
Privacy Policy

Last updated: June 14, 2026

This Privacy Policy describes how Stock Market ROI (stockmarketroi.com) collects, uses and protects information when you use our platform. We comply with the LGPD (Lei nº 13.709/2018), GDPR (EU Regulation 2016/679) and the California Consumer Privacy Act (CCPA).

We do not sell your personal data. Without an account, no data leaves your browser. When signed in, only your account email, portfolio transactions, watchlist and price alerts are stored — securely in Supabase — and deleted permanently when you delete your account.

1. Data Controller

The controller responsible for processing your personal data is:

Name: Ivan Lima

Email: contato@ivanlimadev.com

Site: stockmarketroi.com

2. Data We Collect

We collect the minimum data necessary to provide our service:

2.1 Automatically collected (server side)

  • IP address (anonymized — last octet zeroed — for security and abuse prevention)
  • Browser type and version (User-Agent header)
  • Pages visited and HTTP status codes (aggregate, non-personal access logs)
  • Referrer URL

2.2 Stored locally in your browser only (no account required)

  • Cookie consent preference
  • UI preferences (selected chart period, theme)
  • Recently viewed assets

This data never leaves your device. Clear it any time via browser settings → Clear site data.

2.3 Stored in our database when you create an account

Account features (Portfolio, Watchlist, Price Alerts) require sign-in. When you use them, the following data is stored securely in Supabase (our infrastructure provider, hosted on AWS):

  • Email address — used for authentication only, never shared or used for marketing
  • Portfolio transactions — symbol, quantity, price, date you entered
  • Watchlist items — assets you chose to follow
  • Price alerts — target prices you set per asset

All this data is protected by Row-Level Security (RLS) — only you can read or modify your own records. It is permanently deleted when you delete your account via Settings → Delete Account.

2.4 Data we do NOT collect

  • Name, phone number or any identifier beyond email (for account holders)
  • Payment or financial account credentials
  • Brokerage account data
  • Precise geolocation
  • Biometric data

3. Cookies and Local Storage

Key | Type | Purpose
smroi-cookie-consent | Essential | Stores your cookie consent choice. No expiry.
theme (localStorage) | Functional | Saves light/dark mode preference in your browser.
Supabase session (cookie) | Functional | Keeps you signed in across sessions. Set only when you create an account and sign in. Cleared on sign-out.

Withdraw consent at any time by clearing your browser local storage or choosing "Essential only" in the cookie banner. No third-party tracking cookies are used.

4. Purpose and Legal Basis

Legitimate Interest — LGPD Art. 7, IX / GDPR Art. 6(1)(f)

Operating the platform, providing market data, preventing abuse and fraud, maintaining security logs.

Consent — LGPD Art. 7, I / GDPR Art. 6(1)(a)

Non-essential cookies and analytics, only when explicitly accepted via the cookie banner. Freely withdrawable at any time.

5. Data Sharing — We Do Not Sell Your Data

We do not sell, rent, trade or share your personal data with third parties for their own commercial purposes. Data may be disclosed only:

  • When required by a valid court order, law or government authority
  • To protect the rights, property or safety of our users or the public
  • In the event of a business transfer (merger, acquisition) — you will be notified

Market data is fetched from Yahoo Finance and Marketstack via server-side API calls. These requests include no personal identifiers from your session.

Account data (email, portfolio, watchlist, alerts) is stored in Supabase (supabase.com), which acts as our infrastructure sub-processor. Supabase is hosted on AWS and complies with SOC 2 Type II and GDPR. Their privacy policy is available at supabase.com/privacy.

6. Data Retention

Server access logs

Retained for a maximum of 90 days, then permanently deleted.

Account data (email, portfolio, watchlist, alerts)

Retained for as long as your account is active. When you delete your account via Settings → Delete Account, all associated data is permanently deleted from our database within 30 days.

