Privacy Policy

Last updated: 2026-07-12

1. Controller and contact

Stockwayup is operated by Evgenii Kofanov (JDG), NIP 5273062563, al. Jana Pawła II 43A/37B, 01-001 Warsaw, Poland (the "Controller", "we", "us").

If you have questions about privacy or want to exercise your rights, contact: [email protected]

2. Scope

This Privacy Policy explains how we process personal data when you use:

This policy applies to registered users and visitors.

3. Personal data we process

Depending on how you use the Service, we may process the following categories of personal data:

3.1. Account and profile data

  • email address
  • account identifiers
  • optional profile details you choose to provide (if/when profile features are enabled)

3.2. Portfolio and content you provide

  • portfolios, holdings, transactions, watchlists
  • notes, comments, and other content you submit (if these features are enabled)

3.3. Support and communications

  • messages you send us (email or in-app)
  • technical information you include in support requests

3.4. Technical and usage data

  • IP address, device type, browser type, operating system
  • timestamps, pages/screens viewed, basic usage events needed to operate and secure the Service
  • error logs and diagnostics (to keep the Service stable and secure)

3.5. Community visibility (if enabled)

If you choose to make parts of your portfolio/profile visible to other registered users, those parts become visible within the platform according to your privacy settings. You can change these settings inside the Service.

4. Purposes and legal bases

We process personal data under the GDPR on the following bases:

4.1. To provide and operate the Service (GDPR Art. 6(1)(b) - contract)

  • create and manage accounts
  • provide portfolio tracking, analytics, scoring, and related functionality
  • authenticate users and maintain sessions

4.2. To secure the Service and prevent abuse (GDPR Art. 6(1)(f) - legitimate interests)

  • prevent fraud, automated abuse, and attacks
  • protect availability and integrity (rate limiting, security monitoring)

Our legitimate interest is operating a secure and reliable service.

4.3. To provide support and communicate with you (GDPR Art. 6(1)(b) and/or 6(1)(f))

  • respond to requests and resolve issues
  • communicate service-related information (for example, important security notices)

4.4. To comply with legal obligations (GDPR Art. 6(1)(c))

  • comply with applicable laws, regulatory requests, and lawful government demands

4.5. For analytics or marketing (GDPR Art. 6(1)(a) - consent, if enabled)

If we enable analytics or marketing technologies that are not strictly necessary, we will request your consent before activating them, and you can withdraw consent at any time.

5. Cookies and similar technologies

We use strictly necessary security cookies to protect the Website from automated abuse. For example, we use Cloudflare security features that may set the cf_clearance cookie. We also use an HttpOnly refresh cookie to authenticate users and maintain sessions. For details, see our Cookie Policy.

6. Browser and session storage

The short-lived access token used to authenticate API requests is held only in volatile memory. It is not written to local storage and is removed when the page process ends or the session terminates.

The refresh credential is stored only in the HttpOnly refresh cookie described above and cannot be read by website JavaScript. Local storage is limited to non-secret UI preferences and technical settings.

We may store non-secret UI preferences such as:

  • minilogSettings - used to store technical settings related to client-side logging/diagnostics

You can remove this data by clearing site data in your browser settings. Clearing preferences may reset parts of the interface; clearing cookies ends the browser session.

7. Sharing of personal data (recipients)

We do not sell your personal data.

We share personal data only with trusted service providers (processors) to the extent necessary to operate and secure the Service. These recipients include:

7.1. Hosting and infrastructure (processor)

  • Scaleway S.A.S. - hosting and server infrastructure.

7.2. Email delivery (processor)

  • MailerSend - sending transactional emails (for example, account emails and support communications).

7.3. Security and performance (processor)

  • Cloudflare - security and anti-bot protection and performance features.

7.4. Legal and compliance

We may disclose data if required by law, court order, or to protect our rights and users.

We may change our service providers over time.

8. International data transfers

Some service providers may process data outside the European Economic Area (EEA). Where this occurs, we use appropriate safeguards required by GDPR (for example, adequacy decisions or Standard Contractual Clauses), as applicable.

9. Data retention

We keep personal data only as long as necessary for the purposes described above:

  • Account data: for as long as your account is active, and afterward for a reasonable period to handle support, security, and legal obligations.
  • Portfolio data and user content: kept while your account is active, and deleted or anonymized after account deletion, except where we must retain data for legal or security reasons.
  • Logs and security records: retained for a limited period, typically from days to months, depending on the purpose (security, debugging, abuse prevention).

If you request deletion, we will delete or anonymize data unless retention is required by law or necessary for establishing, exercising, or defending legal claims.

10. Your rights (GDPR)

If you are in the EEA/UK (and in many other jurisdictions with similar rights), you may have the right to:

  • access your personal data
  • rectify inaccurate or incomplete data
  • delete your personal data (in certain cases)
  • restrict processing (in certain cases)
  • object to processing based on legitimate interests (in certain cases)
  • data portability (for data processed on the basis of contract or consent, in certain cases)
  • withdraw consent at any time (if processing is based on consent)

To exercise your rights, contact [email protected]. We may ask for additional information to verify your identity.

11. Complaints

If you believe we have not handled your personal data properly, you have the right to lodge a complaint with a supervisory authority.

In Poland, the supervisory authority is: President of the Personal Data Protection Office (UODO).

12. Security

We implement reasonable technical and organizational measures to protect personal data against unauthorized access, loss, misuse, or alteration. No method of transmission or storage is fully secure. You should keep your devices secure and avoid using the Service on shared devices.

13. Children

The Service is not intended for children under 18. We do not knowingly collect personal data from children.

14. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The "Last updated" date indicates when changes were made. If changes are material, we will provide notice via the Website and/or email where reasonable.

15. Contact

Questions about this Privacy Policy: [email protected]