Legal
Privacy Policy
Effective: May 1, 2026 · Last updated: May 1, 2026
In short: We collect only what we need to run a trade-journal service (your email, the trades you log, basic security and traffic data). We do not sell or share your personal data for cross-context behavioral advertising. You can access, correct, export, or delete your data at any time. The full text below explains your rights under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable laws.
1. Who We Are (Controller / Business)
This Privacy Policy is issued by Stable Income Strategy ("Stable Income Strategy", "we", "us", or "our"), the entity that operates the website and service available at our domains and applications (collectively, the "Service").
For purposes of GDPR and the UK GDPR, we are the "controller" of your personal data. For purposes of CCPA, we are the "business."
Contact: privacy@simplyflows.com. For data-protection requests, please use this email and include "Privacy Request" in the subject line.
EU / UK Representative. If we are required under Article 27 of the GDPR or UK GDPR to designate a representative in the European Union or United Kingdom, we will appoint one and publish their contact details here. Until then, data subjects in those regions may contact us at the email above; we will respond in accordance with Section 10.
Notice at Collection. This Privacy Policy serves as the "notice at collection" required by California Civil Code §1798.100(b) and analogous notice requirements in other jurisdictions. The categories of personal information we collect, the purposes for which we use them, and our retention practices are described in Sections 3, 5, and 9.
2. Scope
This Privacy Policy applies to personal data we process when you visit our website, register for or use the Service, communicate with us, or otherwise interact with us. It does not apply to third-party websites, services, or providers (such as your broker) that are linked from or referenced by the Service; those have their own privacy policies, which we encourage you to read.
3. Categories of Personal Data We Collect
We collect the following categories of personal data:
| Category (CCPA reference) | Examples |
|---|---|
| Identifiers (Cal. Civ. Code §1798.140(v)(1)(A)) | Email address, account ID, IP address, device identifiers |
| Internet or other electronic network activity (§1798.140(v)(1)(F)) | Pages viewed, referring URLs, browser type and version, OS, session timestamps, basic interaction events |
| User-generated content | Trade journal entries you input (ticker, strike, premium, expiration, type, status, dates), broker account labels (names only — no broker credentials), configurations, notes, positions you mark public |
| Inferences (§1798.140(v)(1)(K)) | Aggregated and derived statistics from your journal data (e.g., weekly premium totals, target progress, run-rate) |
| Communications | Emails or messages you send to us (e.g., support requests) |
What we do not collect. We do not knowingly collect: government identifiers (Social Security number, driver's license, passport), financial account numbers, payment card data, brokerage credentials or balances, biometric information, precise geolocation data, sensory data (audio/video recordings), health information, racial or ethnic origin, religious or philosophical beliefs, union membership, sexual orientation, or any other category of "sensitive personal information" as defined under CPRA Cal. Civ. Code §1798.140(ae). The Service is not designed to handle or solicit such data.
4. Sources of Personal Data
- Directly from you — when you create an account, log a trade, configure a ticker, send us a message, or toggle a position public.
- Automatically — through your device and browser when you access the Service (server logs, cookies, similar technologies).
- From service providers — for example, an email-delivery provider that confirms whether your magic-code email was delivered, or our hosting/database providers that route requests.
5. Purposes of Processing and Legal Bases (GDPR Art. 6)
| Purpose | Legal basis (GDPR) | CCPA business purpose |
|---|---|---|
| Create and authenticate your account; deliver magic-code login | Performance of a contract (Art. 6(1)(b)) | Performing services; security |
| Provide the journal feature and store the trades you input | Performance of a contract | Performing services |
| Display positions you have marked public | Consent (Art. 6(1)(a)) — toggling public is the consent action; you may revert at any time | Performing services |
| Maintain the security and integrity of the Service; prevent abuse, fraud, and unauthorized access | Legitimate interests (Art. 6(1)(f)) | Detecting security incidents; protecting against fraud |
| Aggregate and anonymized analytics to operate, debug, and improve the Service | Legitimate interests | Internal research; auditing |
| Communicate with you about service changes, security alerts, and your account | Performance of a contract; legitimate interests | Performing services |
| Comply with legal obligations and respond to lawful requests | Legal obligation (Art. 6(1)(c)) | Compliance with law |
| Establish, exercise, or defend legal claims | Legitimate interests | Compliance with law |
Where processing is based on legitimate interests, we have balanced our interests against your rights and freedoms. You may object to such processing as described in Section 10.
