This Privacy Policy explains how MRT Trading Journal collects, uses, stores, and protects your personal data. We comply with the EU General Data Protection Regulation (GDPR) and applicable data protection laws.
§ 1 — Data Controller
The data controller is the operator of MRT Trading Journal:
- Email: mrtbusinesscorp@gmail.com
- Phone: +48 533 800 759
- Website: mrtjournal.com
§ 2 — Data We Collect
2.1 Account Data
- Name (display name provided at registration)
- Email address
- Encrypted password (stored as a secure hash — we never see your actual password)
- Account creation date and last login
2.2 Trading Data (User Content)
- Trade logs: dates, instruments, direction, P&L, grades, session, model, notes
- Confluence selections, strategy definitions, pre/post-trade reflections
- Chart screenshots you choose to upload
- Onboarding preferences: experience level, trading style, sessions, goals
- Custom confluence lists, pre-trade checklists, and app preferences
2.3 Usage Data
- Pages visited and features used (anonymised)
- Session timestamps and approximate duration
- Error logs and performance data for service improvement
2.4 Payment Data
- Billing name and last 4 digits of payment card
- Payment history and subscription status
Full card data is processed exclusively by Stripe and is never stored by us.
2.5 AI Coach Interactions
Messages sent to the AI Coach are transmitted to Anthropic's API along with contextual trade data to generate responses. Anthropic processes this data subject to their privacy policy. We do not store AI conversation history beyond your active session.
§ 3 — How We Use Your Data
- To provide, maintain, and improve the Service.
- To authenticate you and keep your Account secure.
- To process payments and manage subscriptions.
- To send transactional emails (confirmation, password reset, billing).
- To send product updates you have opted in to receive.
- To analyse anonymised usage patterns to improve the Service.
- To comply with applicable legal obligations.
§ 4 — Legal Basis for Processing (GDPR)
- Contract performance — to provide the Service you signed up for (Art. 6(1)(b)).
- Legitimate interests — anonymised analytics, fraud prevention, security (Art. 6(1)(f)).
- Consent — marketing emails, withdrawable at any time (Art. 6(1)(a)).
- Legal obligation — where required by applicable law (Art. 6(1)(c)).
§ 5 — Sub-Processors and Data Sharing
We do not sell, rent, or trade your personal data. We share data only with trusted service providers strictly to operate the Service:
| Sub-Processor | Purpose | Location / Basis |
|---|---|---|
| Supabase | Database & authentication | EU/US — SCCs |
| Stripe | Payment processing | US — EU adequacy |
| Anthropic | AI Coach API | US — EU adequacy |
| Vercel | Hosting & CDN | Global — SCCs |
We also disclose data to law enforcement or regulatory authorities when required by applicable law.
§ 6 — Data Retention
- We retain your Account data and User Content for as long as your Account remains active.
- If you close your Account, all personal data is permanently deleted within 30 days.
- Anonymised analytical data (no personal identifiers) may be retained indefinitely.
- Backup copies may be retained up to 90 days for disaster recovery, then permanently destroyed.
§ 7 — Your Rights (GDPR)
- Right of access — request a copy of all personal data we hold about you.
- Right to rectification — correct inaccurate data via your Account settings.
- Right to erasure — delete your Account and all data via Settings → Account → Delete Account.
- Right to data portability — download your trade data via Settings → Export.
- Right to object — opt out of marketing communications at any time.
- Right to restrict processing — in certain circumstances, request limitation of processing.
- Right to lodge a complaint — file a complaint with your national data protection authority. France: CNIL (www.cnil.fr).
To exercise any right, contact: mrtbusinesscorp@gmail.com. We will respond within 30 days.
§ 8 — Cookies and Local Storage
- Session cookies — to keep you authenticated (essential, cannot be disabled).
- Local storage — to save app preferences, confluence settings, and checklists on your device.
We do not use advertising cookies, third-party tracking cookies, or personal analytics cookies.
§ 9 — Security
- TLS encryption for all data in transit.
- At-rest encryption of database contents.
- Passwords stored as bcrypt hashes — we cannot retrieve your plaintext password.
- Screenshots stored in encrypted object storage with access controls.
- Row-level security: users can only access their own data.
- Regular security reviews of our infrastructure.
§ 10 — Children
The Service is not intended for individuals under 18. We do not knowingly collect data from minors. Contact mrtbusinesscorp@gmail.com immediately if you believe a minor has registered.
§ 11 — Changes to This Policy
We may update this policy. We will notify you by email and in-app at least 30 days before material changes take effect. Continued use constitutes acceptance.
§ 12 — Contact
Get in touch
We respond to all privacy requests within 30 days.
This Privacy Policy was last updated March 2026. Version 1.0.