Privacy Policy – Stox.AI

Effective Date: January 15, 2025

Last Updated: January 22, 2025

Full GDPR/CCPA/India compliance and AI transparency implemented

Our Commitment to Your Privacy

Stox.ai, operated by Global Predictions Inc., is committed to protecting your privacy and ensuring compliance with global data protection regulations. This Privacy Policy explains how we collect, use, process, and protect your personal information when you use our AI-powered stock analysis platform.

GDPR Compliant
CCPA Compliant
India Data Protection

Your Privacy Rights

You have specific rights regarding your personal data. See the comprehensive rights section below for detailed information about your rights under GDPR, CCPA, and other applicable laws.

1. Information We Collect

Data Collection Transparency

We collect only the minimum data necessary to provide our Service. Here's exactly what we collect and why:

Personal Information We Collect:

Account and Identity Data

Registration Information: Name, email address, password (encrypted), account creation date
Profile Data: User preferences, settings, subscription status
Verification Data: Age verification (18+ requirement), account verification status
Communication Data: Support tickets, feedback, correspondence with us

Usage and Behavioral Data

AI Interaction Data: Stock analysis queries, search terms, analysis requests and results
Platform Usage: Pages visited, features used, time spent, click patterns
Session Data: Login/logout times, session duration, frequency of use
Preference Data: Saved stocks, watchlists, analysis history, user settings

Technical and Device Data

Device Information: Device type, operating system, browser type and version
Network Data: IP address, geolocation (country/city level), ISP information
Performance Data: Page load times, error logs, system performance metrics
Cookies and Tracking: Session cookies, preference cookies, analytics cookies (with consent)

Third-Party and Integration Data

API Data: Stock data from Alpha Vantage, AI responses from OpenAI/Perplexity
Browser Extension Data: Website URLs where stock symbols are detected, extension usage patterns
Social Media: If you choose to share content, we may receive public profile information
Brokerage Connections: Only with explicit consent, portfolio data from connected accounts (future feature)

Data We DO NOT Collect

Credit card or payment information (handled by secure payment processors)
Social security numbers or government identification
Biometric data or facial recognition
Private messages or communications outside our platform
Location data beyond country/city level
Data from children under 18 years of age

2. How We Use Your Information (Lawful Basis for Processing)

⚖️ Legal Basis for Data Processing

Under GDPR, we must have a lawful basis for processing your personal data. Here are our lawful bases and how we use your information:

Primary Service Delivery (Contract Performance)

Legal Basis: Performance of contract with you

  • AI Analysis: Process your stock analysis requests using our AI models
  • Account Management: Create, maintain, and manage your user account
  • Service Delivery: Provide access to our platform features and functionality
  • Customer Support: Respond to your inquiries and provide technical support
  • Authentication: Verify your identity and secure your account

Service Improvement (Legitimate Interest)

Legal Basis: Our legitimate interest in improving services

  • AI Model Training: Improve our AI models using anonymized interaction data
  • Platform Optimization: Analyze usage patterns to enhance user experience
  • Bug Detection: Identify and fix technical issues and security vulnerabilities
  • Feature Development: Develop new features based on user needs and behavior
  • Performance Monitoring: Monitor system performance and reliability

Communication and Marketing (Consent/Legitimate Interest)

Legal Basis: Your consent or our legitimate interest in user communication

  • Service Updates: Notify you of important service changes, updates, or maintenance
  • Security Alerts: Inform you of security incidents or suspicious account activity
  • Marketing Communications: Send promotional content (only with explicit consent)
  • Educational Content: Share financial education and platform tips (with consent)
  • User Surveys: Request feedback to improve our services (with consent)

Legal and Regulatory Compliance (Legal Obligation)

Legal Basis: Compliance with legal obligations

  • Regulatory Reporting: Report to SEBI, RBI, SEC, or other regulatory authorities as required
  • Tax Compliance: Maintain records for tax reporting obligations
  • Legal Proceedings: Preserve data for legal disputes or investigations
  • Anti-Money Laundering: Conduct KYC and AML checks as required by law
  • Data Protection: Comply with GDPR, CCPA, and other privacy regulations

Security and Fraud Prevention (Vital Interest/Legitimate Interest)

Legal Basis: Protection of vital interests and our legitimate interest in security

  • Account Security: Detect and prevent unauthorized access to accounts
  • Platform Security: Protect our platform from cyber attacks and abuse
  • Fraud Detection: Identify and prevent fraudulent activities
  • Risk Assessment: Evaluate and mitigate security risks

3. Data Sharing and Third-Party Disclosures

✅ We Do NOT Sell Your Personal Information

We have never sold, and will never sell, your personal information to third parties for monetary or other valuable consideration.

