Legal
Privacy Policy
Effective date: 1 July 2026 · Last updated: 1 July 2026
This policy explains how Stack Innovations Limited ("we", "us", "our") collects, uses, stores, and discloses your personal information across our products — FinX (personal finance & investing) and HealthX (health & fitness). It covers both our web apps and our native mobile apps. We are committed to protecting your privacy in accordance with the New Zealand Privacy Act 2020 and, where applicable, the EU General Data Protection Regulation (GDPR). Sections that apply to only one product are labelled FinX or HealthX; everything else applies to both.
Health data notice (HealthX). Some HealthX data — training, nutrition, weight, body measurements, and Apple Health data — is sensitive "special category" information under the GDPR (Art. 9). We process it only to provide HealthX to you, and only with your consent. See Section 5.
1 Who We Are
Stack Innovations Limited (NZBN: 9429053630445) is a New Zealand company and the data controller for the personal information described in this policy. We operate FinX (personal finance and investing) and HealthX (health and fitness). Both are products, not separate legal entities. References to "we", "us", and "our" mean Stack Innovations Limited.
Privacy contact: support@stackinnovations.co.nz
2 Information We Collect
Account data (both products)
- Identity: First name, last name, email address, and password (stored as a bcrypt hash — we never store your plaintext password).
- Session tokens: Authentication tokens held in HttpOnly cookies on the web, or in the device keychain / secure storage in the native mobile apps.
FinX — financial data
- Financial data you enter: Portfolio accounts, stock holdings, property details, expenses, debts, savings goals, and budget information. FinX does not connect to your bank or broker — you add this data yourself, so we never hold your bank logins.
- Stock tickers you query: Tickers you search, hold, or watch are sent to our market-data sub-processors (Section 6) to return prices, fundamentals, and analyst data. The vendors do not receive your name or email, but the queries can reveal your financial interests.
- Identity verification: If required under our AML/CFT obligations, government-issued ID and date of birth.
HealthX — health, training & nutrition data
- Profile: Your goal, sex, age, height, current weight, and target rate.
- Training: Training sessions, logged sets (weight, reps, reps-in-reserve), and personal-record history.
- Nutrition: Food-log entries, recipes you save or import, and macro totals.
- Body & progress: Weight entries, body-measurement entries, and any progress photos you choose to upload.
- Coach: Your messages to Atlas (the in-app AI coach) and the transcript of those conversations, stored so the chat has continuity (you can clear it in-app).
- Apple Health (HealthKit) data — iOS app only, and only if you opt in. See Section 5.
Collected automatically
- Log data (both): IP address, browser/OS user-agent, and request timestamps — used for security monitoring, debugging, and (FinX) our audit log.
- Usage data (both): Features used and session activity, to operate and improve the product.
- Approximate location (FinX): A coarse city and country derived from your IP on our own server (open-source geoip-lite) — used to show your login activity and detect suspicious sign-ins. We do not collect precise GPS coordinates.
- Error reports (FinX): When an unhandled exception occurs, our error-tracking sub-processor (Sentry) receives the stack trace, request URL, your user ID, and browser/device, with best-effort PII stripping.
Additional-feature data (both products)
- Two-factor authentication: If you enable 2FA, we store your authenticator secret and single-use backup codes, encrypted at rest.
- Trusted-device tokens: If you tick "Remember this device", we set an opaque token (30-day expiry) so you don't re-enter your code on that device.
- Push subscriptions: If you opt in to notifications, your browser or device provides a vendor-specific endpoint and cryptographic keys we use to sign notification payloads. We never push without explicit opt-in.
Information from third parties
- Stripe: If you subscribe, Stripe processes your payment and we receive a customer ID and subscription status. We never store your card number.
- Market data (FinX): Public stock prices and financial data — not linked to your identity.
3 How We Use Your Information
We use your information only for the purposes for which it was provided or directly related purposes (NZ Privacy Act IPP2):
- Providing, operating, and improving FinX and HealthX — dashboards and net worth, training and nutrition plans, recipe import and shopping lists, insights, and the features you enabled.
- Authenticating your identity and securing your account.
- Processing subscription payments via Stripe.
- Sending transactional emails (welcome, password reset, FinX bill/price alerts, HealthX meal-plan and coaching reminders) — these are not marketing.
- Maintaining security logs and, for FinX, an audit log for compliance.
- Complying with our legal obligations — for FinX, the NZ AML/CFT Act 2009 and FMC Act 2013.
We do not sell your personal information, and we have no advertisers. We do not use your data for profiling unrelated to the service.
