Privacy Policy

Last updated: February 2026

This Privacy Policy explains how StoX-Ray collects, uses, stores, and protects your personal data. It is governed by the Swiss Federal Act on Data Protection (nDSG, in force since 1 September 2023). For users located in the European Union or the United Kingdom, the equivalent provisions of the GDPR and UK GDPR also apply where those regulations have wider scope.

1. Data Controller

The data controller responsible for processing your personal data is the operator of StoX-Ray, a private individual based in Switzerland.

Contact: info@stox-ray.xyz

2. Data We Collect

We collect only the data necessary to provide the Service:

  • Account information — your email address and a securely hashed password (we never store your password in plain text)
  • Portfolio holdings — ticker symbols, number of shares or units, asset type, optional cost basis, and optional notes, as entered by you
  • Preferences — display currency, theme setting, and other interface preferences
  • Session data — a signed session cookie used to authenticate your requests (see Section 9 on cookies)

We do not collect browsing history, device fingerprints, location data, or any data beyond what is listed above. We do not use third-party analytics tools (no Google Analytics, no Mixpanel, no similar services).

3. Purpose and Legal Basis for Processing

We process your data for the following purposes:

  • Providing the Service — storing and displaying your portfolio holdings, calculating X-ray fundamentals, and delivering the features described in our product. Legal basis: performance of our contract with you (Art. 31 para. 2 lit. a nDSG; Art. 6(1)(b) GDPR for EU/UK users).
  • Account management — authentication, session management, and security. Legal basis: contract performance and legitimate interest.
  • Service improvement — understanding general usage patterns to fix bugs and improve features, using only non-identifiable server logs. Legal basis: legitimate interest (Art. 31 para. 2 lit. b nDSG).

We do not use your data for marketing, advertising, or profiling purposes.

4. No Analytics, No Advertising, No Data Selling

StoX-Ray does not use third-party analytics or tracking services, does not display advertising, and does not sell, rent, license, or share your personal data with any third party for commercial purposes. Your financial data is yours.

5. Third-Party Data Processors

We work with a limited number of third-party processors necessary to operate the Service:

Lemon Squeezy (Merchant of Record)

Lemon Squeezy, LLC processes payments on our behalf and acts as Merchant of Record for all transactions. When you purchase a subscription, your payment information (card details, billing address) is processed by Lemon Squeezy directly — we do not receive or store it. Lemon Squeezy is based in the United States. Data transfers are subject to appropriate safeguards under their privacy policy, available at lemonsqueezy.com/privacy.

Financial Data APIs (Yahoo Finance, Financial Modeling Prep, others)

StoX-Ray makes server-side requests to financial data providers to fetch publicly available fundamental data (revenue, EBITDA, share counts, etc.). These requests are made from our server and contain only ticker symbols — no personal data about you is transmitted to these providers.

VPS Hosting Provider (Server Infrastructure)

Your data is stored on a Virtual Private Server hosted in Germany/EU. The hosting provider has physical access to the server infrastructure but is contractually prohibited from accessing application data. Data stored in the EU benefits from GDPR-level protections.

We do not use any other third-party services that receive your personal data.

6. International Data Transfers

Your primary data (account information, portfolio holdings) is stored on servers in Germany/EU, which the Swiss Federal Council has recognised as providing an adequate level of data protection for purposes of cross-border data transfers under Swiss law.

Payment processing data is handled by Lemon Squeezy in the United States. Lemon Squeezy relies on standard contractual clauses and other transfer mechanisms compliant with GDPR requirements. For Swiss users, this transfer is conducted in accordance with Art. 16 nDSG.

7. Data Storage and Security

Your data is stored in a PostgreSQL database on a secured VPS. Passwords are cryptographically hashed using bcrypt and are never stored or transmitted in plain text. All connections to the Service are encrypted via HTTPS/TLS. Access to the server is restricted to the operator.

No security measure is absolute. While we apply appropriate technical and organisational safeguards, we cannot guarantee that unauthorised third parties will never be able to defeat those measures. In the event of a data breach affecting your rights and freedoms, we will notify you as required by applicable law.

8. Data Retention

We retain your personal data for as long as your account is active and for a reasonable period thereafter to comply with legal obligations or resolve disputes. If you delete your account, all personal data — including your email address, hashed password, portfolio holdings, and preferences — will be permanently and irreversibly deleted from our servers within 30 days.

Payment records maintained by Lemon Squeezy are subject to their own retention policies, which we do not control.

9. Cookies

StoX-Ray uses only one type of cookie: a signed session cookie used to authenticate your requests while you are logged in. This cookie is strictly necessary for the Service to function and is deleted when you log out or your session expires.

We do not use tracking cookies, advertising cookies, or any third-party cookies. No cookie consent banner is required because we use only essential, functional cookies.

10. Your Rights

Under the Swiss nDSG (and, where applicable, the GDPR), you have the following rights regarding your personal data:

  • Right of access (Art. 25 nDSG / Art. 15 GDPR) — request a copy of the personal data we hold about you
  • Right to rectification (Art. 32 nDSG / Art. 16 GDPR) — request correction of inaccurate or incomplete data
  • Right to erasure (Art. 32 nDSG / Art. 17 GDPR) — request deletion of your personal data (you can also do this directly by deleting your account in settings)
  • Right to data portability (Art. 28 nDSG / Art. 20 GDPR) — request your data in a structured, commonly used, machine-readable format
  • Right to restrict processing (Art. 17 GDPR) — request that we limit how we use your data (primarily applicable for EU/UK users)
  • Right to object (Art. 21 GDPR) — object to processing based on legitimate interest (primarily applicable for EU/UK users)

To exercise any of these rights, contact us at info@stox-ray.xyz. We will respond within 30 days. If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with the supervisory authority in your country of residence if you are in the EU or UK.

11. Children

StoX-Ray is not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will revise the "Last updated" date at the top of this page. For material changes — such as collecting new categories of data or sharing data with new third parties — we will notify you by email or via an in-app notice before the change takes effect.

13. Contact for Privacy Inquiries

For any questions or concerns about this Privacy Policy or your personal data, or to exercise your rights, please contact us at info@stox-ray.xyz. Please include "Privacy" in the subject line.