Privacy Policy

Polyform Holdings LLC

Website: heroscout.app

Last updated: October 31, 2025

We do not sell your personal information. We do not share it for cross‑context behavioral advertising. We do not run third‑party advertising or social tracking pixels.

Table of Contents

  1. Scope and Who We Are
  2. Information We Collect
  3. Sources of Information
  4. How We Use Information (Purposes & Legal Bases)
  5. Cookies, localStorage, and Similar Technologies
  6. How We Share Information
  7. Data Retention
  8. Your Rights and Choices
  9. Security
  10. International Data Transfers
  11. Children's Privacy
  12. Do Not Track and Global Privacy Control
  13. Automated Decision‑Making and Profiling
  14. State‑Specific Notices (California and Others)
  15. Changes to this Policy
  16. Contact Us

1. Scope and Who We Are

This Policy applies to personal information processed by Polyform Holdings LLC ("Polyform," "we," "us," or "our") in connection with your use of Hero Scout at heroscout.app and related interfaces. Polyform acts as the controller of personal information for this Service.

2. Information We Collect

We collect information directly from you, automatically when you use the Service, and from third parties (e.g., Google OAuth). We group the information as follows:

2.1 Personal Information (Account & Identity)

  • Email address (via Google OAuth) — required for Account creation;
  • Name (via Google OAuth) — optional display within the app;
  • Profile picture (via Google OAuth) — optional display;
  • Newsletter email (optional; may differ from Account email).

2.2 User‑Generated Content

  • Watchlists (interested stocks, tickers);
  • Notes and qualitative assessments;
  • Custom metrics (user‑defined formulas);
  • Comparison sessions (weights, ratings, scoring across metric groups).

2.3 Usage and Interaction Data

  • Companies/tickers viewed or researched;
  • Feature usage patterns (e.g., Discover, Learn, Compare flows);
  • Time spent, interaction events, and session metadata;
  • Clickstream within the Service (page views, navigation).

2.4 Technical and Device Data

  • IP address, approximate location at the city/region level;
  • Browser type/version, device type, and operating system;
  • Session cookies and similar identifiers;
  • localStorage values such as theme and UI state (client‑side preferences);
  • Diagnostic logs and error reports.

2.5 Administrative & Access Control Data

  • Invite codes and their status/history;
  • Account status (active, suspended), authentication events (success/failure).

2.6 Financial Data from Third Parties (Non‑Personal)

Corporate fundamentals, filings extracts, and derived analytics obtained from third-party services and/or other future providers. We do not collect or store your brokerage or trading account information. We do not display real‑time market prices in the UI.

3. Sources of Information

  • You (when you create an Account, use features, or contact us);
  • Your device and browser (through automated data collection as above);
  • Google OAuth (email, name, profile image for authentication);
  • Third‑party data providers for non‑personal fundamentals.

4. How We Use Information (Purposes & Legal Bases)

We process information for the following purposes:

4.1 Service Delivery and Operations

Authenticating users (Google OAuth), maintaining sessions, and saving user configurations (watchlists, comparisons, custom metrics, preferences).

Legal bases (EEA/UK): Contract performance; legitimate interests in providing a reliable Service.

4.2 Product Improvement and Research

Understanding feature usage; measuring performance; fixing bugs; developing new features (e.g., future Monitoring module); running A/B evaluations; creating aggregated analytics.

Legal bases: Legitimate interests in improving and securing the Service; consent where required.

4.3 Security and Abuse Prevention

Detecting suspicious activities, rate‑limit abuse, and unauthorized access attempts; logging diagnostics; protecting the Service and users.

Legal bases: Legitimate interests; compliance with legal obligations.

4.4 Communications

  • Sending administrative messages (e.g., changes to terms, security notices).
  • Sending newsletter updates only if you opt in.

Legal bases: Contract; legitimate interests; consent for marketing communications.

4.5 Compliance and Legal

Complying with applicable laws, regulations, legal process, and enforceable governmental requests; enforcing our Terms.

Legal bases: Legal obligations; legitimate interests.

We do not provide personalized investment advice, and we do not use your information to make decisions about your eligibility for financial products.

5. Cookies, localStorage, and Similar Technologies

5.1 Session Cookies (Required)

Used for authentication and session continuity. You cannot use the Service without these cookies.

5.2 localStorage (Preferences)

We use localStorage to store theme and client‑side UI preferences. These values generally remain on your device and are not transmitted unless needed for functionality.

5.3 No Third‑Party Advertising Cookies

We do not use third‑party advertising cookies or cross‑site tracking pixels.

5.4 Cookie Controls

Browser settings may allow you to block or delete cookies; the Service may not function properly if session cookies are disabled.

6. How We Share Information

We share personal information as described below:

6.1 Service Providers / Subprocessors

  • Google OAuth (authentication only; we receive email, name, profile image).
  • Neon Postgres (database hosting; encryption at rest).
  • AWS App Runner (application hosting).

These providers process personal information on our behalf under appropriate agreements and security measures.

6.2 Business Transfers

If we engage in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to continued protection and, where required, notice to you.

