Legal

Privacy Policy

Effective: April 20, 2026

At NSTACK AI Inc., doing business as Wealthstack AI ("Wealthstack," "we," "us," or "our"), we are committed to protecting the privacy and security of the information entrusted to us. This Privacy Policy describes how we collect, use, share, and protect personal information when you use the Wealthstack platform, website, and related services (collectively, the "Services").

We recognize that as a platform serving wealth management professionals, we handle sensitive financial data that demands the highest standards of care. This policy is designed to be transparent about our practices and to comply with applicable privacy laws, including the California Consumer Privacy Act (CCPA/CPRA), the General Data Protection Regulation (GDPR), SEC Regulation S-P, and the Gramm-Leach-Bliley Act (GLBA).

Important Notice

Wealthstack is a technology platform provider, not a registered investment adviser, broker-dealer, or financial planner. We process financial data on behalf of licensed professionals to power technology tools. We do not provide investment advice, make investment recommendations, or exercise discretionary authority over any client accounts.

The data we collect and process is used solely to provide and improve our technology Services. We do not use your Client Data to train general-purpose AI models, and we do not sell, rent, or share your personal information or financial data with third parties for their independent commercial purposes.

1. Scope of This Policy

This Privacy Policy applies to all personal information collected through the Services, including our website at wealthstack.ai, our platform applications, APIs, and any related communications. This policy does not apply to third-party websites, services, or applications that may be linked from our Services, each of which is governed by its own privacy policy.

When we process data on behalf of our clients (for example, end-client financial data submitted by a wealth management firm), we act as a data processor. Our handling of such data is governed by the applicable service agreement with that client. You, as the advisory firm, remain the data controller with respect to your end-client data and are responsible for obtaining any necessary consents or authorizations from your clients.

2. Information We Collect

2.1 Information You Provide

Category | Examples
Account Information | Name, email address, phone number, company name, job title, CRD number, account credentials
Financial Data | Portfolio data, custodial account information, CRM records, client lists, transaction histories, account balances, holdings data, and other data submitted through integrations
Communications | Support requests, feedback, survey responses, and correspondence with our team
AI Interaction Data | Queries submitted to NAIA, prompt history, AI-generated outputs you save or share, and feedback you provide on AI responses
Billing Information | Payment card details, billing address, and transaction records (processed by our PCI-compliant payment processor; we do not store full card numbers)

2.2 Information Collected Automatically

Category | Examples
Device and Browser Data | IP address, browser type and version, operating system, device identifiers, screen resolution
Usage Data | Pages visited, features used, click patterns, time spent on pages, search queries within the platform
Log Data | Access timestamps, referring URLs, error logs, and API call records

2.3 Information from Third Parties

We may receive information from third-party integrations that you authorize, including custodial platforms (e.g., Schwab, Fidelity, Pershing), CRM systems, market data providers, and compliance tools. We process this data solely in accordance with the permissions you grant and the terms of our service agreement. We do not independently solicit or collect data from your end clients.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Services, including generating AI-powered insights, analytics, and reports
  • Authenticate your identity and manage your account
  • Process your financial data through our AI systems to generate portfolio analytics, compliance summaries, client communication drafts, and other outputs as part of the Services
  • Process transactions and send related information, including confirmations and invoices
  • Respond to your requests, comments, and questions and provide customer support
  • Monitor and analyze usage patterns to improve the Services, develop new features, and enhance user experience
  • Detect, prevent, and address fraud, security incidents, and technical issues
  • Comply with legal obligations, including regulatory reporting and audit requirements
  • Send you technical notices, updates, security alerts, and administrative communications

We do not use your information to provide investment advice, make investment recommendations, or exercise discretionary authority over any accounts. All data processing is performed solely to power the technology tools you use in your professional capacity.

4. AI and Automated Processing

Our Services employ artificial intelligence and machine learning to analyze financial data and generate actionable insights. We want to be transparent about how this works:

4.1 How AI Processes Your Data

When you use the Services, your data may be processed by AI models to generate portfolio analytics, compliance summaries, client communication drafts, natural language responses, and other outputs. This processing occurs within our secure infrastructure and is subject to the same security controls as all other data processing. Your data is processed in isolated, tenant-specific environments and is not commingled with data from other clients during AI processing.