Browser-stored data (localStorage)

Retained until you clear it via browser settings → Clear site data. We have no access to this data and cannot delete it on your behalf.

7. Security and Data Breach

We implement technical and organizational measures including HTTPS encryption, server hardening and access controls to protect server-side data.

What a breach could and could not expose

A hypothetical breach of our infrastructure could expose: email addresses and portfolio/watchlist/alert records of registered users. It could not expose brokerage credentials, bank accounts, payment data or any financial account access — because we do not collect or store any of those. Row-Level Security (RLS) in Supabase ensures that even a compromised API key cannot read another user's data.

In the event of a data breach involving personal data, we will notify affected users and the relevant data protection authority within the timeframe required by applicable law (LGPD Art. 48 — 72 hours to ANPD; GDPR Art. 33 — 72 hours to supervisory authority).

8. Your Rights Under LGPD — Lei nº 13.709/2018 (Brazil)

As a data subject under LGPD Art. 18, you have the right to:

Confirmation

Know whether we process your personal data.

Access

Obtain a copy of personal data we hold about you.

Correction

Request correction of inaccurate or incomplete data.

Anonymization

Request anonymization, blocking or deletion of unnecessary data.

Portability

Receive your data in a structured, machine-readable format.

Deletion

Request deletion of data processed with your consent.

Objection

Object to processing based on legitimate interest.

Withdraw Consent

Withdraw consent at any time for consent-based processing.

Contact us at contato@ivanlimadev.com. We will respond within 15 business days. You may also file a complaint with the ANPD — Autoridade Nacional de Proteção de Dados.

9. Rights Under GDPR — EU Regulation 2016/679 (European Users)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

  • Right of access — obtain a copy of personal data we hold (Art. 15)
  • Right to rectification — correct inaccurate data (Art. 16)
  • Right to erasure ("right to be forgotten") — request deletion (Art. 17)
  • Right to restriction of processing — limit how we use your data (Art. 18)
  • Right to data portability — receive data in a portable format (Art. 20)
  • Right to object — object to processing based on legitimate interest (Art. 21)
  • Rights related to automated decision-making — we do not use automated decision-making

You may lodge a complaint with your local EU data protection supervisory authority. A list of authorities is available at edpb.europa.eu.

10. California Consumer Privacy Act (CCPA) — California Residents

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) grant you the following rights:

  • Right to Know — know what personal information we collect, use, disclose or sell
  • Right to Delete — request deletion of personal information we have collected
  • Right to Correct — request correction of inaccurate personal information
  • Right to Opt-Out of Sale — we do not sell personal information; no opt-out required
  • Right to Non-Discrimination — we will not discriminate against you for exercising your rights
  • Right to Limit Use of Sensitive Personal Information — we do not collect sensitive personal information as defined by CCPA

Do Not Sell or Share My Personal Information: We do not sell or share personal information with third parties for cross-context behavioral advertising. No opt-out mechanism is required because this practice does not occur.

To exercise your CCPA rights, email contato@ivanlimadev.com with the subject line "CCPA Request". We will respond within 45 days as required by law.

11. Children and Minors

This platform is not directed at children under 16 years of age (or 13 in jurisdictions where 13 is the minimum age). We do not knowingly collect personal data from minors. If you believe a minor has accessed this platform, please contact us immediately and we will take appropriate action.

12. International Data Transfers

Our servers may be hosted outside Brazil or the EU. For transfers outside Brazil, we apply the safeguards required by LGPD Art. 33. For transfers outside the EEA, we rely on Standard Contractual Clauses (SCCs) or other approved mechanisms under GDPR Chapter V. Only minimal server log data is ever transferred — no financial or portfolio data.

13. Changes to This Policy

We may update this Privacy Policy periodically. The date of the last revision is shown at the top. Continued use of the platform after changes constitutes acceptance. For material changes, we will display a notice on the platform.

Questions about this policy? contato@ivanlimadev.com · See also our Terms of Use.