6. Sensitive Personal Information
We do not collect, process, infer, sell, or share "sensitive personal information" as defined in Cal. Civ. Code §1798.140(ae) or special categories of personal data as defined in GDPR Art. 9. Because no such data is processed, no CPRA right to limit the use of sensitive personal information applies to us.
7. How We Share Personal Data
We do not sell or rent your personal data, and we do not share it for cross-context behavioral advertising. We disclose personal data only as described below, and only to the extent necessary for the relevant purpose. We require third parties handling personal data on our behalf to enter into agreements obligating them to maintain appropriate technical and organizational measures.
| Recipient category | Purpose |
|---|---|
| Hosting and infrastructure providers | Run the Service's servers and edge network |
| Database and storage providers | Persist account and journal data, run backups |
| Email delivery provider | Send magic-code login emails and transactional notices |
| Analytics providers (if and when in use) | Aggregated traffic and product analytics |
| Professional advisors | Legal, accounting, and audit services |
| Government, regulatory, or law-enforcement bodies | When required by law, regulation, subpoena, court order, or to protect rights |
| Successor entity | In a merger, acquisition, financing, reorganization, sale of assets, or insolvency |
| Public website visitors | Only the data you have voluntarily marked as public |
No sale or sharing. Stable Income Strategy has not in the past 12 months sold, and does not currently sell or share, personal data within the meaning of CCPA. We do not knowingly sell or share the personal data of any consumer, including consumers under 16 years of age.
8. International Data Transfers
We are based in, and primarily process personal data in, the United States. If you access the Service from outside the U.S., your personal data will be transferred to and processed in the U.S. or other jurisdictions whose data protection laws may differ from those in your country.
Where we transfer personal data of individuals in the European Economic Area ("EEA"), the United Kingdom, or Switzerland to countries that have not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards under GDPR Arts. 44–50, including:
- the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), using the Module appropriate to the transfer (typically Module 2 for controller-to-processor transfers);
- the United Kingdom International Data Transfer Addendum to the EU SCCs (issued under section 119A of the UK Data Protection Act 2018) for transfers from the UK;
- the addendum recognized by the Swiss Federal Data Protection and Information Commissioner for transfers from Switzerland;
- where applicable, the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (each adopted by the European Commission, UK Secretary of State, and Swiss Federal Council respectively) where we or a recipient is or becomes self-certified;
- supplementary technical and organizational measures where appropriate to address the legal landscape of the destination country.
You may request a copy of the relevant safeguards (with redactions for confidentiality) by emailing us at the address in Section 1.
9. Retention
We retain personal data only for as long as needed for the purposes described in this Policy, unless a longer period is required or permitted by law. Specifically:
- Account data (email, account record): for the lifetime of your account and for up to 30 days after account deletion (to allow account recovery and to satisfy any pending legal obligations).
- Journal data (trades, configurations, notes): until you delete the data or close your account.
- Server logs and security logs: typically 30–90 days, longer if relevant to a security incident or legal matter.
- Backups: overwritten on a rolling schedule of up to 35 days.
- Records relevant to legal claims, regulatory, or tax obligations: for the period required under applicable law (typically up to seven years).
- Public positions: retained while public; once toggled non-public or deleted, removed from our active systems but may persist in third-party caches outside our control.
When data is no longer needed, we delete or irreversibly anonymize it.
10. Your Rights — GDPR / UK GDPR
If you are in the EEA, the United Kingdom, or Switzerland, you have the following rights, subject to applicable conditions and exemptions:
- Right of access — confirmation whether we process your personal data and, if so, a copy together with the information required by Art. 15.