4.2 AI Output Limitations

AI-generated outputs are informational and decision-support tools only. They may contain errors, omissions, or inaccuracies. AI outputs do not constitute investment advice, financial planning recommendations, or any form of professional guidance. You are solely responsible for reviewing, validating, and approving all AI-generated content before relying on it or sharing it with clients.

4.3 Third-Party AI Providers

To the extent that our AI Features incorporate models or services built or provided by third parties ("AI Providers"), your data shared with AI Providers is subject to contractual obligations that prohibit those providers from using your data for model training, marketing, or any purpose other than processing your specific request. We carefully vet all AI Providers for security, privacy, and compliance standards.

4.4 Human Oversight

All AI-generated outputs are designed to be reviewed by qualified professionals before action is taken. We maintain human oversight of our AI systems and regularly audit their performance for accuracy, bias, and reliability. Consistent with SEC guidance on the use of AI in investment management, we do not deploy AI systems that operate autonomously without human review in any context that could affect investment decisions or client outcomes.

5. AI Model Training and Your Data

We make the following commitments regarding AI model training and your data:

  • No general-purpose model training. We do not use your Client Data, financial data, portfolio information, or AI interaction data to train general-purpose AI or machine learning models.
  • No cross-client data sharing. Your data is never used to generate insights, analytics, or outputs for other clients. Each client's data is processed in isolation.
  • Aggregated analytics only with consent. We may use aggregated, de-identified usage patterns (stripped of all personally identifiable information and financial data) to improve the accuracy and performance of our domain-specific models. You may opt out of this usage by contacting us at [email protected].
  • Third-party AI provider restrictions. All third-party AI providers we use are contractually prohibited from using your data for model training, improvement, or any purpose other than processing your specific request.
  • Prompt and output data. Queries you submit to NAIA and the responses generated are retained solely to provide the Services to you (e.g., conversation history) and are not used for model training. You may request deletion of your AI interaction history at any time.

6. Information Sharing and Disclosure

We do not sell, rent, or share your personal information or financial data with third parties for their independent commercial purposes. We disclose information only in the following limited circumstances:

Recipient | Purpose
Service Providers | Cloud infrastructure, payment processing, analytics, and customer support providers who process data on our behalf under strict contractual obligations prohibiting independent use
AI Providers | Third-party AI model providers who process data solely to generate outputs for you, under contractual restrictions against model training or data retention
Legal Compliance | When required by law, regulation, subpoena, court order, SEC examination, FINRA inquiry, or governmental request
Safety and Security | To protect the rights, property, or safety of Wealthstack, our users, or the public
Business Transfers | In connection with a merger, acquisition, or sale of assets, with notice provided to affected users and subject to the same privacy protections

All third-party service providers are contractually required to maintain the confidentiality and security of your information and are prohibited from using it for any purpose other than providing services to us. We conduct due diligence on all service providers and require them to maintain security standards consistent with industry best practices.

7. Data Security

We implement industry-standard technical and organizational measures to protect your information, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Role-based access controls with the principle of least privilege
  • Tenant-level data isolation to prevent cross-client data access
  • Regular security assessments, penetration testing, and vulnerability scanning
  • Comprehensive audit logging of all access to sensitive data, including AI processing events
  • Incident response procedures with defined notification timelines consistent with SEC, state, and federal breach notification requirements
  • Employee security training and background checks for personnel with data access

While we take extensive measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security but are committed to promptly addressing any security incidents in accordance with applicable law. In the event of a data breach affecting your information, we will notify you within the timeframes required by applicable law and provide information about the nature of the breach and steps taken to mitigate it.

8. Data Retention

We retain your personal information for as long as your account is active or as needed to provide the Services. After account termination, we retain data for a period necessary to comply with legal obligations, resolve disputes, and enforce our agreements. Specifically:

  • Account information is retained for 90 days after termination to allow for data export
  • Financial records are retained for the period required by applicable regulations (typically 5 to 7 years, consistent with SEC Rule 204-2 recordkeeping requirements)
  • AI interaction data (prompts and outputs) is retained for the duration of your account and deleted within 90 days of termination, unless you request earlier deletion
  • Usage logs are retained for up to 24 months for security and analytics purposes
  • Aggregated, de-identified data may be retained indefinitely

9. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access: Request a copy of the personal information we hold about you
  • Correction: Request correction of inaccurate or incomplete information
  • Deletion: Request deletion of your personal information, subject to legal retention requirements
  • Portability: Request your data in a structured, machine-readable format
  • Restriction: Request that we limit the processing of your information in certain circumstances
  • Objection: Object to processing based on legitimate interests
  • AI-Specific Rights: Request deletion of your AI interaction history, opt out of aggregated analytics, and request information about how AI processes your data
  • Withdrawal of Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at [email protected]. We will respond to verified requests within the timeframes required by applicable law (typically 30 to 45 days).

