mode preference. No personal data.

When you click an Upgrade or Manage Subscription button, you are redirected to checkout.stripe.com (or Stripe's billing portal). Stripe sets its own cookies under its own domain to operate that flow; those cookies are governed by Stripe's Privacy Policy, not ours.

We do not use advertising cookies, third-party tracking pixels, or analytics cookies. We do not use Google Analytics or similar services.

10 International Transfers

FinX's primary application server runs in Sydney, Australia (fly.io syd region) and our database is hosted in Sydney, Australia (Neon, AWS ap-southeast-2). Your personal information is also processed by sub-processors located in the United States (Stripe, Anthropic, Sentry, Polygon, Finnhub, Financial Modeling Prep, Google Workspace) and various global locations operated by Google FCM, Apple, and Mozilla for push notification delivery. Where personal data is transferred to these sub-processors, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses for EU transfers and binding data processing agreements) consistent with the NZ Privacy Act 2020 and GDPR requirements.

11 Children's Privacy

FinX is not intended for persons under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12 Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email and/or by an in-app banner the next time you sign in, and update the "Last updated" date at the top of this page. Your continued use of FinX after the effective date constitutes acceptance of the revised policy.

13 Contact Us