How We Handle Your Data

We know you’re trusting us with important information—including investment data. This page explains how we handle your data in plain language. For complete legal details, see our Privacy Policy.

Our Data Philosophy

Collect only what we need — No data hoarding “just in case”
Protect everything we have — Your security is a priority
Be transparent — You should understand what happens with your information

What Data We Collect

Data You Give Us

Data Type	Why We Need It
Email address	Account login, communications
Password	Secure access (stored encrypted)
Name (optional)	Personalization
Watchlists	Save and display your watchlists
Portfolio entries	Show holdings and performance
AI conversations	Provide research assistance
Support messages	Help you when needed

Data We Collect Automatically

Data Type	Why We Need It
Device type	Optimize experience
Browser info	Ensure compatibility
IP address	Security, fraud prevention
Usage patterns	Improve the product
Error logs	Fix bugs

Data from Connected Services

Brokerage via Plaid: [REVIEW REQUIRED: Confirm Plaid data fields]

Holdings/positions — Display portfolio
Cost basis — Calculate gains/losses
Transaction history — Track performance

Important: We NEVER receive or store your brokerage password.

What We DON’T Collect

Social Security numbers
Full credit card numbers (Stripe handles payments)
Brokerage login credentials
Bank account numbers
Tax identification numbers
Government IDs

How We Protect Your Data

Encryption

In Transit: TLS/HTTPS encryption (same as banks)
At Rest: AES-256 encryption in databases

Access Controls

Only authorized employees access user data
Access limited to job necessity
All access logged and audited

Infrastructure Security [REVIEW REQUIRED: List certifications]

Secure cloud infrastructure
Regular security audits
Automated threat detection
DDoS protection

Password Security

Never stored in plain text
Hashed using bcrypt
Two-factor authentication supported

How We Use Your Data

Provide Service: Display portfolios/watchlists, power AI, send alerts, process payments
Improve Service: Analyze usage (anonymized), fix bugs, develop features
Communicate: Updates, support, marketing (opt-in only), security alerts

AI Training [REVIEW REQUIRED: Legal review]

We may use anonymized conversation data to improve AI. Before training:

PII is removed
Data is aggregated
Safeguards prevent memorization

Opt out by emailing [email protected].

Who Can Access Your Data

Our Team

Customer support (to help you)
Engineering (to fix issues)
Security (to protect against threats)

Service Providers [REVIEW REQUIRED: List all processors]

Partner	Purpose	Access
Stripe	Payments	Billing info
Plaid	Brokerage	Auth tokens only
Cloud hosting	Infrastructure	Encrypted data
Email service	Notifications	Email addresses

All partners contractually required to protect your data.

We Never Sell Your Data

We do not sell, rent, or trade your personal information.

Brokerage Connection Security

How Plaid Works

You enter credentials directly with Plaid (not us)
Plaid verifies identity with your brokerage
Plaid gives us a secure token
We fetch read-only portfolio information

We never see your brokerage password.

What We CAN’T Do

Make trades in your account
Transfer money
Change brokerage settings
Access your password

Disconnecting

Disconnect your brokerage anytime in Portfolio settings. [REVIEW REQUIRED: Add link]

Payment Data Security

How Stripe Works

Card details go directly to Stripe
We only see last 4 digits
Stripe is PCI DSS Level 1 certified

What We Store

Billing name/address (for invoices)
Card type and last 4 digits (for display)
Transaction history

What We Don’t Store

Full card numbers
CVV/security codes
Bank account numbers

Your Data Rights

See Your Data: View in settings or download a copy
Correct Your Data: Update anytime in account settings
Delete Your Data: Delete your account anytime
Control Communications: Manage in notification settings

Data Retention [REVIEW REQUIRED: Verify periods]

Data Type	Retention After Deletion
Personal data	30 days
Backups	90 days
Anonymized usage	Indefinite (not linked to you)
Payment records	As required by law

International Users

Rallies is US-based. Data from outside the US is transferred to and processed in the US. [REVIEW REQUIRED: Add EU provisions if applicable]

Children’s Privacy

Rallies is for adults only (18+). Contact us if you believe a child created an account.

Questions?

Email: [email protected] Response time: Within 30 days.

Quick Reference

Question	Answer
Do you sell my data?	No, never
Can you see my brokerage password?	No
Is my data encrypted?	Yes, in transit and at rest
Can I delete my data?	Yes, anytime
Can I download my data?	Yes, through settings
Who accesses my data?	Only authorized team and necessary providers

Getting Started

Account

Billing & Subscription

AI Assistant

Research Tools

Watchlists

Portfolio

Data & Sources

Mobile App

AI Arena

Troubleshooting

Legal

Support

​How We Handle Your Data

​Our Data Philosophy

​What Data We Collect

​Data You Give Us

​Data We Collect Automatically

​Data from Connected Services

​What We DON’T Collect

​How We Protect Your Data

​Encryption

​Access Controls

​Infrastructure Security [REVIEW REQUIRED: List certifications]

​Password Security

​How We Use Your Data

​AI Training [REVIEW REQUIRED: Legal review]

​Who Can Access Your Data

​Our Team

​Service Providers [REVIEW REQUIRED: List all processors]

​We Never Sell Your Data

​Brokerage Connection Security

​How Plaid Works

​What We CAN’T Do

​Disconnecting

​Payment Data Security

​How Stripe Works

​What We Store

​What We Don’t Store

​Your Data Rights

​Data Retention [REVIEW REQUIRED: Verify periods]

​International Users

​Children’s Privacy

​Questions?

​Quick Reference

​Related Articles