Equity Flow

Legal

Privacy Policy

The short version: we collect only what we need to run your Equity Flow account, we never sell your data, and everything is encrypted in transit and at rest.

Last updated April 19, 2026

On this page

Overview

Equity Flow (“we,” “us,” “our”) operates the Equity Flow options-flow and market-analytics platform at equityflow.io, app.equityflow.io, and the Equity Flow iOS application (the “Services”). This policy describes what we collect, why we collect it, and the controls you have over your data.

By using the Services you agree to this policy. If you disagree with any part, do not use the Services.

Information we collect

Information you provide

  • Account data — email address, display name, and (if you choose email/password sign-in) a salted password hash. We never store the plain-text password.
  • OAuth identifiers — when you sign in with Google or Apple, we receive a stable subject identifier, your email, and (for Apple) the name you share on first sign-in. We do not pull any further information from your Google or Apple account.
  • Passkey credentials — if you enrol a passkey we store its public key, credential ID, sign-count, and device label. We never see or store the private key — that stays on your device.
  • Optional SMS alerts — if you opt in, your phone number and carrier.
  • Market-data registration — see § Market-data registration for the extra fields required by the exchanges.

Information we collect automatically

  • Device & session data — device model, OS version, IP address, approximate region, session timestamps, and in the iOS app an APNs push token (if you grant notification permission).
  • Product-interaction logs — pages viewed, features used, crashes, and error traces. These are used for reliability engineering; we do not build advertising profiles from them.

Information we do not collect

  • Your brokerage credentials. Equity Flow does not connect to brokers.
  • Your positions, P&L, or trade history.
  • Payment card numbers — those are handled by Stripe; we store only a reference id and the receipt's last-four digits.

How we use information

  • To create and secure your account and sign you in.
  • To process subscription payments and restore purchases across devices.
  • To deliver real-time market data and notifications you have opted into.
  • To detect fraud, abuse, and security incidents.
  • To fix crashes and improve performance (reliability engineering only — not ad targeting).
  • To contact you about billing issues, security alerts, or material changes to the Services.

Market-data registration

Real-time options and equities data comes from regulated U.S. exchanges. Those exchanges require a per-user registration containing your legal name, date of birth, residential address, and an attestation of your professional/non-professional status. This information is:

  • Encrypted at rest using authenticated AES-GCM with a key stored separately from the database.
  • Forwarded to the exchange only in aggregate, in the format the exchange requires for its own auditing.
  • Deleted within 30 days of account deletion, except where regulations require a longer retention.

How we share information

We share information only as described below. We do not sell personal information.

  • Payment processing — Stripe. Card details are entered directly into Stripe's hosted form; we never receive them.
  • Authentication providers — Google and Apple validate your identity tokens. We do not share any data back to them beyond what is required for sign-in.
  • Apple App Store — in-app subscriptions are verified against Apple's signed StoreKit 2 receipts.
  • Infrastructure providers — Cloudflare for DNS and edge protection, and the server host that runs Equity Flow's backend. These parties only process data in transit on our behalf.
  • Exchanges — only the data described in § Market-data registration.
  • Legal compliance — if we are legally required to disclose information (subpoena, court order, or safety of a person), we will comply and, where lawful, notify the affected user.

Cookies and similar technologies

We use a small set of first-party cookies, all strictly functional:

  • auth_token — your signed JWT session. Set with the Secure, HttpOnly, and SameSite=Lax attributes; scoped to .equityflow.io.
  • stripe_redirected — a short-lived flag that lets us detect your return from Stripe Checkout.

We do not use third-party advertising cookies or cross-site trackers. We do not participate in ad networks, retargeting, or behavioural ad auctions.

Security

  • TLS 1.2+ on every request, with HSTS and SPKI certificate pinning in the iOS app.
  • Session tokens stored in the iOS Keychain with kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly; never written to iCloud Keychain.
  • Passwords salted and hashed (never stored in plain text).
  • WebAuthn passkeys verified against a pinned relying-party domain (equityflow.io) with signature and counter checks.
  • Least-privilege internal access; production secrets rotated on staff changes.

No system is perfectly secure. If you believe your account or our infrastructure has been compromised, email [email protected].

Data retention

Account data is retained for as long as your account is active. After account deletion we remove your personal data within 30 days, except:

  • Payment records required for tax and audit (retained up to seven years, per U.S. IRS guidance).
  • Exchange-mandated records related to market-data registration (retained per each exchange's requirements).
  • Security logs retained up to 90 days to investigate abuse.

Your rights and choices

  • Access and export — request a copy of the personal data we hold about you.
  • Correction — update your name, email, or phone directly in the app under Settings.
  • Deletion — delete your account from Settings → Account, or email us. Deletion is permanent.
  • Marketing opt-out — we only send account-related email by default. Any promotional email will include a one-click unsubscribe link.
  • California residents — you may also exercise CCPA / CPRA rights to know, delete, correct, and limit use of sensitive personal information.
  • EEA / UK residents — you have the right to access, rectify, erase, restrict, object to processing, and port your data, as well as the right to lodge a complaint with your supervisory authority.

Children's privacy

Equity Flow is not directed to children under 18 and we do not knowingly collect information from anyone under 18. If we learn we have collected such information, we will delete it.

International data transfers

Our servers and payment processors are located in the United States. If you access Equity Flow from outside the U.S., your information is transferred to, stored, and processed in the U.S. under appropriate safeguards — including, where applicable, the EU Standard Contractual Clauses.

Changes to this policy

We may update this policy from time to time. When we do, we update the "Last updated" date above, and for material changes we post a notice in the app and email active accounts. Continued use of the Services after a change means you accept the updated policy.

Contact us

Questions, data requests, or security reports — reach us at [email protected].

© 2026 Equity Flow. All rights reserved. · Terms · Privacy