When We Share Your Information

We may share your personal information only in the following limited circumstances:

Essential Service Providers (GDPR: Art. 28 Processors)

  • AI Processing: OpenAI, Perplexity AI (for AI analysis, subject to their data processing agreements)
  • Financial Data: Alpha Vantage (for stock market data, no personal data shared)
  • Cloud Infrastructure: Cloud hosting providers (encrypted data storage only)
  • Analytics: Privacy-compliant analytics providers (anonymized data only)
  • Payment Processing: Secure payment processors (payment data only, not stored by us)
  • Email Services: Transactional email providers (for service communications only)

Legal and Regulatory Requirements

  • Legal Process: When required by court order, subpoena, or other legal process
  • Regulatory Compliance: To comply with SEBI, RBI, SEC, or other regulatory requirements
  • Law Enforcement: To assist law enforcement in investigating illegal activities
  • Legal Rights: To establish, exercise, or defend our legal rights
  • Safety Protection: To protect the safety and rights of our users or the public

Business Transactions

  • Mergers & Acquisitions: In connection with a sale, merger, or acquisition of our business
  • Asset Transfer: Transfer of assets to a successor entity
  • Bankruptcy: In bankruptcy or similar proceedings
  • Note: Users will be notified of any such transfers and their options

With Your Explicit Consent

  • Third-Party Integrations: When you choose to connect third-party services
  • Social Sharing: When you choose to share content publicly
  • Marketing Partners: When you explicitly opt-in to third-party marketing

Third-Party AI Processing Disclosure

🤖 Important: Underlying AI Models

When you use our AI analysis features, your queries are processed by third-party AI providers (OpenAI, Perplexity). Please note:

  • Stox.AI does not directly train AI models on your data
  • The underlying AI models (OpenAI/Perplexity) may use interactions for their own model improvement
  • These providers have their own privacy policies and data handling practices
  • We send only necessary query data without personal identifiers where possible

Your Control: See the privacy policies of OpenAI and Perplexity for their data usage practices.

4. Data Retention and Deletion

🕰️ Data Retention Principles

We keep your data only as long as necessary for legitimate business purposes, legal compliance, or as required by law.

Specific Retention Periods

Data Category | Retention Period | Reason
Account Information | Until account deletion + 30 days | Service provision, account recovery
AI Query History | 2 years or until deletion request | Service improvement, user history
Usage Analytics | 3 years (anonymized after 1 year) | Platform optimization, trend analysis
Support Communications | 5 years | Customer service, dispute resolution
Financial Records | 7 years | Legal compliance, tax obligations
Security Logs | 1 year | Security monitoring, fraud prevention
Marketing Data | Until opt-out + 30 days | Marketing communications

Automated Deletion Process

  • Account Deletion: All personal data deleted within 30 days of account closure
  • Inactive Accounts: Accounts inactive for 3+ years are automatically deleted
  • Expired Data: Data beyond retention periods is automatically purged monthly
  • Anonymization: Personal identifiers removed from analytics data after 1 year

Exceptions to Deletion

We may retain certain data longer when:

  • Legal Hold: Data subject to legal proceedings or investigations
  • Regulatory Requirements: Required by SEBI, RBI, SEC, or other regulators
  • Security Incidents: Data related to ongoing security investigations
  • Dispute Resolution: Data necessary for resolving user disputes

5. Comprehensive Data Security

🔒 Enterprise-Grade Security

We implement multiple layers of security controls to protect your personal and financial data from unauthorized access, disclosure, or breach.

Technical Security Measures

🔐 Data Encryption

  • AES-256 encryption for data at rest
  • TLS 1.3 for data in transit
  • End-to-end encryption for sensitive data
  • Database-level encryption

🚪 Access Controls

  • Role-based access control (RBAC)
  • Multi-factor authentication (MFA)
  • Zero-trust security architecture
  • Regular access reviews and audits

🛡️ Network Security

  • Web Application Firewall (WAF)
  • DDoS protection and mitigation
  • Intrusion detection and prevention
  • Network segmentation

📊 Monitoring & Logging

  • 24/7 security monitoring
  • Real-time threat detection
  • Comprehensive audit logging
  • Automated incident response

