Privacy Policy · Effective April 21, 2026

What we collect, what we don’t, and what you can do about it.

Stockstead is built so the calculator works without an account and without sending your inputs anywhere. If you choose to create an account, we collect only what we need to keep that account working.

1. Scope

This Privacy Policy explains how Stockstead, a service operated by an individual sole proprietor based in New York, New York (LLC formation in progress) (“Stockstead,” “we,” “us”) collects, uses, and discloses information when you visit stockstead.com and related subdomains (the “Service”). By using the Service you acknowledge this policy.

2. Information we collect

2.1 Information you provide to us

  • Account information. When you create an account, we collect your email address and an authentication token. We do not store passwords in plaintext; authentication is handled by our identity provider (Supabase Auth).
  • Saved scenarios. If you explicitly save a calculator scenario to your account, the inputs you entered (purchase price, down payment, portfolio balance, rate assumptions, etc.) are stored to your account so you can retrieve them later.
  • Leads / newsletter. If you subscribe to our newsletter or submit a contact form, we store your email and the associated message.
  • Messages to support. Emails you send us are retained in our inbox for as long as needed to support you.

2.2 Information collected automatically

  • Usage / product analytics. We use PostHog to understand which features are used and how the site performs. This includes page views, click events, referrer, approximate geography (derived from IP), device type, browser, and a pseudonymous device identifier. We do not send your calculator inputs (purchase price, portfolio balance, tax rate, etc.) to analytics.
  • Tag management. We use Google Tag Manager to load and manage other analytics and advertising tags on the site.
  • Advertising. On pages where we display ads, Google AdSense and its partners may set cookies or similar technologies to serve ads, measure ad performance, and prevent fraud.
  • Server logs. Our hosting infrastructure records standard request logs (IP address, user-agent, request URL, timestamp) for a limited period for security and operational purposes.

2.3 Information we do NOT collect from the calculator

When you use the calculator without saving a scenario to your account, the inputs stay in your browser. They are not transmitted to, stored by, or visible to us. Analytics record that you used the calculator — not what you typed into it.

3. How we use information

  • Operate and maintain the Service and your account
  • Save and display your scenarios when you request them
  • Respond to your support or contact-form messages
  • Send newsletter or product updates you opted into (you can unsubscribe from any email)
  • Understand and improve how the Service is used, via aggregate analytics
  • Serve ads on ad-supported pages and measure their performance
  • Detect and prevent fraud, abuse, and security incidents
  • Comply with legal obligations and enforce our Terms of Use

4. Legal bases (for EEA/UK visitors, if any)

Where GDPR/UK GDPR applies, we rely on: contract (to provide the Service and your account), legitimate interests (analytics, fraud prevention, product improvement), consent (marketing emails, non-essential cookies), and legal obligation (tax, accounting, lawful requests).

5. Sub-processors we share data with

We share information only with the service providers required to run the Service. We do not sell personal information.

  • Supabase — authentication, database (accounts, saved scenarios, leads).
  • PostHog — product and usage analytics.
  • Google Tag Manager — tag loading and management.
  • Google AdSense — ad serving, measurement, and fraud prevention on ad-supported pages.
  • Vercel (or successor hosting provider) — site hosting, request logs, and delivery via content-delivery network.
  • Email provider — for any newsletter, transactional, or support email we may send.

Each sub-processor has its own privacy policy and security controls. We choose providers that publicly commit to reasonable data protection.

6. Cookies and similar technologies

We use a small number of first- and third-party cookies for:

  • Authentication (keeping you logged in) — essential
  • Analytics (PostHog) — improves the product
  • Advertising (AdSense / its partners) — on ad-supported pages

You can block or delete cookies in your browser settings. Blocking essential cookies will make parts of the Service (like being logged in) not work.

7. Retention

  • Account data and saved scenarios are retained until you delete them or close your account.
  • Analytics events are retained per our analytics provider’s default (typically 7 years for PostHog unless reconfigured).
  • Server logs are retained for a short operational period (typically 30–90 days).
  • Support emails are retained as long as needed to answer you and then as long as needed for our records.

8. Your rights

8.1 All users

  • Access. Email us to request a copy of what we hold.
  • Correct. Update your email in Account settings.
  • Delete. Nuke your data in Settings → Account → Delete account, or email us and we will process the request.
  • Unsubscribe from any marketing email via the link in that email.

8.2 California residents (CCPA/CPRA)

You have the right to know what personal information we collect, request deletion, request correction, and opt out of any “sale” or “share” of your personal information. We do not sell personal information. To the extent any third-party advertising on ad-supported pages constitutes a “share” under CPRA, you may opt out by emailing us.

8.3 EEA / UK residents

You have rights to access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interests. You may lodge a complaint with your supervisory authority.

9. Children

The Service is not directed to children under 13 and we do not knowingly collect personal information from children under 13. Accounts are restricted to users 18 or older.

10. Security

We use commercially reasonable administrative, technical, and physical safeguards. No method of transmission or storage is 100% secure. If we become aware of a breach affecting your personal information, we will notify affected users as required by applicable law.

11. International transfers

Stockstead is operated in the United States. If you access the Service from outside the U.S., you understand that your information will be transferred to, processed, and stored in the U.S. and in any jurisdiction where our sub-processors operate.

12. Do Not Track

We do not currently respond to Do Not Track browser signals. Where supported, we do honor the Global Privacy Control (GPC) signal for opt-out of “sale/share” of personal information.

13. Changes

We may update this Privacy Policy from time to time. When we do, we will update the “Effective” date at the top. If changes are material, we will take reasonable steps to notify you (e.g., a banner on the site or an email).

14. Contact

Privacy questions or requests: hello@stockstead.com.

Operator: Stockstead, a service operated by an individual sole proprietor based in New York, New York (LLC formation in progress). This policy was last updated on April 21, 2026.