- Right to rectification — to have inaccurate or incomplete data corrected.
- Right to erasure ("right to be forgotten") — to have personal data deleted in the circumstances of Art. 17.
- Right to restriction of processing — under Art. 18.
- Right to data portability — to receive a copy of personal data you provided to us in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Right to object — to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent — at any time, where processing is based on consent (this does not affect the lawfulness of processing before withdrawal).
- Right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects (Art. 22).
- Right to lodge a complaint with a data-protection supervisory authority — in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement; in the UK, the Information Commissioner's Office (ico.org.uk).
To exercise these rights, email us at the address in Section 1. We will respond within the timeframes required by applicable law (generally one month under GDPR, extendable by two months for complex requests). We may need to verify your identity before responding.
11. Your Rights — CCPA / CPRA (California)
If you are a California resident, the CCPA gives you the following rights, subject to certain exceptions:
- Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties to whom we have disclosed the information.
- Right to delete personal information we have collected from you, subject to statutory exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information. We do not sell or share personal information; nevertheless, you may make this request and we will confirm the same in writing.
- Right to limit the use and disclosure of sensitive personal information. We do not collect sensitive personal information.
- Right to non-discrimination for exercising any CCPA right.
- Right to designate an authorized agent to make a request on your behalf. We may require the agent to provide written authorization and may verify your identity directly.
How to exercise your CCPA rights. Send a request by email to privacy@simplyflows.com or through any web form we make available. We will verify your request by matching information you provide against the information we already hold (typically your account email and information about your activity on the Service). For sensitive categories or high-risk requests we may ask for additional verification.
Response timelines. We will acknowledge receipt of a verifiable consumer request within ten (10) business days of receipt and respond substantively within forty-five (45) calendar days, as required by Cal. Civ. Code §1798.130(a)(2). Where reasonably necessary, we may extend the response period by up to an additional 45 days with notice to you of the reason for the extension.
Right to appeal. If we deny your privacy request in whole or in part, you may appeal that decision by replying to our denial email within sixty (60) days. We will respond in writing to your appeal within sixty (60) days, explaining any action taken or not taken and (in jurisdictions that require it, such as Virginia, Colorado, Connecticut, Minnesota, and similar states) providing information on how to contact your state attorney general or supervisory authority if you remain dissatisfied.
Global Privacy Control. Where required, we honor opt-out preference signals such as the Global Privacy Control (GPC). Because we do not sell or share personal information, the GPC will simply be acknowledged.
Categories disclosed for a business purpose in the prior 12 months. Identifiers, internet/network activity, and user-generated content, disclosed to the recipient categories listed in Section 7. Categories sold or shared in the prior 12 months: none.
California Shine the Light (Cal. Civ. Code §1798.83). We do not disclose personal information to third parties for their own direct-marketing purposes.
12. Other U.S. State Privacy Rights
Residents of other U.S. states with comprehensive privacy laws — including, as of the effective date of this Policy: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Delaware (DPDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), New Jersey (NJDPA), Florida (FDBR), Maryland (MODPA), Minnesota (MCDPA), New Hampshire (NHPA), Rhode Island (RIDPPA), Kentucky (KCDPA), and others as their laws take effect — have rights similar to those described in Section 11. Depending on the state, these include the right to confirm and access personal data, correct inaccurate data, delete personal data, obtain a portable copy, opt out of targeted advertising, opt out of the sale of personal data, opt out of profiling for decisions producing legal or similarly significant effects, and appeal a denial of a request.
How to exercise. Send requests to privacy@simplyflows.com. We will respond within the timeframe required by applicable law (commonly 45 days, extendable by an additional 45 days where permitted). Our appeal process is described in Section 11.
Nevada (SB 220). Nevada residents may opt out of the sale of certain personal information. We do not sell personal information; you may submit a confirmatory request to the same email above.
Washington "My Health My Data" Act. We do not collect "consumer health data" as defined under that Act.
