Privacy Policy

Effective date: 10 April 2026 · Pocket Investor

This policy is written in plain English. It tells you what personal information Pocket Investor collects, how we use it, who we share it with, and what rights you have. This policy covers users globally, with specific sections addressing the requirements of Australian privacy law, the European Union GDPR, the United States CCPA, and Hong Kong PDPO. If anything is unclear, email us at [email protected] and we will explain.

Not financial advice. Pocket Investor is a financial research and news tool. Nothing in this app — including AI-generated content — constitutes financial advice or a recommendation to buy, hold, or sell any financial product. All AI-generated content is for informational purposes only. You should consider your own circumstances and, where appropriate, seek advice from a licensed financial adviser before making investment decisions.

Jurisdiction coverage — jump to your section:

Australia — Australian Privacy Act 1988 and Australian Privacy Principles: Sections 1–10 (core policy) and Section 7 (your rights)
European Union / EEA — General Data Protection Regulation (GDPR): Section 11
United States (California) — California Consumer Privacy Act (CCPA) and Nevada SB 220: Section 13
Hong Kong — Personal Data (Privacy) Ordinance (Cap. 486) (PDPO): Section 14

1. Who we are

Pocket Investor is operated by an Australian individual based in Australia. When this policy refers to “Pocket Investor”, “we”, “us”, or “our”, it means that operator.

This policy is governed primarily by the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) contained in Schedule 1 of that Act. Additional jurisdiction-specific rights apply depending on where you are located — see Section 11 (GDPR, EU/EEA users), Section 13 (CCPA, California/US users), and Section 14 (PDPO, Hong Kong users).

We operate the Pocket Investor app and website (collectively, the “Service”). The Service is available on iOS, Android, and via the web at pocketinvestor.app.

2. What information we collect

We collect only the information needed to operate the Service. Here is a complete list of everything we collect and why.

2.1 Account information

Data	Why we collect it	Where it is stored
Email address	To create and manage your account, allow you to sign in, and to contact you about your account if needed	Supabase (database and authentication service)

2.2 App content you create

Data	Why we collect it	Where it is stored
Watchlist tickers	To show you news, analysis, and market data relevant to the stocks you follow	Supabase
Portfolio names	To organise your watchlists into named groups. We do not store actual holdings, quantities, cost basis, or portfolio values — only the name you give to a group	Supabase

2.3 Usage and analytics data

Data	Why we collect it	Where it is stored
App usage data (which screens you visit, which features you use)	To understand how the app is being used so we can improve it	Internal analytics (not linked to your email address)
Device information (device type, operating system version, browser)	To ensure the app works correctly on your device and to diagnose technical issues	Internal analytics logs
Referral or campaign source (UTM parameters — e.g. how you found the app)	To understand which marketing channels bring users to Pocket Investor	Supabase (user profiles table)
IP address	Standard server logging for security, abuse prevention, and network diagnostics	Cloudflare server logs (retained for up to 24 hours, then deleted automatically)

2.4 Subscription and purchase data

Data	Why we collect it	Where it is stored
Subscription status and entitlement (e.g. active Pro subscriber, plan tier, expiry date)	To determine which features you are entitled to access within the app	RevenueCat (San Francisco, CA) — synced to our Supabase database
Purchase history (e.g. transaction dates, plan purchased, renewal events)	To validate and restore your purchases and to resolve billing disputes	RevenueCat — linked to your device identifier or Supabase user ID
Device identifier (RevenueCat anonymous ID or Supabase user ID)	Used by RevenueCat to link your purchase receipts to your account	RevenueCat

We do not receive or store your payment card details. Payment processing is handled entirely by Apple (App Store) or Google (Google Play). RevenueCat receives only the purchase receipt and device identifier necessary to validate your entitlement.