6.3 Legal and Safety

We may disclose information if required by law or legal process, or to protect rights, property, or safety of Polyform, users, or the public.

6.4 No Selling; No Advertising Sharing

We do not sell personal information and do not share it for cross‑context behavioral advertising.

6.5 Aggregated/De‑Identified Information

We may use and share aggregated or de‑identified information that cannot reasonably be used to identify you for analytics, research, and product improvement.

7. Data Retention

  • Active Accounts: We retain personal information while your Account is active.
  • Account Deletion: Upon verified deletion request, we delete personal information from active systems within 30 days.
  • Backups: Residual data may persist in backups for up to 90 days, after which it is overwritten in the ordinary course.
  • Newsletter: If you unsubscribe, we remove your email from mailing lists within 10 days.
  • Invite Codes: Retained for audit and access‑control integrity.
  • Logs: Security and diagnostic logs are retained for a limited period consistent with our security needs and legal obligations.

We may retain certain information as necessary to comply with law, resolve disputes, or enforce our agreements.

8. Your Rights and Choices

Depending on your location, you may have the following rights:

  • Access — Request confirmation whether we process your personal information and obtain a copy.
  • Correction — Request correction of inaccurate or incomplete personal information.
  • Deletion — Request deletion of personal information, subject to lawful exceptions.
  • Portability — Request a machine‑readable export (e.g., JSON/CSV) of certain personal information you provided.
  • Restriction/Objection — Object to or request restriction of certain processing (e.g., for product improvement) where permitted by law.
  • Marketing Opt‑Out — Unsubscribe from newsletters at any time.
  • Appeal — Where applicable law provides an appeal right for denied requests, you may appeal by responding to our decision notice with "Appeal."
  • Authorized Agent — In certain jurisdictions (e.g., California), you may designate an authorized agent to make requests on your behalf, subject to verification.

How to Exercise Your Rights

Email: privacy@heroscout.com

We may verify your identity (and, if applicable, your agent's authority) before fulfilling requests. We respond within the timeframes required by applicable law.

We will not discriminate against you for exercising privacy rights (e.g., denying the Service or offering a different level or quality of Service), provided that we may not be able to deliver certain features without necessary processing.

9. Security

We employ reasonable administrative, technical, and physical safeguards designed to protect information, including:

  • HTTPS for all traffic;
  • Encryption at rest for databases (Neon);
  • OAuth 2.0 authentication (no password storage);
  • Access controls and least‑privilege practices;
  • Regular security updates and monitoring.

No system is 100% secure. We cannot guarantee absolute security of information transmitted or stored.

Vulnerability Reporting: If you believe you have found a security vulnerability, please email info@heroscout.app with details so we can investigate.

10. International Data Transfers

We primarily process data in the United States (e.g., AWS and Neon infrastructure). If you access the Service from outside the U.S., you understand that your information may be transferred to, stored, and processed in the U.S. and other countries with different data protection laws.

For EEA/UK users, where applicable, we rely on appropriate safeguards (such as Standard Contractual Clauses) for transfers and take steps to protect your information consistent with applicable law.

11. Children's Privacy

The Service is not intended for individuals under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information, contact us and we will take appropriate steps to delete it.

12. Do Not Track and Global Privacy Control

Some browsers offer Do Not Track (DNT) or Global Privacy Control (GPC) signals. We do not use third‑party advertising cookies or cross‑site tracking. Where legally required and technically feasible, we will treat a valid GPC signal as an opt‑out of "sale"/"sharing" (which we do not perform).

13. Automated Decision‑Making and Profiling

We do not use personal information for automated decision‑making that produces legal or similarly significant effects about you. We may analyze aggregate usage to improve features, security, and reliability.

14. State‑Specific Notices (California and Others)

14.1 California (CPRA) Notice at Collection

  • Categories Collected: Identifiers (email); Internet/network activity (usage logs); Geolocation (approximate, from IP); Inferences (aggregate usage trends); User content (watchlists, notes, custom metrics); Professional information (if provided in communications).
  • Sensitive Personal Information: We do not intentionally collect sensitive personal information as defined by CPRA (e.g., SSN, precise geolocation, financial account numbers).
  • Purposes: See Section 4 (Service delivery, security, improvement, communications, compliance).
  • Retention: See Section 7.
  • Sale/Sharing: We do not sell or share your personal information for cross‑context behavioral advertising.
  • Rights: Access, deletion, correction, portability, opt‑out of sale/sharing (not applicable), limit use of sensitive PI (not applicable), and non‑discrimination (see Section 8).

14.2 Virginia/Colorado/Connecticut/Utah

We process personal data for the purposes described in Section 4. You may have rights to access, delete, correct, or opt out of certain processing, and to appeal a denial (see Section 8).

14.3 "Shine the Light" (California Civil Code §1798.83)

We do not disclose personal information to third parties for their direct marketing purposes.

15. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you (e.g., via email or prominent notice in the Service). Continued use after the effective date constitutes acceptance of the updated Policy. The Last Updated date appears at the top.

16. Contact Us

Controller: Polyform Holdings LLC

General Contact: info@heroscout.app

Privacy Requests: privacy@heroscout.com

Website: heroscout.app