Privacy Policy

1. Data We Collect

We collect the minimum information required to deliver and improve the service:

• Account information: full name, email address, and phone number provided during registration.
• Profile information: optional details such as city, country, and preferred currency.
• Transaction and portfolio data: stock symbols, quantities, purchase prices, and dates that you enter manually or import.
• Payment references: a non-sensitive transaction ID returned by our payment gateways (Stripe, M-Pesa). We never store card numbers, CVVs, or full mobile-money credentials.
• Usage data: pages visited, features used, IP address, browser type, and device identifiers — collected automatically for security and product improvement purposes.
• Communications: the content of support emails or contact form submissions you send us.

2. How We Use Your Data

• To create and manage your account.
• To display live market data, calculate portfolio performance, and generate analytics reports.
• To process your subscription payment and send receipts.
• To send transactional emails (password resets, price alert notifications, billing receipts).
• To detect and prevent fraud, abuse, or security threats.
• To improve the platform (aggregated, anonymised analytics only — never sold to third parties).
• To comply with legal obligations.

3. Legal Basis for Processing (GDPR)

Where GDPR applies, we process your data on the following bases: performance of a contract (to provide the service you subscribed to); legitimate interests (security, fraud prevention, and product improvement); and compliance with legal obligations.

4. Third Parties We Share Data With

We share data only where strictly necessary:

• Stripe, Inc. — payment processing for card transactions. Stripe is PCI-DSS Level 1 certified. Stripe's privacy policy is available at stripe.com/privacy.
• M-Pesa / bKash — mobile wallet payment processing. Only the transaction reference is returned to SPS.
• Amazon Web Services (AWS) — cloud hosting and encrypted database storage.
• Sentry — anonymised error monitoring. No financial or personally identifiable data is included in error reports.

We do not sell, rent, or share your personal data with advertisers, data brokers, or any third party for commercial purposes.

5. Data Retention

We retain your account data for as long as your account is active. After you delete your account, data is permanently removed within 30 days, except where we are required by law to retain it longer (e.g., financial transaction records may be retained for up to 7 years for tax and audit purposes).

6. Your Rights

Depending on your jurisdiction, you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data ("right to be forgotten").
• Data portability (export your portfolio history as CSV).
• Object to or restrict certain processing.
• Lodge a complaint with your local data protection authority.

To exercise any of these rights, email privacy@sps.app.

7. Cookies

We use strictly necessary cookies for session management and CSRF protection. We do not use advertising or third-party tracking cookies. You can delete cookies at any time via your browser settings; note that doing so will log you out.

8. Security

We employ industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, and strict access controls. See our Security page for full details.

9. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated by email and via an in-app banner at least 14 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.

10. Contact

Questions about this policy? Email privacy@sps.app or write to us at: Level 7, Banani Tower, Banani, Dhaka 1213, Bangladesh.