2.5 What we do NOT collect

To be clear about the limits of what we store:

We do not collect financial account details, bank account numbers, or brokerage login credentials.
We do not collect real portfolio values, actual share quantities, or cost basis information.
We do not collect payment card details — those remain with Apple or Google.
We do not collect biometric data (fingerprints, face scans, etc.).
We do not collect your location (GPS or otherwise).
We do not collect your contacts.
We do not serve advertising and we do not use advertising trackers.

3. How we use your information

We use the information we collect for the following purposes:

To operate and deliver the Service — your email enables your account; your watchlist tickers power your personalised news feed and AI-generated analysis.
To improve the Service — aggregated, non-identifiable usage data helps us understand which features are valuable and where the app needs work.
To maintain security and prevent abuse — IP addresses and server logs help us identify and block malicious activity.
To understand how users discover the app — referral source data (UTM parameters) tells us which marketing efforts are working.
To contact you about your account — we may send transactional emails (e.g. password reset, account deletion confirmation). We will not send marketing emails unless you have separately opted in.

We do not use your data for automated decision-making that produces legal or similarly significant effects on you.

4. AI-generated content

Pocket Investor uses artificial intelligence to generate news summaries and market analysis. Specifically:

News summaries and stock analysis are generated using GPT-4o mini, an AI model provided by OpenAI (United States).
When the app generates AI content for a stock or news article, the stock ticker and relevant news text are sent to OpenAI's API. Your email address and personal account details are not sent to OpenAI.
OpenAI processes this data on servers in the United States. Per OpenAI's API data usage policy, API requests are logged for approximately 30 days for safety and abuse monitoring purposes. OpenAI does not use API data to train its models by default.
All AI-generated content is clearly labelled within the app as AI-generated.

AI content is not financial advice. AI-generated analysis, summaries, and insights are produced by an automated system and are provided for informational purposes only. They do not constitute personal financial advice, take into account your individual circumstances, or represent the views of any licensed financial adviser. Do not make investment decisions based solely on AI-generated content. Always do your own research.

News content is sourced from publicly available third-party RSS feeds and Google News. Market data (prices, fundamentals) is sourced from EODHD. Neither news sources nor market data providers receive your personal information.

5. Who we share your information with

We do not sell your personal information to anyone. We do not share your data with advertisers. The only third parties who receive any of your data are the infrastructure providers necessary to run the Service:

Provider	Country	What they receive	Why
Supabase (supabase.io)	Australia (Sydney, ap-southeast-2)	Email address, watchlist tickers, portfolio names, referral source	Database hosting and user authentication. Supabase operates as a data processor under a Data Processing Agreement. Data is stored in Australia.
RevenueCat, Inc. (revenuecat.com)	United States (San Francisco, CA)	Device identifier (RevenueCat anonymous ID or Supabase user ID) and App Store / Google Play purchase receipt data	Subscription management and in-app purchase validation. RevenueCat validates your purchase receipt and determines your entitlement to Pocket Investor Pro features. RevenueCat does not receive your payment card details — those remain with Apple or Google. Privacy policy: revenuecat.com/privacy
Cloudflare (cloudflare.com)	United States (global edge network)	IP address, network traffic (in transit)	Content delivery, DDoS protection, and API routing. Network traffic passes through Cloudflare's infrastructure. IP addresses appear in standard server logs retained for up to 24 hours.
OpenAI (openai.com)	United States	Stock tickers and news article text (not your email or account details)	AI-generated analysis and news summaries. Only the content needed to produce the AI output is sent — not personal account information.
EODHD (eodhd.com)	European Union / United States	Stock ticker symbols (no personal data)	Market data (prices, fundamentals). No personal information is transmitted.

We may also disclose your information if required to do so by law, or to protect the rights, property, or safety of Pocket Investor, its users, or others.