4 AI-Powered Features and Consent
Both products offer optional AI features powered by Anthropic's Claude. Each feature sends only the data it needs:
- FinX: budget insights, tax guidance, savings-goal insights, and per-stock equity analysis — from aggregated summaries of your financial data.
- HealthX: Atlas (the in-app coach), "Snap food" photo macro estimates, and recipe extraction from a URL or pasted caption.
Consent required: AI processing is opt-in. You must explicitly consent (at registration or in settings) before any AI feature is activated, and you can withdraw consent at any time — this immediately disables AI features but does not affect data already processed.
Per Anthropic's commercial API terms, your inputs are not used to train their models. HealthX "Snap food" photos are sent to Claude to estimate the dish and macros and are not stored on our servers after the request completes.
Important: AI output is informational only. It is not regulated financial advice under the NZ FMC Act 2013 (FinX), nor medical advice (HealthX). Consult a licensed professional before making decisions.
5 Health & Fitness Data (HealthX)
HealthX processes health and fitness information — training logs, nutrition, weight, body measurements, progress photos, and (if you opt in) Apple Health data. Under the GDPR this is special-category data (Art. 9); we process it only to provide HealthX to you, and only with your consent.
Apple Health (HealthKit) — iOS app only
If you turn on "Sync with Apple Health" in the iOS app, HealthX reads the following from Apple Health, with your permission: body weight, daily step count, active and basal energy, resting heart rate, workout records, and last night's sleep. HealthX may write your completed in-app workouts back to Apple Health.
HealthKit-specific disclosures (required by Apple):
- HealthKit data is used exclusively to provide health and fitness features inside HealthX — never for advertising or marketing.
- HealthKit data is never sold, rented, or disclosed to any third party, and is never shared for advertising or data-broker purposes.
- HealthKit data is not disclosed to anyone except for purposes directly related to providing health-management services back to you.
- You can revoke HealthX's access at any time in iOS Settings → Privacy & Security → Health → HealthX. Data already in Apple Health stays on your device, owned by you.
6 Disclosure to Third Parties
We disclose your information only as necessary to run the service. Each recipient is engaged under a Data Processing Agreement (DPA) where personal data is shared. "Both" means the sub-processor serves FinX and HealthX.
- Fly.io, Inc. (Sydney region; US company) — application hosting and runtime. Both.
- Neon, Inc. — managed PostgreSQL hosting; data encrypted at rest and in transit. Both. (Region per product; see Section 11.)
- Stripe, Inc. (US) — payments and subscriptions. We never store your card number. Governed by Stripe's Privacy Policy. Both.
- Anthropic, PBC (US) — Claude AI features, only if you have enabled AI. Inputs are not used to train their models. Both.
- Apple HealthKit (iOS) — on-device; HealthKit data only leaves your device through HealthX's own APIs as described in Section 5. HealthX.
- Open Food Facts — open food database queried for barcode / product lookups. HealthX.
- Polygon.io / "Massive" (US) — real-time and historical market data, fundamentals, indicators, news, and dividends. We send the ticker plus our server's IP, not your name or email. FinX.
- Finnhub (US) — supplementary stock metrics and estimates. FinX.
- Financial Modeling Prep (US) — analyst price targets and forward earnings. FinX.
- Yahoo (US/global) — market data for international tickers (NZX, ASX, and others) where other coverage is unavailable. FinX.
- Functional Software, Inc. ("Sentry") (US) — error tracking; receives stack traces, request URL, user ID, browser/device, and a best-effort PII-stripped request snapshot. FinX.
- Web push providers (Google FCM, Apple Push, Mozilla autopush — global) — deliver notifications you opted into; they see the endpoint, not the decrypted message body. Both.
- Google LLC (Gmail / Workspace SMTP, US) — transactional email delivery. Both.
- Regulatory authorities — where required by law (e.g. the NZ Office of the Privacy Commissioner; for FinX, the Financial Markets Authority and NZ Police Financial Intelligence Unit).
An up-to-date sub-processor list is available on request: email support@stackinnovations.co.nz. We do not disclose your information to any other third party without your consent, except where required by law.
7 Data Storage and Security
- All data in transit is encrypted using TLS 1.2 or higher.
- Passwords are hashed using bcrypt (cost factor 12) — never stored in plaintext. We can never see your password; if you lose it we issue a reset, not a recovery.
- Authentication tokens are stored in HttpOnly, Secure cookies (web) or the device keychain (native apps).
- Two-factor authentication (TOTP) is available and recommended.
- FinX sessions expire after 30 minutes of inactivity (7 days for trusted devices), with a 24-hour (30-day trusted) absolute cap; logging out, changing your password, or revoking a device invalidates every session immediately. An append-only audit log records significant account actions.
