Privacy Policy
Last updated: April 8, 2026
1. Data We Collect
We collect the following categories of data:
- Account data: Name, email address, and profile image from Google OAuth authentication
- Trading data: Trades imported from broker APIs or CSV uploads, including symbols, prices, dates, and P&L
- Broker credentials: API keys and secrets required for broker connections (encrypted at rest)
- Journal entries: Notes, emotions, setups, and tags you create
- Usage data: Pages visited, features used, and error logs for platform improvement
- Lead data: Name, email, and optional information submitted through our pre-launch form
2. How We Store Data
All data is stored in PostgreSQL databases hosted by Supabase with Row-Level Security (RLS) policies. Broker API credentials are encrypted with AES-256-CBC before storage. Database connections are encrypted in transit with TLS. We follow industry-standard security practices for data protection.
3. How We Use Data
Your data is used to:
- Provide trading analytics, metrics, and Edge Score calculations
- Import and synchronize trades from connected brokers
- Display your performance on the public leaderboard (only if you opt in)
- Send account-related communications
- Improve platform features and fix issues
4. Third-Party Services
We use the following third-party services:
- Supabase: Database hosting and authentication infrastructure
- Stripe: Payment processing for premium subscriptions
- Google: OAuth authentication provider
- Upstash: Rate limiting infrastructure (Redis)
- Polygon.io: Market data for the scanner feature
- Sentry: Error monitoring and performance tracking
- Resend: Transactional email delivery
Each third-party service has its own privacy policy. We only share the minimum data necessary for each service to function.
5. Data Sharing
We do not sell your personal data or individual trading data to third parties. We do not share your data with advertisers. Aggregated, anonymized statistics may be used internally to improve the platform. If you opt into the public leaderboard, your selected performance metrics and handle are publicly visible.
6. Data Retention
Your data is retained for as long as your account is active. If you request account deletion, we will remove your data within 30 days. Some data may be retained longer if required by law or for legitimate business purposes (e.g., audit logs, financial records). Encrypted broker credentials are deleted immediately upon broker disconnection.
7. Your Rights
You have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request deletion of your account and data
- Export your trading data
- Opt out of the public leaderboard at any time
- Withdraw consent for data processing
8. Security
We implement multiple layers of security: encrypted credentials at rest, TLS in transit, Row-Level Security on all database tables, 4-tier rate limiting, input validation on all endpoints, Content Security Policy headers, and regular security reviews. While we take security seriously, no system is completely immune to threats.
9. Cookies
We use essential cookies for authentication (session management via NextAuth). We do not use tracking cookies or third-party advertising cookies. No cookie consent banner is required as we only use strictly necessary cookies.
10. Changes to This Policy
We may update this privacy policy periodically. We will notify users of material changes via email. Continued use of the platform constitutes acceptance of the updated policy.
11. Contact
For privacy-related inquiries, contact us at privacy@grafion.app.