Overseas disclosure notice (Australian Privacy Act, APP 8)

Your account data and watchlist information is stored in Australia (Supabase, Sydney). Some of your information is processed by overseas service providers — specifically Cloudflare (United States, for CDN and API routing), OpenAI (United States, for AI-generated summaries), and RevenueCat (United States, for subscription and purchase validation). No personal information (email or account details) is sent to OpenAI. RevenueCat receives your device identifier and purchase receipt data only; it does not receive your email address or payment card details. EODHD receives only ticker symbols with no personal data. We take reasonable steps to ensure overseas recipients handle data in a manner consistent with the Australian Privacy Principles.

6. How long we keep your information

Data type	How long we keep it
Account data (email, watchlist, portfolio names, referral source)	For as long as your account is active. If you delete your account, we will delete or de-identify this data within 30 days of your request.
Usage and analytics data	Up to 90 days in raw form; aggregated and de-identified data may be retained indefinitely for product analytics.
IP address (Cloudflare server logs)	Up to 24 hours, then deleted automatically as part of Cloudflare's standard log rotation.
OpenAI API logs	Approximately 30 days, per OpenAI's standard API data retention policy, then deleted by OpenAI.

7. Your rights

Under the Australian Privacy Act 1988, you have the right to:

Access — request a copy of the personal information we hold about you.
Correction — ask us to correct personal information that is inaccurate, incomplete, or out of date.
Deletion — request that we delete your personal information. We will comply unless we are required by law to retain it. Deletion of your account will remove your email address, watchlist data, portfolio names, and referral source from our systems within 30 days.
Complaints — if you believe we have breached the Australian Privacy Principles, you may lodge a complaint with us first (see Section 15). If you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

8. Account deletion

You can request deletion of your account and all associated personal data at any time by contacting us at [email protected] with the subject line “Account Deletion Request”.

When we receive a deletion request, we will:

Confirm receipt within 5 business days.
Delete or permanently de-identify your email address, watchlist data, portfolio names, and referral source from Supabase within 30 days.
Send you a confirmation email once deletion is complete.

Some information may be retained after deletion where required by law or where it has already been anonymised and can no longer be linked back to you (for example, aggregated usage counts with no user identifier).

9. Cookies and tracking

The web version of Pocket Investor may use browser cookies or similar technologies for the following limited purposes:

Session management — to keep you signed in.
Analytics — to understand how users interact with the web app (device type, screen views).

We do not use advertising cookies or share cookie data with advertisers. We do not use cross-site tracking cookies.

UTM parameters (e.g. utm_source, utm_medium, utm_campaign) captured at the time you first access the app are stored in your user profile to help us understand how you discovered Pocket Investor. This data is linked to your account but is not used for advertising.

You can configure your browser to block or delete cookies. Note that blocking session cookies may prevent you from staying signed in.

10. Security

We take reasonable steps to protect your personal information from misuse, interference, loss, unauthorised access, modification, and disclosure. These steps include:

All data in transit is encrypted using HTTPS/TLS.
Data at rest in Supabase is encrypted using AES-256.
Passwords are never stored in plain text — Supabase stores only a salted cryptographic hash.
Authentication tokens (JWTs) are stored in secure device storage on mobile.
Access to production infrastructure is restricted to authorised personnel.

No system is completely secure. In the event of a data breach that is likely to result in serious harm, we will notify affected users and the Office of the Australian Information Commissioner as required by the Notifiable Data Breaches scheme (Part IIIC of the Privacy Act). We will notify affected individuals as soon as practicable and within 30 days of becoming aware of the breach.

11. Your rights under GDPR (EU and EEA users)

If you are located in the European Economic Area (EEA), the General Data Protection Regulation (GDPR) applies to the processing of your personal data. In addition to the rights described in Section 7, you have the following rights under GDPR:

Right of access (Article 15) — obtain confirmation of whether we process your personal data and receive a copy of it.
Right to rectification (Article 16) — have inaccurate personal data corrected without undue delay.
Right to erasure (Article 17) — request deletion of your personal data where it is no longer necessary for the purpose it was collected, or where you withdraw consent and no other legal basis applies.
Right to data portability (Article 20) — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
Right to object (Article 21) — object to processing of your data where we are relying on legitimate interests as the legal basis. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
Right to restriction of processing — ask us to restrict processing of your data in certain circumstances (for example, while the accuracy of data is contested).
Right to withdraw consent — where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
Right to lodge a supervisory authority complaint — you have the right to lodge a complaint with the data protection supervisory authority in your EU member state. A list of EU supervisory authorities is available at edpb.europa.eu.