13. Cookies and Similar Technologies
We use a small number of cookies and similar technologies. Where required by law, we obtain consent before placing non-essential cookies through a consent banner.
| Category | Purpose | Lifetime |
|---|---|---|
| Strictly necessary | Authentication session, CSRF protection, security | Session or up to 30 days |
| Preferences | Remember UI choices (e.g., dismissed banners) | Up to 12 months |
| Analytics (if used) | Aggregated, anonymized traffic measurement | Up to 24 months |
You can control cookies through your browser settings. Blocking strictly necessary cookies will impair the Service. We honor browser-based opt-out signals (such as GPC) where required.
14. Children's Privacy
The Service is intended for adults (see eligibility requirements in our Terms of Service). It is not directed to children, and we do not knowingly collect personal data from any child:
- under 13 years of age in the United States, in compliance with the Children's Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506;
- under the age set by the relevant Member State under GDPR Article 8 (between 13 and 16; 16 by default if the Member State has not specified a lower age) for offers of information-society services to children;
- under 16 in California for purposes of the CCPA opt-in to sale or sharing (Cal. Civ. Code §1798.120(c)).
If you are a parent or guardian and believe a child has provided us personal data, please contact us at the email in Section 1 and we will promptly delete it.
15. Automated Decision-Making and Profiling
We do not engage in automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you within the meaning of GDPR Art. 22 or analogous state-law provisions.
16. Security
We implement reasonable and appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include encryption in transit (TLS), encryption at rest where applicable, access controls, the use of reputable hosting and database providers, principle-of-least-privilege access for personnel, and periodic review of our security posture.
No method of transmission or storage is completely secure. You are responsible for keeping your account credentials confidential and notifying us promptly of any suspected unauthorized access. In the event of a personal-data breach, we will notify the relevant supervisory authorities and affected individuals as required by applicable law (including, where applicable, within 72 hours under GDPR Art. 33).
17. Public Information You Choose to Share
The Service lets you mark a ticker position as "public." When you do, the following information about that position becomes accessible to anyone visiting the Service, including unauthenticated visitors and search-engine crawlers:
- the ticker symbol and any free-text notes you have attached to it;
- the trades you have logged for that ticker — including trade date, expiration date, strike, type (put/call/buy/sell), premium, and status;
- aggregate weekly statistics (e.g., weekly premium total, target progress, average per week, next expiry) derived from those trades;
- the total investment, target weekly premium, and similar configuration values you have set for the ticker.
We do not publish your email address, account identifier, broker account names, IP address, or any other personal identifier in connection with public positions; public positions are displayed in aggregate without attribution to a specific user.
You control the toggle. You can revert a public position to private at any time from the dashboard. Once reverted (or if you delete the ticker), the data is removed from public views; however, copies that were already cached, archived, or copied by third parties (such as search engines or web archives) may persist outside our control. Mark a position public only if you accept this consequence.
18. Third-Party Links and Services
The Service may contain links to or references to third-party websites, services, or products (for example, brokers or external resources). We do not control and are not responsible for their privacy practices. We encourage you to read their privacy policies before providing any personal data.
19. Financial Incentives
We do not offer financial incentives in exchange for personal information within the meaning of CCPA Cal. Civ. Code §1798.125(b).
20. Do Not Track
We do not respond to "Do Not Track" (DNT) browser signals because no common industry standard has been adopted. Where required by law, we honor opt-out preference signals such as the Global Privacy Control (GPC).
21. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top of this page reflects the latest version. For material changes, we will use commercially reasonable efforts to provide additional notice (such as by email or in-product notice). Your continued use of the Service after the effective date of any change constitutes acceptance of the revised Policy.
22. Contact Us
If you have any question, request, or complaint regarding this Privacy Policy or our processing of your personal data, please contact us:
If you are in the EEA or UK and we have not satisfactorily addressed your concern, you may lodge a complaint with your local supervisory authority (see Section 10).
By using the Service, you acknowledge that you have read this Privacy Policy and understand how we process your personal data.