Operational Security Practices

  • Security Training: Regular security awareness training for all employees
  • Background Checks: Comprehensive background checks for all team members
  • Incident Response: Detailed incident response plan with defined procedures
  • Regular Audits: Third-party security audits and penetration testing
  • Vulnerability Management: Regular security scans and prompt patch management
  • Data Minimization: Collection and retention of only necessary data

Compliance and Certifications

  • SOC 2 Type II: Annual SOC 2 Type II audits for security controls
  • ISO 27001: Information security management system certification
  • GDPR Compliance: Full compliance with EU data protection requirements
  • CCPA Compliance: California Consumer Privacy Act compliance
  • Industry Standards: Adherence to NIST Cybersecurity Framework

Data Breach Response

In the unlikely event of a data breach affecting your personal information:

  • Immediate Containment: Breach contained within 1 hour of detection
  • User Notification: Affected users notified within 72 hours
  • Regulatory Reporting: Authorities notified as required by law
  • Remediation: Security measures enhanced to prevent recurrence
  • Support: Dedicated support for affected users

⚠️ Security Disclaimer

While we implement industry-leading security measures, no system is 100% secure. You should also take precautions to protect your account, including using strong passwords, enabling two-factor authentication, and not sharing your login credentials.

6. Cookies and Tracking Technologies

🍪 Cookie Usage Transparency

We use cookies and similar technologies to enhance your experience. You have full control over non-essential cookies.

Types of Cookies We Use

✅ Essential Cookies (Always Active)

Required for basic functionality - cannot be disabled

  • Authentication: Keep you logged in securely
  • Session Management: Maintain your session state
  • Security: Protect against CSRF and other attacks
  • Load Balancing: Distribute traffic efficiently

📊 Analytics Cookies (Your Choice)

Help us understand how you use our platform

  • Usage Analytics: Page views, feature usage, user flows
  • Performance Monitoring: Loading times, error tracking
  • A/B Testing: Compare different features and layouts
  • User Feedback: Collect voluntary feedback and surveys

⚙️ Preference Cookies (Your Choice)

Remember your settings and personalize your experience

  • Display Preferences: Theme, language, currency settings
  • Dashboard Layout: Personalized widget arrangements
  • Saved Searches: Remember your frequent stock queries
  • Notification Preferences: Your communication choices

🎯 Marketing Cookies (Your Choice)

Deliver relevant content and measure campaign effectiveness

  • Campaign Tracking: Measure marketing effectiveness
  • Content Personalization: Show relevant educational content
  • Retargeting: Show ads for features you've viewed
  • Social Media: Enable social sharing functionality

Third-Party Cookies

Some cookies are set by third-party services we use:

  • Google Analytics: Website usage analytics (anonymized)
  • Stripe: Payment processing (payment pages only)
  • Intercom: Customer support chat functionality
  • Hotjar: User experience analysis (with consent)

Managing Your Cookie Preferences

🖥️ Cookie Settings

Use our cookie banner or visit your account settings to manage cookie preferences.

🌐 Browser Controls

All browsers allow you to control cookies. See your browser's help section for instructions.

🚫 Opt-Out Links

Use industry opt-out tools like NAI Consumer Opt Out or DAA Opt-Out Program.

⚠️ Important Note

Disabling certain cookies may limit functionality. Essential cookies cannot be disabled as they are necessary for the platform to function.

7. Your Comprehensive Privacy Rights

✅ Know Your Rights

You have powerful rights over your personal data. We make it easy to exercise these rights through our platform or by contacting us directly.

GDPR Rights (EU Users)

If you are located in the European Union, you have these rights under the General Data Protection Regulation:

🔍 Right of Access (Article 15)

Get a copy of all personal data we hold about you

Request: shreyanshss7@gmail.com with "Data Access Request"

✏️ Right of Rectification (Article 16)

Correct any inaccurate or incomplete data

Update via your account settings or contact us

🗑️ Right of Erasure (Article 17)

Delete your personal data ("right to be forgotten")

Account deletion removes all personal data within 30 days

🚐 Right to Data Portability (Article 20)

Export your data in a machine-readable format

Available in your account dashboard

⛔ Right to Object (Article 21)

Object to processing based on legitimate interest

Particularly for direct marketing and profiling

📜 Right to Withdraw Consent

Withdraw consent for any consent-based processing

Manage in your privacy settings

CCPA Rights (California Users)

If you are a California resident, you have these rights under the California Consumer Privacy Act:

