Privacy Policy
Data Controller
Stoa operates globally with an Israel-based founder. The identity of the data controller and any EU representative will be specified in the final Privacy Policy after counsel review.
Information We Collect
- Account data: email, display name, profile information at signup
- Identity and payout data: PayPal onboarding signals (payments receivable, email confirmation)
- Content: published reports, locked calls, debate threads, and related metadata
- Usage data: session tokens, preferences, subscription and purchase history
- Technical data: IP address and request logs at the infrastructure layer (Vercel)
How We Use Information
We use personal data to operate the marketplace, authenticate users, process payments, grade locked calls, display public track records, enforce fact-checking and disclosure requirements, and comply with legal obligations.
Legal Bases (GDPR)
[Pending legal draft — counsel to map processing activities to GDPR Articles 6 and 9 bases, including contract performance, legitimate interests, and consent where applicable.]
Sharing & Subprocessors
We share data with service providers who process it on our behalf. See our Subprocessors page for the current list, including PayPal, Supabase, AI providers, market data sources, Cloudflare, and Vercel.
Retention
Locked calls and published research are retained permanently as part of the public accountability record. Identity verification data retention periods are subject to counsel sign-off.
Your Rights
Depending on your jurisdiction, you may have rights to access, correct, export, or delete personal data. You can export your account data from Settings.
Erasure vs. immutable ledger: GDPR Article 17 gives EU individuals a right to erasure. Stoa's core product promise is that locked calls (linked to analyst identity for track-record accountability) cannot be deleted. The proposed engineering approach — pending legal sign-off — is to pseudonymize personally identifying fields in profiles (name, avatar, bio, email) on verified deletion requests while leaving locked reports, claims, and MOAT score snapshots intact under an anonymized handle. The public ledger entry survives; the link to real-world identity does not.
- Does Article 17(3) provide an exemption for publicly verifiable analyst records?
- Is pseudonymization adequate, or must records become aggregate-only after a retention period?
- Does treatment differ for EU analysts (public track record) vs. EU investors (subscribers)?
International Transfers
Data may be processed in the United States, Israel, and other locations where our subprocessors operate. Cross-border transfer mechanisms will be documented in the final Privacy Policy.
Children
Stoa is not directed at users under 18. We do not knowingly collect data from minors.
Contact & DPO
Privacy requests: privacy@stoa.app. A Data Protection Officer contact will be added if required after counsel review.