Honest answers about what we store, how it is protected, and what we cannot yet claim.
§ What data we store
›Account: email address, bcrypt-hashed password (cost factor 12), plan tier, Stripe customer ID.
›Watchlists: ticker symbols, notes, price targets you set.
›Portfolios: tickers, share counts, cost basis you enter.
›Alerts: condition parameters, trigger history (retained per plan tier).
›Journal: trade notes and tags you write.
›We do not store brokerage credentials, bank details, or Social Security numbers.
§ Encryption
›All traffic: TLS 1.2+ enforced. HSTS enabled.
›Passwords: bcrypt-hashed, never stored in plaintext or in any reversible form.
›Database: MongoDB Atlas with encryption at rest (AES-256).
›Sessions: HttpOnly, Secure, SameSite=Lax cookies carrying a signed JWT; no session state is stored server-side.
›API keys (Master plan): stored as bcrypt hashes. The key is shown once on creation.
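The stateless session design above (a signed JWT carried in an HttpOnly, Secure, SameSite=Lax cookie, with nothing kept server-side) is shown below as an added example. It is not Thastock's code and assumes an HS256 signature over a server-side secret, a `sub` claim for the user id and an `exp` claim for expiry; the token format, cookie name and secret are constructed for the example. The verifier pins the algorithm, checks the signature in constant time and rejects expired or tampered tokens, which is the behaviour a defender wants to confirm before trusting a cookie-borne session.

```python
# Added example, not Thastock's own code. Standard library only.
# Assumptions: HS256 (HMAC-SHA256) signing, 'sub' = user id, 'exp' = expiry (epoch seconds).
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET = b"replace-with-a-long-random-server-secret"  # constructed placeholder, never commit a real one
COOKIE_NAME = "session"                                 # assumed cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str) -> bytes:
    return hmac.new(SECRET, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_session_token(user_id: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Build header.payload.signature with an expiry; nothing is written to a server-side store."""
    now = time.time() if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": int(now), "exp": int(now) + ttl_seconds}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    return signing_input + "." + _b64url(_sign(signing_input))


def verify_session_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        # Pin the algorithm: the 'alg' field in an untrusted token must never choose the check.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        # Constant-time comparison so signature checking does not leak timing.
        if not hmac.compare_digest(_sign(f"{h}.{p}"), _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
            return None
        if now >= claims["exp"]:
            return None
        return claims
    except ValueError:  # bad base64, bad JSON, wrong number of segments
        return None


def session_cookie_header(token: str, max_age: int = 3600) -> str:
    """Set-Cookie value: HttpOnly (no script access), Secure (HTTPS only), SameSite=Lax (not sent on cross-site POSTs)."""
    return f"{COOKIE_NAME}={token}; Max-Age={max_age}; Path=/; HttpOnly; Secure; SameSite=Lax"


def cookie_attributes(header: str) -> set:
    """Attribute names present on a Set-Cookie value, for checking the protections are actually set."""
    return {part.strip().split("=")[0] for part in header.split(";")[1:]}


def tamper_subject(token: str, new_sub: str) -> str:
    """Rewrite the 'sub' claim without re-signing, to show that verification rejects it."""
    h, p, s = token.split(".")
    claims = json.loads(_b64url_decode(p))
    claims["sub"] = new_sub
    return h + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s


if __name__ == "__main__":
    tok = mint_session_token("user-42", ttl_seconds=3600, now=1_700_000_000)
    print(session_cookie_header(tok))
    print("valid  :", verify_session_token(tok, now=1_700_000_100))
    print("expired:", verify_session_token(tok, now=1_700_003_600))
    print("tampered:", verify_session_token(tamper_subject(tok, "user-1"), now=1_700_000_100))
```

Because the cookie is HttpOnly, a script injected into a page cannot read the token; because it is SameSite=Lax, a form posted from another origin does not carry it; and because the server keeps no session table, revocation before expiry needs a short `exp` or a separate denylist, which is the trade-off of the stateless design the page describes.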
§ Third-party data access
›Stripe: receives email and billing details for subscription processing. We do not store card numbers.
›OpenAI: receives ticker symbols and a brief prompt when you run AI research. No personal data is sent.
›Yahoo Finance: public market data API. No user data is transmitted.
›Vercel: hosts the application. Infrastructure-level access only.
›MongoDB Atlas: hosts the database. Access restricted to application service account.
§ Broker connection model
›Thastock does not connect to your broker.
›Portfolio positions and cost basis are entered manually by you.
›We cannot read your brokerage account, place trades, or access your funds.
§ Compliance status
›SOC 2: Not certified. Thastock is an early-stage product and has not completed a SOC 2 audit.
›GDPR: We process EU user data. Email adelsherif8@gmail.com for data export or deletion requests.
›CCPA: California residents may request a list of data we hold. Same contact.
§ Incident response
›Affected users are notified by email within 72 hours of a confirmed breach.
›Notification includes: what was accessed, when, and what actions to take.
›Passwords are bcrypt-hashed, so a database breach exposes only the bcrypt hashes, not raw passwords.