📊 Right to Know

  • Categories of personal information collected
  • Sources of personal information
  • Business/commercial purposes for collection
  • Categories of third parties we share with

🚫 Right to Opt-Out

  • Opt-out of sale of personal information
  • We do NOT sell your personal information
  • "Do Not Sell My Personal Information" link available

India Privacy Rights

Indian users have the following rights under applicable data protection laws:

  • Data Localization: Your personal data is stored on servers located in India
  • Consent Management: Granular control over data processing consent
  • Data Minimization: We collect only necessary data for service provision
  • Breach Notification: We will notify you of any data breaches affecting your information

How to Exercise Your Rights

🖥️ Online Dashboard

Most rights can be exercised directly in your account privacy settings.

📧 Email Requests

Email shreyanshss7@gmail.com with your specific request and account details.

⏰ Response Time

We respond to all privacy requests within 30 days of verification.

8. Children's Privacy

18+ Age Requirement

Our Service is not intended for individuals under 18 years of age. We do not knowingly collect, use, or disclose personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take immediate steps to delete such information.

9. Changes to This Policy

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. Updates will be posted with a new effective date, and we will notify users of material changes via email or platform notifications.

10. International Data Transfers and Governing Law

🌍 Global Data Protection

We ensure your data is protected regardless of where it's processed, with appropriate safeguards for international transfers.

Data Localization and Transfers

India Data Localization

  • Primary Storage: Personal data of Indian residents stored on servers in India
  • Processing Locations: Data may be processed in India, US, and EU with appropriate safeguards
  • Cross-Border Transfers: Limited to AI processing and essential service provision
  • 24-Hour Rule: Data processed outside India deleted within 24 hours as required

GDPR Transfer Mechanisms

For EU users, we ensure adequate protection through:

  • Standard Contractual Clauses: EU-approved SCCs with all processors
  • Adequacy Decisions: Transfers only to countries with adequate protection
  • Additional Safeguards: Technical and organizational measures beyond SCCs
  • Data Processing Agreements: GDPR Article 28 compliant agreements

AI Processing Locations

OpenAI Processing: Your queries may be processed by OpenAI in the United States under their data processing agreement and privacy commitments.

Perplexity Processing: Alternative AI processing may occur in the United States with equivalent protection measures.

Data Minimization: Only necessary query data is sent to AI providers, without personal identifiers.

Governing Law and Jurisdiction

This Privacy Policy is governed by the laws of the State of Delaware, United States, without regard to conflict of laws principles.

Regulatory Compliance by Region

  • European Union: GDPR and local data protection laws take precedence
  • California: CCPA and CPRA rights apply to California residents
  • India: Compliance with applicable Indian data protection and financial regulations
  • Other Jurisdictions: Local privacy laws apply where more protective than this policy

11. Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations.

How We Notify You of Changes

  • Material Changes: Email notification 30 days before effective date
  • Minor Updates: Notice on our website and platform
  • Legal Changes: Immediate notification if required by law
  • Version History: Previous versions available upon request

✅ Your Options

If you don't agree to policy changes, you can delete your account before the changes take effect. Continued use after the effective date means you accept the updated policy.

12. Contact Information and Data Protection Officers

📞 Privacy and Data Protection

Email: shreyanshss7@gmail.com

Subject Line: Privacy Inquiry - [Your Request Type]

For privacy questions, data rights requests, GDPR/CCPA inquiries, and data protection concerns.

Data Protection Officer (DPO)

shreyanshss7@gmail.com

⚖️ Legal and Compliance

Email: shreyanshss7@gmail.com

Subject Line: Legal Inquiry - [Topic]

For legal questions, compliance matters, regulatory inquiries, and terms of service questions.

Compliance Officer

shreyanshss7@gmail.com

🚑 Emergency and Urgent Requests

Data Breach or Security Incident

Email: shreyanshss7@gmail.com

Subject: URGENT - Security Incident

Immediate Data Deletion

Email: shreyanshss7@gmail.com

Subject: URGENT - Immediate Data Deletion

🕰️ Response Times and Process

  • Privacy Rights Requests: Within 30 days of verification
  • General Privacy Questions: Within 7 business days
  • Data Breach Notifications: Within 72 hours of discovery
  • Security Incidents: Immediate acknowledgment, resolution within 24 hours
  • Account Deletion: Processed within 30 days

Business Address: Global Predictions Inc., [Address], Delaware, United States