Privacy

Short version: we collect email + chat id (if you provide) + basic session metadata (IP, user agent) + your own trading entries (if you use the journal). We don't sell it. We don't embed third-party analytics on authenticated pages.

What we store

Account: email, full name, role, preferred locale, timezone, optional Telegram chat id, optional avatar URL.
Authentication: SHA-256 hash of your session token (never plaintext), IP, user agent, last-activity timestamp. Sessions expire in 24 hours.
2FA: TOTP secret, encrypted at rest with Fernet; 10 backup-code SHA-256 hashes.
Trading data: the positions, signals, metrics and journal entries you create.
Audit: every admin mutation with before/after snapshots, redacting secrets.

What we don't do

No tracking pixels on authenticated pages. No reselling email addresses. No auto-debit before manual billing migrates to Stripe.

Deletion

Ask us at the support email and we'll hard-delete your account and all associated rows within 7 days.

Last updated: 2026-04-19. We'll revisit before Q1 2027 launch.