
Privacy Policy

Last updated: May 31, 2026

1. Who we are

This Privacy Policy describes how SigmaThesis ("we", "us") collects, uses, and protects your personal data when you use our website and services at sigmathesis.com (the "Service"). We comply with the EU General Data Protection Regulation (GDPR) and applicable Hungarian data protection law.

2. What data we collect

Account data: email address, and (if you sign in with Google) your name and profile picture as provided by Google OAuth.

Investment data you create: portfolio holdings, watchlist tickers, saved investment theses, alert configurations. This data is stored in your account and is visible only to you.

Usage data: which features you use, AI credit consumption, timestamps of significant actions (e.g., last sign-in). We use this to operate the credit system and improve reliability.

Payment data: when you subscribe to Pro or buy a credit pack, payment is processed by Paddle (our Merchant of Record). Paddle collects billing information directly from you; we never see your full card number or CVV. We receive only confirmation of payment and the email address linked to your subscription.

Technical data: standard server logs (IP address, browser type, request timestamps) for security and abuse prevention. These are auto-rotated after a short period.

We do not collect: location data beyond IP-derived country, biometric data, or any "special category" data under GDPR Article 9.

3. Why we collect it (legal basis)

Under GDPR, we process your data on the following legal bases:

  • Contract (Art. 6(1)(b)): to provide the Service you signed up for — account creation, feature access, AI processing
  • Legitimate interest (Art. 6(1)(f)): operational logging, fraud prevention, product improvement
  • Legal obligation (Art. 6(1)(c)): tax records, compliance with payment regulations (handled by Paddle)
  • Consent (Art. 6(1)(a)): only where required (we currently do not run cookie-based tracking that requires consent)

4. Third-party processors

To run the Service we rely on the following processors. Each handles a specific function and is contractually bound to GDPR-compliant data handling:

Processor | Purpose | Region | Data shared
--- | --- | --- | ---
Anthropic (Claude) | AI thesis, chart analysis, summaries | US | Prompts (anonymized — no account email)
Supabase | Account database, authentication | EU | Email, profile, app data
Vercel | Hosting and serverless functions | EU/Global | Server logs, request data
Paddle | Payment processing (Merchant of Record) | UK/EU | Email, billing info, transaction history
Google (OAuth) | Sign-in via Google | Global | Email, name, profile picture (only if you use Google sign-in)
Finnhub / Yahoo | Market data feeds | US | None — we query public data, no user info
Cloudflare | DNS, email routing | Global | DNS resolution, inbound email metadata

For processors outside the EU (e.g., Anthropic, Google), transfers are protected by Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

5. Data sharing — we don't sell

We do not sell your personal data. We do not share data with advertisers, brokers, or marketing networks. Data is shared only with the processors listed above, only to the extent necessary to operate the Service, and never for unrelated commercial purposes.

We may disclose data if required by valid legal process (court order, regulator demand). If such a request appears overly broad, we will challenge it where lawful.

6. Cookies and storage

We use the minimum technical storage required to run the Service:

  • Authentication session (Supabase, secure cookies + localStorage): keeps you signed in
  • Preferences (localStorage): theme, language, watchlist, portfolio (until you log in to sync)
  • Anonymous view counter (localStorage): enforces the 5-stock pre-signup view limit

We do not use analytics cookies, advertising cookies, or third-party tracking pixels. Vercel Analytics is privacy-friendly and does not track individuals.

7. Your rights under GDPR

If you are in the EU/EEA, the UK, or Switzerland, you have the following rights:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure ("right to be forgotten") — request deletion of your account and associated data
  • Restriction — limit how we process your data in certain cases
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing based on legitimate interests
  • Withdraw consent — where processing is based on consent, withdraw it at any time
  • Lodge a complaint with a supervisory authority (in Hungary: NAIH — Nemzeti Adatvédelmi és Információszabadság Hatóság)

To exercise any of these rights, email support@sigmathesis.com. We respond within 30 days as required by GDPR.

8. Data retention

Active accounts: we retain account data and your saved investment data for as long as your account is active.

Deleted accounts: when you delete your account (or we delete it at your request), we erase personal data within 30 days, except where retention is legally required (e.g., tax records related to subscription payments are retained for the statutory period required by Hungarian law, typically 8 years for tax-relevant documents).

Server logs: rotated automatically (typically 30 days).

9. Security

We protect your data with industry-standard measures: HTTPS encryption for all traffic, password hashing via Supabase (bcrypt), service-role keys kept server-side only, and access controls on production systems. No system is 100% secure; if a breach occurs that affects your data, we will notify you and the relevant authorities within 72 hours as required by GDPR Article 33.

10. Children

The Service is not directed to individuals under 18. We do not knowingly collect data from minors. If you believe a minor has provided us data, contact us and we will delete it.

11. International transfers

Some processors (Anthropic, Google, Cloudflare) operate globally. Transfers outside the European Economic Area are protected through Standard Contractual Clauses (SCCs) and, where applicable, adequacy decisions of the European Commission.

12. Changes to this Policy

We may update this Privacy Policy from time to time to reflect changes in practices or law. Material changes will be communicated by email or via an in-app notice. The "Last updated" date at the top of this page indicates the most recent revision.

13. Contact

For privacy questions, data requests, or to exercise your GDPR rights, contact us at support@sigmathesis.com.

You also have the right to lodge a complaint with your local data protection authority. In Hungary, this is NAIH (naih.hu).

© 2026 SigmaThesis. All rights reserved.