Legal bases for processing (Article 6 GDPR)

Our legal basis for processing your personal data under GDPR depends on the specific activity:

Performance of a contract (Article 6(1)(b)) — processing your email address and watchlist data is necessary to provide the Service you signed up for. Without this processing, we cannot create or maintain your account.
Legitimate interests (Article 6(1)(f)) — analytics and usage data help us improve the Service. Security logging (IP addresses, server logs) is necessary to protect the Service and our users. We have assessed that these legitimate interests are not overridden by your fundamental rights and freedoms.
Legal obligation (Article 6(1)(c)) — we may process or retain data where required to comply with applicable law (for example, responding to a lawful request from a public authority).

Automated decision-making

We do not carry out automated decision-making, including profiling, that produces legal effects or similarly significant effects on you, as described in Article 22 GDPR.

To exercise your GDPR rights, contact us at [email protected]. We will respond within one calendar month as required by GDPR Article 12. Where requests are complex or numerous, we may extend this by a further two months, and we will inform you of any such extension within the first month.

12. Children's privacy

Pocket Investor is not directed at children under the age of 13, and we do not knowingly collect personal information from anyone under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at [email protected] and we will delete that information promptly.

The Service involves financial content and market data. We recommend the Service for users aged 18 and over. Investing in financial products carries risk, including the risk of losing money.

13. Your rights under the CCPA (California and US users)

If you are a resident of California, the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act (CPRA), gives you specific rights regarding your personal information. This section describes those rights and how to exercise them.

Categories of personal information we collect

Under the CCPA's statutory categories, we collect the following:

Identifiers — email address (collected when you create an account).
Commercial information — watchlist ticker symbols and portfolio names you create within the app.
Internet or other electronic network activity information — usage data (screens visited, features used), device information (device type, OS version, browser), and IP address (retained for up to 24 hours via Cloudflare).
Inferences drawn from personal information — none. We do not draw inferences about your preferences, characteristics, psychological trends, predispositions, behaviour, attitudes, intelligence, abilities, or aptitudes.

Your CCPA rights

Right to Know — you have the right to request that we disclose: the categories of personal information we have collected about you; the categories of sources from which it was collected; our business or commercial purpose for collecting it; the categories of third parties with whom we share it; and the specific pieces of personal information we hold about you.
Right to Delete — you have the right to request deletion of personal information we have collected from you, subject to certain exceptions (for example, where we need to retain it to complete a transaction, detect security incidents, comply with a legal obligation, or for other lawful purposes set out in the CCPA).
Right to Opt-Out of Sale or Sharing — we do not sell your personal information to third parties, and we do not share your personal information for cross-context behavioural advertising. Because we do not engage in these activities, there is nothing to opt out of — but you have this right and we respect it.
Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different level or quality of service, or suggest that you may receive a different price or quality as a result of exercising your rights.
Right to Correct Inaccurate Personal Information — you have the right to request correction of inaccurate personal information we hold about you.

California “Shine the Light” law

California Civil Code Section 1798.83 (the “Shine the Light” law) permits California residents to request information about disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for their direct marketing purposes. Accordingly, there is nothing to disclose under this law.

Nevada SB 220

Nevada Senate Bill 220 grants Nevada residents the right to opt out of the sale of certain personal information. We do not sell personal information to any person. Nevada residents may still submit a verified opt-out request to [email protected] and we will record and honour it.

