Privacy Policy

How White Stallion AI handles your data.

Last updated: April 18, 2026

1. Data we do NOT collect

White Stallion AI is a client-side application. The following NEVER leaves your device:

• Portfolio amounts — your holdings, cost basis, profit/loss, total net worth
• Specific stock identifiers — ISIN numbers, DP-ID, folio numbers
• Personal financial records — insurance policy numbers, loan account numbers, bank details
• Broker credentials — we don't ask for login credentials to any broker
• Contact information in imported files — phone numbers, addresses within CAS/CSV files

All calculations (WSS scores, technicals, risk profile, strategy payoffs) run locally in your browser.

2. Anonymous usage analytics

We use PostHog (EU-hosted, GDPR-compliant) to understand how White Stallion is used in aggregate.

What we capture

• Event names — e.g., import_committed, tour_completed, stock_detail_opened
• Bucketed properties — e.g., holdings-count range (0, 1–10, 10–50, 50+), portfolio size bucket (≤5L, 5L–25L, 25L–1Cr, 1–5Cr, 5Cr+)
• Feature usage markers — which tabs you visit, how often you run AI queries, whether you use Strategy Lab
• Anonymous ID — a random UUID stored in your browser's localStorage. Not linked to any real-world identity.

What we do NOT capture

• Your name, email, or Google profile (except a hashed ID when you sign in with Google)
• Exact portfolio values — values are always bucketed
• Specific stock names paired with weights
• Any transaction amounts
• Content of your AI queries

Where it's stored

PostHog Cloud EU (Frankfurt, Germany). Data is processed in accordance with GDPR Article 28. You can request deletion any time by contacting whitestallionai@gmail.com.

How to disable

Open White Stallion → Settings → Analytics → toggle off. Once disabled, no events will be sent. Already-captured data can be deleted on request.

3. Google Sign-In (optional)

If you choose to sign in with Google:

• We receive your name, email, and profile picture from Google's OAuth response
• Your portfolio data is synced to your own Google Drive in a private app folder — not to our servers
• Signing out does not delete your Drive data (you control that through your Google account)

3.5. Broker connections (optional)

White Stallion supports connecting your broker account for live prices, option chains, and portfolio sync. Supported brokers are listed inside the app and change over time. This is fully optional — every core feature works without a broker connection using free price feeds.

When you connect a broker, here's exactly what happens:

• OAuth flow runs in your browser. You log in directly on the broker's site. We never see your username or password.
• The access token returns to your browser only. We use a server-side OAuth callback to exchange the authorization code for a token, then return that token to your browser. We do not persist it on our servers.
• Tokens are encrypted at rest. Inside your browser, broker tokens are AES-GCM encrypted in localStorage. The encryption key is derived per-session, never transmitted.
• All broker API calls fire from your browser. Live price requests, option chain fetches, portfolio reads — every one of them goes from your device directly to your broker. We don't proxy this traffic.

What we ask brokers for

• Read-only scopes only. We request quote, market depth, holdings, and orders read permissions. We never request order-placement, fund-transfer, or profile-modification scopes.
• You can review the exact scopes on the broker's consent screen before approving the connection.

What we never do with broker access

• Place trades on your behalf
• Move funds in or out of your account
• Modify your broker profile or settings
• Share or sell your broker data to anyone

Token expiry and disconnection

• Broker tokens expire on the broker's schedule (usually daily). When they expire, you'll be prompted to reconnect.
• You can revoke our access at any time from your broker's app or website (usually under Account Settings or Connected Apps).
• Clicking Disconnect in White Stallion's Settings → Broker Connections deletes the token from your browser storage. We have nothing to delete server-side because we never had it.

If you sync to Google Drive

If you've enabled Google Drive sync (see §3), portfolio snapshots derived from broker data are saved to your own Drive in a private app folder. Broker tokens themselves are never synced to Drive.

4. Third-party data services

The app makes real-time requests to third-party data services to fetch market data for the stocks, funds, and indices you view. Specific providers change over time as we optimize for reliability and cost; categories below are durable:

Category of service	Purpose	Data sent
Market data providers	Stock and index prices, OHLCV history	Ticker symbol or ISIN
Mutual fund data providers	NAV lookups for the schemes you view	Scheme code
Fundamentals providers	P/E, P/B, ROE, and company financials	Stock symbol
AI providers	Responses for the "Ask Stallion" feature	Your query text; portfolio summary only if you opt in
Broker APIs	Live quotes, option chains, holdings sync (when you connect a broker)	See §3.5 above

We do not send portfolio amounts, personal identifiers, or financial account numbers in any of these requests.

4.5. Infrastructure providers

The app runs on standard cloud infrastructure. The following categories of providers may process request metadata (IP address, request path, timestamp) in the normal course of serving the site:

• Hosting and serverless compute — serves the site and runs our thin API proxy layer
• Edge caching and DNS — routes traffic and caches public assets
• Transient request caching — short-lived key-value store used to cache public market quotes (so the same quote isn't fetched 100 times)
• Web font delivery — loads the typefaces used for the interface

None of these providers receive your portfolio data, broker tokens, or personal financial information. They handle only the normal request metadata any website generates.

5. Advertising

We use Google AdSense to display ads. AdSense may use cookies to serve relevant ads. You can manage ad personalization via Google Ads Settings.

6. Your rights (GDPR + DPDP Act)

• Right of access — request all data we hold about you
• Right of erasure — request deletion of your PostHog data and anonymous ID
• Right to object — opt out of analytics at any time
• Right of portability — your portfolio data is already exportable (it's in your browser's localStorage or your Google Drive)

To exercise any right, email whitestallionai@gmail.com. We'll respond within 30 days.

7. Cookies

White Stallion uses browser localStorage (not cookies) for its own state. AdSense and PostHog may set cookies as described above. PostHog's cookie usage can be disabled entirely by opting out of analytics in Settings.

8. Children's privacy

White Stallion is not directed at children under 18. If you are under 18, please do not use the service. If we become aware that personal data of a minor has been collected, we will delete it promptly.

9. Changes to this policy

We may update this policy. Material changes will be announced via in-app banner. The "Last updated" date at the top of this page always reflects the current version.

10. Contact

For any privacy question, email whitestallionai@gmail.com.