- Rate limiting and account lockout protect against brute-force attacks.
No method of transmission or storage is 100% secure. If you become aware of a security issue, email support@stackinnovations.co.nz immediately.
Breach notification
If we become aware of a notifiable privacy breach affecting your information, we will notify you and the Office of the Privacy Commissioner within 72 hours of becoming aware of it, as required by the NZ Privacy Act 2020 (s112).
8 Retention Periods
- FinX account & financial data: Retained for the lifetime of your account plus 7 years after closure (NZ FMC Act 2013 record-keeping). Audit and authentication logs are kept 7 years (NZ AML/CFT Act 2009; FMC Act 2013).
- HealthX account & app data: Retained until you delete your account. Atlas conversation history is kept until you delete your account or clear it in-app.
- Server logs: Approximately 30 days.
- Password reset tokens: Deleted after use or expiry (1 hour).
- AI consent records (FinX): Kept for the lifetime of your account for FMC Act recordkeeping.
- Push subscriptions: Kept while enabled; purged when the push service reports the subscription expired or when you disable push.
- Trusted-device tokens: 30 days from issuance, or until you revoke the device.
- Sentry error reports (FinX): Per Sentry retention (currently ~90 days for errors, 30 days for performance traces).
- Stripe billing records: Retained per Stripe's policy and as required for tax/accounting.
When you delete your account, we anonymise or delete your profile and product data and end your active sessions. For FinX, audit records are retained in anonymised form for the periods above. HealthX account deletion is a full, irreversible removal of your rows; any HealthKit data on your phone is not affected.
9 Your Rights
Under the NZ Privacy Act 2020 (and equivalent GDPR rights for EU residents), you have the following rights:
Access (IPP6 / GDPR Art.15)
Both apps show you all of your data directly. You can request a machine-readable export at any time — FinX provides a self-serve export (GET /api/me/export); for HealthX, request one in-app or by email. We respond within 20 working days.
Correction (IPP7 / GDPR Art.16)
You can edit your profile, logs, holdings, recipes, and history directly in the app. If other information is inaccurate, contact us.
Deletion (IPP9 / GDPR Art.17)
You can delete your account in Settings. FinX (DELETE /api/me, password-confirmed) anonymises your profile and deletes your financial data, retaining anonymised audit records per Section 8. HealthX performs a full, irreversible deletion of every row associated with your account. HealthKit data on your phone stays in Apple Health, owned by you.
Withdraw consent
You may withdraw consent to AI processing at any time in settings; this disables AI features immediately.
Complaints
Please contact us first at support@stackinnovations.co.nz. You may also complain to the Office of the Privacy Commissioner (NZ) or your local supervisory authority (EU).
10 Cookies and Tracking
We use a minimal set of cookies:
token — HttpOnly, Secure session cookie holding your authentication token. Strictly necessary. For FinX, its lifetime is up to 24 hours (30 days for trusted devices), with the token refreshed on activity and expiring after 30 minutes idle. Logging out or changing your password invalidates it immediately.
trust_token — HttpOnly, Secure cookie set when you choose "Remember this device" for two-factor authentication. Expires after 30 days.
- Theme preference — a localStorage key (not a cookie) storing your dark/light mode preference. No personal data.
When you upgrade or manage a subscription, you are redirected to Stripe; Stripe sets its own cookies under its own domain, governed by Stripe's Privacy Policy. We do not use advertising cookies, third-party tracking pixels, or analytics cookies such as Google Analytics.
11 International Transfers
Our application servers run in Sydney, Australia (Fly.io syd region), and our databases are hosted by Neon (managed PostgreSQL). Your information is also processed by sub-processors in the United States (Stripe, Anthropic, Sentry, the FinX market-data vendors, and Google Workspace) and in various global locations for push-notification delivery (Google, Apple, Mozilla). Where personal data is transferred to these sub-processors, we rely on appropriate safeguards (such as Standard Contractual Clauses for EU transfers and binding data-processing agreements) consistent with the NZ Privacy Act 2020 and GDPR.
12 Children's Privacy
HealthX is intended for people aged 16 and over. FinX is intended for people aged 18 and over. We do not knowingly collect personal information from anyone under those ages. If you believe a child has signed up, contact us and we will delete the account.
13 Changes to This Policy
We may update this policy from time to time. If we make material changes, we will notify you by email and/or by an in-app banner the next time you sign in, and update the "Last updated" date above. Continued use of FinX or HealthX after the effective date constitutes acceptance of the revised policy.