How to submit a CCPA request

To exercise your Right to Know, Right to Delete, or Right to Correct, send an email to [email protected] with the subject line “Privacy Request — California” (or “Privacy Request — US” if you are in another US state). Please include your email address and a description of your request so we can verify your identity and process it correctly.

We will confirm receipt of your request within 10 business days and respond in full within 45 days of receipt. Where reasonably necessary, we may extend our response by a further 45 days, and we will notify you of any such extension within the initial 45-day period.

We do not charge a fee for processing a verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded.

14. Your rights under the PDPO (Hong Kong users)

If you are located in Hong Kong, the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) governs the collection and handling of your personal data. We comply with the PDPO and its six Data Protection Principles (DPPs).

The six Data Protection Principles

DPP 1 — Purpose and manner of collection: We collect personal data only for a lawful purpose directly related to our function of providing the Service. Collection is necessary and not excessive relative to that purpose. You are informed of the purpose at the time of collection.
DPP 2 — Accuracy and retention: We take reasonable steps to ensure that personal data is accurate and not kept longer than is necessary for the purpose for which it is used. See Section 6 for our retention periods.
DPP 3 — Use of data: Personal data is used only for the purpose for which it was collected, or a directly related purpose. We do not use your data for purposes incompatible with the original collection purpose without your consent.
DPP 4 — Data security: We apply technical and organisational security measures to protect personal data against unauthorised or accidental access, processing, erasure, loss, or use. See Section 10 for details of our security measures.
DPP 5 — Openness: We make this Privacy Policy available so that you can understand what personal data we hold, how it is used, and what your rights are. If you have questions, contact us at [email protected].
DPP 6 — Access and correction: You have the right to request access to personal data we hold about you and to request correction of any data that is inaccurate. See your rights below.

Your rights under the PDPO

Right of access: You may request access to the personal data we hold about you by submitting a Data Access Request (DAR) to [email protected] with the subject line “Privacy Request — Hong Kong”. We will respond within 40 days of receipt of your request.
Right to correction: If you believe that personal data we hold about you is inaccurate, you may submit a Data Correction Request (DCR) to the same address. We will correct the data, or note your claim of inaccuracy, within 40 days.

Cross-border data transfers

Your personal data is stored primarily in Australia (Supabase, Sydney region) and is processed in transit by Cloudflare (United States). Australia and the United States are both recognised as jurisdictions that maintain adequate data protection standards. We take contractual and technical steps to ensure that any cross-border transfer of your personal data is subject to appropriate safeguards consistent with the PDPO.

Regulatory oversight

The PDPO is administered by the Office of the Privacy Commissioner for Personal Data (PCPD), Hong Kong. If you are not satisfied with our handling of your personal data, you may contact the PCPD:

Website: www.pcpd.org.hk
Address: 12/F, Sunlight Tower, 248 Queen's Road East, Wan Chai, Hong Kong

15. How to contact us or make a privacy complaint

If you have a question about this policy, want to access or correct your information, request deletion of your account, or make a privacy complaint, please contact us:

Pocket Investor

Email: [email protected]

Response time: We will acknowledge your request within 5 business days and respond in full within 30 days (or within the jurisdiction-specific timeframe set out in Sections 11, 13, and 14 where applicable).

If you are not satisfied with our response to a privacy complaint, you may contact the relevant supervisory authority for your jurisdiction:

Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au · Phone: 1300 363 992 · GPO Box 5218, Sydney NSW 2001
European Union / EEA: Your local EU data protection supervisory authority — edpb.europa.eu
Hong Kong: Office of the Privacy Commissioner for Personal Data (PCPD) — www.pcpd.org.hk

16. Changes to this policy

We may update this Privacy Policy from time to time. When we make a material change, we will update the effective date at the top of this page and, where appropriate, notify you by email. Your continued use of the Service after a change is posted constitutes your acceptance of the updated policy.

We recommend reviewing this policy periodically. Previous versions are available on request.

Pocket Investor · Privacy Policy · Effective 10 April 2026
Questions: [email protected]