Scope and who we are
This Privacy Policy explains how Pro Trading Journal (“we,” “us,” “our”) collects, uses, and protects your information when you use the Pro Trading Journal web application, located at www.protradingjournal.com (the “Service”).
Pro Trading Journal is a self-hosted SaaS built for active crypto, forex, and stock traders. This policy applies to everyone who signs up, visits the landing page, or interacts with any part of the product.
The short version
We store the data you give us so the journal can do its job. We never sell your data. We never share your trades with anyone. Your exchange API keys are encrypted before they hit the database.
Data we collect
Account information (provided by you via Clerk)
- Email address
- Name (if provided via Google sign-in)
- Profile photo (if provided via Google sign-in)
- Unique user identifier issued by Clerk
We use Clerk as our authentication provider. Clerk processes your sign-in credentials and session tokens. See Clerk's Privacy Policy.
Trading data (provided by you)
- Trade entries: symbol, side, size, entry price, exit price, date, P&L, R-multiple, notes
- Portfolio snapshots: holdings, cost basis, allocation over time
- Psychology journal entries: pre-trade plans, post-trade reviews, emotion tags, rule compliance
- Trading rules, goals, and compounding targets
- Badge and achievement progress
Exchange API credentials (optional, provided by you)
If you choose to connect an exchange (e.g. Binance, Bitget), you provide read-only API key and secret pairs. These are encrypted with AES-256-GCM before being written to our database. They are decrypted in-memory only when fetching trades on your behalf, and never returned to the client after the initial save.
Important
Only provide read-only API keys. Never enable withdrawal or trading permissions. We will never ask for keys with those scopes. If you believe a key has been exposed, revoke it in your exchange dashboard immediately.
Billing information (processed by Stripe)
- Stripe customer ID
- Subscription status, plan, and renewal dates
- Payment method fingerprint (for fraud prevention on free trials)
We do not store your card number, CVV, or bank details. All payment processing is handled by Stripe. See Stripe's Privacy Policy.
Usage and diagnostic data (collected automatically)
- Pages visited, features used, and timing (via PostHog)
- Error reports and stack traces (via Sentry)
- Approximate geographic location (derived from IP, not stored as IP)
- Browser type, device type, screen size
- Vercel Analytics: Core Web Vitals and anonymized pageview data
Market data (fetched from third parties on your behalf)
When you view live prices, we request data from CoinGecko. These requests are anonymized — CoinGecko does not know which user triggered them.
How we use your data
We use your data only for these purposes:
- To run the Service: display your trades, calculate metrics, sync with exchanges, and show live prices
- To authenticate you: verify your identity and keep your session secure
- To bill you: process subscription payments and manage trials
- To improve the product: understand which features are used so we can prioritize what to build next
- To debug errors: trace failures and fix them
- To communicate: send service emails (receipts, password resets, security alerts) — never marketing without consent
- To comply with the law: respond to lawful requests from authorities
We do not:
- Sell, rent, or trade your personal data to third parties
- Use your trading data to train any model
- Share your positions with any exchange, broker, or market participant
- Display ads inside the application
Legal basis for processing
If you are in the European Economic Area (EEA) or the United Kingdom, we rely on the following legal bases under the GDPR:
- Contract: to provide the Service you signed up for
- Legitimate interests: to secure the Service, prevent fraud, improve the product, and analyze usage
- Consent: where you explicitly opt in (e.g. for optional marketing emails)
- Legal obligation: where we must process data to comply with applicable law
Who we share data with
We share your data only with the specific sub-processors needed to run the Service. Each one is bound by a data-protection agreement and processes your data only on our instructions.
| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | Authentication and session management | United States |
| Stripe | Subscription billing and payment processing | United States |
| Neon (PostgreSQL) | Primary application database | EU / US (Vercel region) |
| Vercel | Hosting, edge network, analytics | Global (primary: Frankfurt) |
| Sentry | Error tracking and diagnostics | United States / EU |
| PostHog | Product analytics | United States |
| CoinGecko | Live market price data | Global CDN |
| Upstash (Redis) | Rate limiting and short-term cache | Global |
| | OAuth sign-in (if you choose it) | Global |
We may also disclose data when required by law, when enforcing our Terms, or when necessary to protect the rights, property, or safety of Pro Trading Journal, our users, or others.
How long we keep data
- Account data: for as long as your account is active, plus 30 days after deletion request
- Trading and journal data: retained until you delete individual entries or the entire account
- Exchange API keys: retained until you remove the exchange connection; you can revoke at any time
- Billing records: retained for 7 years to meet tax and accounting obligations
- Error logs: 90 days in Sentry, then automatically purged
- Analytics events: aggregated after 12 months; individual events are retained for 13 months in PostHog
How we protect data
- All traffic encrypted in transit via TLS 1.2 or higher
- Database encrypted at rest by our hosting provider
- Exchange API keys encrypted at the field level with AES-256-GCM before being written
- Authentication handled by Clerk with secure session tokens and CSRF protection
- Stripe webhook payloads verified cryptographically
- Rate limiting on sensitive endpoints to mitigate brute-force and scraping
- Principle of least privilege for all internal access to production systems
No system is perfectly secure. If we detect a breach that affects your personal data, we will notify you without undue delay and in any case within 72 hours where required by law.
Your rights
Depending on where you live, you may have the following rights:
- Access: request a copy of the personal data we hold about you
- Rectification: correct inaccurate or incomplete data
- Erasure: request deletion of your account and associated data
- Portability: export your trades and journal entries in a structured format (CSV / JSON)
- Restriction: ask us to limit how we process your data
- Objection: object to processing based on legitimate interests
- Withdraw consent: where processing is based on consent
- Complain: lodge a complaint with your local data protection authority
If you are a California resident, you also have rights under the CCPA: the right to know what we collect, the right to delete, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising these rights.
To exercise any right, email probittrader@hotmail.com from the address linked to your account. We respond within 30 days.
International transfers
Your data may be processed in countries other than the one you live in — most notably the United States, where several of our sub-processors are based. Where required, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission to ensure an equivalent level of protection.
Cookies and tracking
We use a minimal set of cookies and similar technologies:
- Strictly necessary: session cookies set by Clerk to keep you signed in
- Analytics: PostHog uses first-party cookies to measure feature usage (no cross-site tracking)
- Performance: Vercel Speed Insights uses a lightweight identifier for Core Web Vitals
We do not use third-party advertising cookies or any cross-site tracking pixels. Your browser's Do Not Track (DNT) setting is respected where applicable.
Children
Pro Trading Journal is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with data, contact probittrader@hotmail.com and we will delete it immediately.
Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and update the “Last updated” date at the top of this page. Continued use of the Service after changes take effect means you accept the revised policy.
Contact us
For any question, request, or complaint about this Privacy Policy, or to exercise any of your rights, contact us at:
Pro Trading Journal
Email: probittrader@hotmail.com
Jurisdiction: Pakistan