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you
  • Right to Delete: You may request deletion of your personal information, subject to certain exceptions
  • Right to Opt Out: You may opt out of the "sale" or "sharing" of your personal information. We do not sell personal information. We do not share personal information for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Right to Correct: You may request correction of inaccurate personal information
  • Right to Limit Use of Sensitive Personal Information: You may limit the use and disclosure of sensitive personal information to purposes necessary to provide the Services

To submit a request, contact us at [email protected] or call us at the number listed in the Contact section. We may verify your identity before processing your request.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, the following additional provisions apply:

Legal Bases for Processing. We process your personal data based on one or more of the following legal bases: (a) your consent; (b) the performance of a contract with you; (c) our legitimate business interests, such as improving the Services and ensuring security; or (d) compliance with a legal obligation.

Automated Decision-Making. Our AI features process data to generate outputs, but these outputs are designed as decision-support tools for qualified professionals. We do not make automated decisions that produce legal effects or similarly significant effects on individuals without human review.

Data Protection Officer. You may contact our data protection team at [email protected].

Supervisory Authority. You have the right to lodge a complaint with your local data protection supervisory authority if you believe your data has been processed unlawfully.

12. Financial Data Privacy (Regulation S-P and GLBA)

As a platform that processes financial data on behalf of registered investment advisors and broker-dealers, we adhere to the principles of SEC Regulation S-P (17 CFR Part 248) and the Gramm-Leach-Bliley Act (GLBA) where applicable. Specifically:

  • We maintain administrative, technical, and physical safeguards designed to protect nonpublic personal information ("NPI") as defined under Regulation S-P
  • We limit access to NPI to authorized personnel who need it to perform their duties, consistent with the principle of least privilege
  • We do not disclose NPI to nonaffiliated third parties except as permitted by law or as necessary to provide the Services
  • We maintain an incident response plan that includes notification procedures consistent with SEC requirements and the updated Regulation S-P breach notification rules
  • We conduct periodic risk assessments of our information security program and update our safeguards as necessary
  • We maintain written policies and procedures reasonably designed to ensure the security and confidentiality of customer records and information

Your Compliance Obligations. Our clients who are registered investment advisors or broker-dealers remain responsible for their own Regulation S-P and GLBA compliance obligations, including providing initial and annual privacy notices to their clients. We provide tools and documentation to support your compliance efforts, but the responsibility for compliance with applicable privacy regulations remains with you.

13. Third-Party Data Sources

The Services may integrate with or display data from third-party sources, including custodians, CRM platforms, market data providers, and other financial data services. You acknowledge and agree that:

  • Third-party data may contain errors, omissions, or inaccuracies. Wealthstack is not responsible for the accuracy, completeness, or timeliness of any third-party data
  • You are responsible for authorizing and managing third-party integrations and for ensuring that your use of such integrations complies with the third party's terms of service
  • We implement reasonable security measures when connecting to third-party systems, but cannot guarantee the security practices of third-party providers

14. Cookies and Tracking Technologies

We use cookies and similar technologies to operate the Services, remember your preferences, and analyze usage patterns. The types of cookies we use include:

Type | Purpose
Essential | Required for authentication, security, and core functionality
Analytics | Help us understand how the Services are used and identify areas for improvement
Preferences | Remember your settings, such as theme preference and language

We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect the functionality of the Services.

15. Children's Privacy

The Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child, we will take steps to delete it promptly. If you believe a child has provided us with personal information, please contact us at [email protected].

16. International Data Transfers

Your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. When we transfer data outside your jurisdiction, we implement appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data receives an adequate level of protection.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will post the updated policy on our website and update the "Effective" date. For material changes, we will provide notice through the Services or via email at least 30 days before the changes take effect.

18. Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

NSTACK AI Inc.

Privacy inquiries: [email protected]

Data protection: [email protected]

Website: wealthstack.ai

This Privacy Policy was last updated on April 20, 2026. Prior versions are available upon request. This document does not constitute legal advice. We recommend that you consult with qualified legal counsel regarding your specific privacy obligations and circumstances.