Privacy
What we collect, and what we don't.
Plain-language summary first, full notice below. If something here is unclear, email us and we'll fix the wording.
Last updated: 11 May 2026
Effective: 11 May 2026
Data hosted: EU
The short version
We read your trading platform via a read-only token you generate. We store your trade history, your check-in answers, and the patterns we derive from them. We don't store your platform password. We don't sell your data. We don't share it with prop firms. You can export it as JSON or delete your account from settings at any time.
1. Who we are
PsyRule (the "service") is operated by the founder of PsyRule as a sole-trader-stage product. A registered company name will appear here when incorporation completes; we'll update this notice and email customers when that happens. For now, the contact for any privacy matter is psyrule.app@gmail.com.
For GDPR purposes, we are the data controller for personal data you give us directly and the data we derive from your trade activity.
2. What we collect
Account data
- Email address
- Hashed password (we never see the plain text)
- Display name (optional)
- Subscription status and billing identifier from Stripe (we don't store your card)
Trading data (read-only sync)
- Trade records: timestamp, instrument, direction, size, entry, exit, P&L
- Account metadata: account ID, broker name, balance, equity
- The read-only API token you generate inside your platform (encrypted at rest; revocable by you at any time)
We do not collect: your platform login password, your card number, your government ID, your full bank statement, or anything outside the trading platform you connect.
Behavioral check-in data
- Mood, confidence, fatigue, and risk-temptation answers (1–5 scales)
- Free-text notes you choose to write
- Sleep hours and pre-session plan, if you log them
Derived data
- The patterns we name (e.g. "your revenge loop"), the triggers we detect, and the modeled cost of each pattern for you
- Your rules, overrides, and intervention responses
- Aggregated session statistics
Technical data
- IP address (truncated for analytics; full only for security/abuse logs, kept ≤ 30 days)
- Device type, browser, language
- Pages visited and timestamps
3. Why we collect it
Three reasons, in order of importance:
- To run the product. We can't name your patterns without your trade history, and we can't surface them in the moment without storing them between sessions.
- To support you. When you email us about a misfire or a billing question, we look at your account.
- To improve the product. We look at aggregated stats — false-positive rates, intervention adoption — to decide what to build next.
4. Legal basis (GDPR)
If you're in the EU/UK, here's the lawful basis for each kind of processing:
- Performance of contract — the trading data, check-ins, derived patterns, and account data, because we can't deliver the service without them.
- Legitimate interest — security logs, fraud prevention, and aggregated product analytics. We've considered the impact on you and use the minimum data necessary.
- Consent — optional marketing emails (you opt in; you can opt out from any email).
- Legal obligation — VAT records, where applicable.
5. Who we share it with
We use a small, named set of sub-processors. Each has a Data Processing Agreement and processes only the data needed for its task:
- Stripe — payments. They see your email and billing details. They don't see your trades.
- Vercel — application hosting (EU region).
- Supabase / Postgres — primary database (EU region).
- Resend — transactional email (receipts, password resets, weekly reports).
- Sentry — error logging. PII is stripped before sending.
We do not share your data with prop firms, brokers, marketers, data brokers, or AI training datasets. We will share data only when legally compelled, and we will tell you unless legally prohibited from doing so.
6. Where it's stored
Primary database, application servers, and backups are located in the EU. Some sub-processors (e.g. Stripe, Sentry) may transfer limited data to the US under Standard Contractual Clauses and the EU-US Data Privacy Framework. We've chosen EU-region offerings wherever they exist.
7. How long we keep it
- Account data: while your account is active, plus 30 days after deletion (in case you change your mind).
- Trade and check-in data: same as account data. Deleted with your account.
- Aggregated analytics: indefinitely, in non-identifiable form.
- Billing records: 7 years (legal obligation in most jurisdictions).
- Security logs: 30 days, then deleted.
8. Your rights
If GDPR or UK GDPR applies to you, you have the right to:
- Access the data we hold about you
- Receive it in a portable format (we provide JSON export from settings)
- Correct inaccurate data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Withdraw consent for anything you previously consented to
- Lodge a complaint with your supervisory authority (e.g. the ICO in the UK, or your local DPA in the EU) — though we'd appreciate the chance to put it right first
You can exercise most of these from Settings → Data. For anything else, email psyrule.app@gmail.com and we'll respond within 30 days.
9. Security
We do the basics, properly:
- TLS in transit, encryption at rest
- Read-only API tokens for trading-platform sync (you generate, you can revoke)
- Password hashing with bcrypt
- Two-factor authentication (optional, recommended)
- Daily encrypted backups, EU-region
- Principle of least privilege for internal access; access logged
If we ever suffer a breach affecting your data, we'll notify you within 72 hours of becoming aware, as GDPR requires.
10. Cookies & analytics
We use a single first-party session cookie to keep you logged in. We use privacy-friendly product analytics (Plausible, EU-hosted) that does not set cookies and does not track you across sites. We do not use Google Analytics, Facebook Pixel, or any advertising trackers.
11. Children
PsyRule is for adults trading with prop firms. We don't knowingly collect data from anyone under 18. If you believe a minor has registered, email us and we'll delete the account.
12. Changes to this notice
We'll update the date at the top whenever this notice changes. For material changes — anything that meaningfully affects what we do with your data — we'll email you at least 14 days before the change takes effect.
Privacy questions, requests, complaints, or things we got wrong:
Email: psyrule.app@gmail.com
Postal address: available on request (we'll add it here once incorporated).