Privacy Policy

1. What Data We Collect

We collect only what is necessary to provide and improve the Thesio service. This includes:

Account information: Your email address and any name or profile information you provide when creating an account.
Watchlist and ticker selections: The stock tickers, sectors, and themes you add to your watchlist. This is core to the service — we need this data to deliver your signal analysis.
Usage data: Pages viewed, features used, analysis requests, and general interaction patterns with the Service. This helps us understand how users engage with Thesio so we can improve it.
Payment information: Handled entirely by Stripe. We do not store your credit card number, bank account details, or billing address on our servers.
Cookies and analytics data: Browser cookies for session management and anonymous usage analytics (see Cookies & Analytics below).

We do not collect sensitive personal data such as government ID numbers, financial account credentials, or health information.

2. How We Use Your Data

We use the data we collect for the following purposes:

Providing the Thesio service: To deliver daily signal digests, AI-synthesized implications for your watchlist tickers, and personalized analysis based on your selected tickers and sectors.
Service improvement: To understand aggregate usage patterns, identify bugs, measure feature adoption, and prioritize product development.
Communication: To send you trial reminders, billing notifications, and product updates. You can opt out of non-essential communications at any time.
Aggregated, anonymized insights: To generate and commercialize aggregate sentiment indices and anonymized usage pattern data (see Aggregated Data & Data Rights below).

We do not use your data for purposes that are incompatible with the ones listed above without obtaining additional consent.

3. Aggregated Data & Data Rights

Our Right to Use Aggregated Data

Thesio retains the right to use, analyze, and commercialize aggregated, anonymized data derived from platform usage. This includes aggregate market sentiment trends, popular ticker patterns, anonymized usage frequencies, and statistical summaries of signal engagement — but never individual user portfolios, watchlists, or personal information.

This aggregated data cannot be reverse-engineered to identify any individual user. It is statistical in nature and does not contain personally identifiable information.

For example, we may publish a "Thesio Sentiment Index" showing aggregate bullish/bearish sentiment across all tracked tickers for a given period. This index is derived from anonymized, aggregated data — it tells you what the market is thinking in aggregate, not what any specific user is doing.

Aggregated data is stored and processed using industry-standard anonymization techniques. We do not link anonymized datasets to identifiable user records.

4. We Do Not Sell Your Individual Data

We do not sell, rent, or trade your personal information or individual watchlist data to advertisers, data brokers, or third parties — ever.

This is the most important statement in this policy. Your personal data — your email, your watchlist, your usage history, your subscription status — will never be sold to advertisers, analytics companies, financial data vendors, or any other third party.

The only data we may commercialize is aggregated, anonymized data as described above. That aggregated data cannot identify you.

Stripe processes your payment information under Stripe's own privacy policy. We recommend reviewing Stripe's Privacy Policy to understand how they handle your payment data. Meta receives anonymized event data (page views, signups, purchases) through Meta Pixel for ad measurement — see Meta's Privacy Policy.

5. California Consumer Privacy Act (CCPA) Compliance

If you are a California resident, you have the following rights under the CCPA:

Right to Know: You may request disclosure of what personal information we collect, use, and disclose about you.
Right to Delete: You may request deletion of your personal information, subject to certain exceptions (e.g., for legal obligations, security, or service functionality).
Right to Opt Out of Sale: We do not sell your personal information, so there is nothing to opt out of. If this changes, we will update this policy and provide a clear opt-out mechanism.
Right to Non-Discrimination: We will not discriminate against you for exercising any of these rights.

How to exercise your CCPA rights: Email us at hello@thesio.polsia.app with the subject line "CCPA Request." We will respond within 30 days. We may need to verify your identity before processing your request.

6. General Data Protection Regulation (GDPR) Compliance

If you are located in the European Economic Area (EEA), the following applies:

Lawful basis for processing: We process your personal data on the basis of (a) consent — you consent to account creation and service use, and (b) legitimate interest — service provision, fraud prevention, and security.
Right of access: You may request a copy of all personal data we hold about you.
Right to rectification: You may correct inaccurate or incomplete personal data.
Right to erasure: You may request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.
Right to data portability: You may receive your data in a structured, machine-readable format.
Right to object: You may object to processing based on legitimate interest, and we will assess your request in good faith.
Right to lodge a complaint: You have the right to file a complaint with your local data protection authority.

Data retention: We retain your personal data for as long as your account is active or as needed to provide services. Upon account cancellation, we retain data for up to 90 days before deletion, except where legally required to retain it longer (e.g., for tax compliance or legal disputes). Aggregated anonymized data that cannot be linked back to you may be retained indefinitely.

Exercising GDPR rights: Email hello@thesio.polsia.app with the subject line "GDPR Request." We will respond within 30 days. We may need to verify your identity before processing your request.

7. Cookies & Analytics

Thesio uses the following types of cookies and tracking:

Essential cookies: Required for session management and authentication. These cannot be disabled without impacting service functionality.
Analytics cookies: Anonymous usage tracking that helps us understand which features are used, how users navigate the service, and where drop-offs occur. This data is aggregated and does not identify you.
localStorage: We use browser localStorage to store trial state, onboarding progress, and anonymous visitor identifiers. This data stays on your device and is not transmitted to our servers.

Meta Pixel: We use Meta Pixel (formerly Facebook Pixel) to measure the effectiveness of our advertising campaigns on Meta platforms. Meta Pixel collects page view events, signup events (when you join the waitlist), and purchase events (when you subscribe). This data is sent to Meta and may be used to serve you relevant ads on Facebook and Instagram. You can opt out of Meta's ad targeting at facebook.com/adpreferences. We do not use Google Analytics or other third-party ad network trackers. The other third-party services we use are Stripe (payment processing), OpenAI (AI analysis processing), and our own analytics infrastructure.

You can manage cookie preferences through your browser settings. Disabling analytics cookies will not prevent you from using the service, though it will limit our ability to improve it based on your usage patterns.

8. Data Security

We take data security seriously and use industry-standard measures to protect your data:

Encryption: All data transmitted between your browser and Thesize servers is encrypted using TLS 1.2 or higher. Data at rest in our database is encrypted using industry-standard methods.
Access controls: Internal access to user data is restricted to authorized personnel only, governed by role-based access controls.
Payment security: All payment processing is handled by Stripe. Thesio never sees or stores your raw payment credentials. Stripe is PCI DSS compliant.
Data isolation: User watchlist and personal data is logically isolated per account.

No security measure is 100% effective. If you become aware of a security vulnerability affecting Thesio, please contact us immediately at hello@thesio.polsia.app.

9. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Post the revised policy at thesio.polsia.app/privacy
Notify you via email for significant changes that affect your rights or data handling

Continued use of the Service after changes are posted constitutes acceptance of the revised Privacy Policy. If you do not agree to the revised policy, you must cancel your subscription and stop using the Service.

10. Contact Us

For any questions, requests, or concerns about this Privacy Policy or your personal data:

Email: hello@thesio.polsia.app
Website: thesio.polsia.app

We aim to respond to all data-related inquiries within 5 business days.