Privacy Policy
Last updated: 2026-05-02
StockClub ("we", "us", "the Service") is operated by Halyard Systems. This policy describes what information we collect, how we use it, and the choices you have.
What we collect
Account information
- Email address (required to create an account).
- Hashed password, if you sign in with a password.
- Provider identifier, if you sign in with Google, Microsoft, or Apple.
- Multi-factor authentication factors you enroll: TOTP secret (encrypted), bcrypt-hashed recovery codes, and registered passkey credentials.
Brokerage information
When a club admin connects a brokerage account through Plaid, we receive and store:
- The brokerage institution name.
- A Plaid Item identifier.
- An encrypted access token issued by Plaid.
- Read-only investment holdings (positions, share counts, market values, security identifiers) when you or another club member loads a page that displays them.
We do not receive your brokerage login credentials. We do not initiate trades, transfers, or any other actions on your brokerage account. Our access is read-only.
Usage information
- IP address, browser, and request timestamps in our server logs.
- Session and authentication cookies necessary to keep you signed in.
How we use it
- To authenticate you and protect your account.
- To display your club's brokerage holdings.
- To send transactional email related to your account (verification, magic link, MFA codes, club invites).
- To investigate security incidents and comply with the law.
We do not sell your information. We do not use it for advertising. We do not share it with third parties except as listed below.
Who we share it with
- Plaid Inc. — Plaid acts as our service provider for retrieving brokerage data. Plaid's handling of your data is governed by their own privacy policy at plaid.com/legal.
- Email service provider — outbound email is delivered through Brevo.
- OAuth providers — if you sign in with Google, Microsoft, or Apple, those providers know that you authenticated to our Service.
- Hosting provider — our infrastructure runs on a virtual private server; the operator may have technical access to data at rest, which is encrypted.
- Government or legal requests — we will respond to lawful requests when we are legally required to.
Where we store it
The Service runs on infrastructure located in the United States. By using the Service, you consent to your information being processed there.
How long we keep it
- Account data is retained for as long as your account is active.
- Brokerage connection data is retained while the connection exists; disconnecting a brokerage immediately removes the access token and stops further data retrieval.
- Server logs are retained for up to 90 days.
- Account deletion requests are honored within 30 days.
Security
- All passwords are hashed with bcrypt.
- TOTP secrets and brokerage access tokens are encrypted at rest with AES-256-GCM.
- Recovery codes are bcrypt-hashed and single-use.
- Production traffic is served over TLS.
- Access to systems handling consumer financial data requires phishing-resistant multi-factor authentication.
No security system is perfect. If you suspect a security issue, please email contact@halyard.systems.
Cookies
We set strictly necessary cookies:
- A session cookie that keeps you signed in.
- An optional remember-me cookie (14 days) if you check the box at login.
- An optional remember-this-device cookie for MFA (30 days, SameSite=Strict, HttpOnly) if you check the box at the MFA challenge.
We do not use analytics, tracking, or advertising cookies.
Your choices
- Disconnect a brokerage: any club admin can disconnect their club's brokerage at any time from the Club Management page.
- Remove an MFA factor: from the Two-factor authentication settings page.
- Change your email: from the Settings page.
- Delete your account: email contact@halyard.systems with the subject line "Delete account". We will confirm the request and complete deletion within 30 days.
- Object, restrict, or request a copy of your data: same email contact.
Children
The Service is not directed to anyone under 18. We do not knowingly collect information from children.
Changes
We may update this policy. The "last updated" date at the top reflects the current version.
Contact
Halyard Systems
contact@halyard.systems