Last updated: March 14, 2026
1. Controller Identity
The controller responsible for data processing on this platform within the meaning of the General Data Protection Regulation (GDPR) is:
- Name: Benjamin Schwab
- Address: Business address; see Impressum for the current address
- Email: support@traversejournal.com
- Phone: See Impressum
2. Data Protection Contact
We are not required to appoint a Data Protection Officer (DPO) under Art. 37 GDPR, as we employ fewer than 20 persons constantly engaged in automated data processing (cf. § 38 BDSG). For all data-protection inquiries, please contact us at support@traversejournal.com.
3. Purposes and Legal Bases of Processing
We process your personal data for the following purposes, each matched to its legal basis under Art. 6(1) GDPR:
| Processing Activity | Legal Basis |
|---|---|
| Account creation (email, authentication) | Art. 6(1)(b) — contract performance |
| Trade data storage and analytics | Art. 6(1)(b) — contract performance |
| Journal notes and behavioral logs (emotions, confidence, daily check-ins) | Art. 6(1)(b) — contract performance |
| Exchange API key storage (encrypted at rest with AES-256-CBC) | Art. 6(1)(b) — contract performance |
| AI Coach (data sent to Anthropic / OpenAI / Google for analysis) | Art. 6(1)(a) — explicit consent |
| Leaderboard / public profile | Art. 6(1)(a) — consent (opt-in) |
| Shared trades | Art. 6(1)(a) — consent |
| Server logs (timestamps, request paths) | Art. 6(1)(f) — legitimate interest (security and debugging) |
| Transactional emails (account verification, password reset) | Art. 6(1)(b) — contract performance |
| Gamification data (XP, achievements, cosmetics, coins) | Art. 6(1)(b) — contract performance |
Where processing is based on consent (Art. 6(1)(a)), you may withdraw your consent at any time with effect for the future. See Section 8 below for details.
4. What We Collect
- Account information: Email address and authentication credentials (managed by Supabase Auth). If you sign in with Google OAuth, we receive your email address and profile name.
- Trade data: Trade entries you log manually, import from CSV files, or sync from connected exchanges, including prices, quantities, timestamps, notes, tags, emotions, and process scores.
- Journal entries: Notes, tags, trade links, and annotations you create within the journaling feature.
- Behavioral data: Emotions, confidence ratings, daily check-ins, and daily plans you submit to track your trading psychology.
- Exchange API credentials: If you connect a cryptocurrency exchange, we store your API key and secret. These are encrypted at rest using AES-256-CBC with per-field random initialization vectors (IVs). We only request read-only access and never execute trades on your behalf.
- Gamification data: Levels, XP, achievements, cosmetics, badges, coins, and related progress data generated through your use of the platform.
- Server logs: Timestamps and request paths for debugging and security purposes. We do not use third-party analytics trackers.
5. Recipients and Sub-Processors
We share your data with the following third-party service providers only to the extent necessary to operate the platform:
- Supabase — Database hosting and user authentication (hosted on AWS infrastructure).
- Vercel — Application hosting and deployment.
- Anthropic, OpenAI, Google (Gemini) — AI Coach features. Your trade data is sent per request for analysis. Data is not retained by these providers beyond the individual API request.
- Upstash — Rate limiting infrastructure for API endpoint protection.
- Resend — Transactional email delivery (account verification, password reset).
- CoinGecko / CryptoCompare — Market data APIs for price information. No user data is sent to these services.
6. International Data Transfers
Your data is transferred to and processed in the United States, where our sub-processors operate. We ensure adequate safeguards for these transfers in accordance with Chapter V GDPR:
- EU–US Data Privacy Framework (DPF): For sub-processors certified under the DPF (including Vercel, OpenAI, Google, and AWS/Supabase), we rely on the adequacy decision of the European Commission.
- Standard Contractual Clauses (SCCs): For providers not certified under the DPF, we rely on EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914.
Details regarding specific transfer safeguards are available upon request at support@traversejournal.com.
7. Data Retention
- Account and trade data: Retained for as long as your account is active.
- Server logs: Retained for 90 days, then automatically purged.
- After account deletion: All data is purged within 30 days of your deletion request. Database backups containing residual data are purged within 90 days.
- AI conversation data: Not retained by AI providers beyond the individual API request.
8. Your Rights Under GDPR
You have the following rights regarding your personal data. To exercise any of these rights, contact us at support@traversejournal.com or use the in-app controls described below.
- Right of access (Art. 15): You can export all your data via the Export feature in Settings. You may also request a complete copy of your personal data from us.
- Right to rectification (Art. 16): You can edit your trades and journal entries directly within the application at any time.
- Right to erasure (Art. 17): You can delete your account and all associated data from Settings > Legal & Privacy.
- Right to restriction of processing (Art. 18): You may request that we restrict the processing of your data in certain circumstances (e.g., while we verify accuracy of contested data).
- Right to data portability (Art. 20): Your trade data can be exported as CSV and JSON at any time via Settings.
- Right to object (Art. 21): You have the right to object to processing based on legitimate interest (Art. 6(1)(f)), in particular server log processing.
- Right to withdraw consent (Art. 7(3)): Where processing is based on your consent (AI Coach, leaderboard, shared trades), you may withdraw consent at any time in Settings. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.
- Right to lodge a complaint: You have the right to lodge a complaint with a supervisory authority. In Germany, this is the Landesbeauftragte(r) für Datenschutz und Informationsfreiheit of your Bundesland. You may also contact the supervisory authority in the EU/EEA member state of your habitual residence, place of work, or place of the alleged infringement.
9. Automated Decision-Making
The AI Coach feature analyzes your trading data to provide behavioral coaching insights and pattern recognition. This processing does not constitute automated decision-making with legal or similarly significant effects within the meaning of Art. 22 GDPR. All AI outputs are informational suggestions only — no decisions regarding your account, access, or any legal matter are made automatically.
10. Cookies and Local Storage
- Strictly necessary: Authentication cookies (Supabase session tokens) and security cookies required for the platform to function. These are set without consent as permitted under § 25(2) TDDDG (formerly TTDSG).
- Functional: Theme preferences, UI state, and onboarding progress stored in localStorage. These are only set with your consent.
- No tracking or advertising: We do not use third-party tracking cookies, advertising cookies, or any form of cross-site tracking.
Details are provided in the cookie consent banner displayed on your first visit.
11. Data Security
We implement appropriate technical and organisational measures pursuant to Art. 32 GDPR to ensure a level of security appropriate to the risk:
- Encryption in transit: All data is transmitted over HTTPS with TLS 1.3.
- Encryption at rest: Exchange API credentials are encrypted using AES-256-CBC with per-field random initialization vectors. The encryption key is stored server-side only and never exposed to the client.
- Row Level Security (RLS): Enforced at the database level, ensuring each user can only access their own data.
- Authentication: All API routes require authentication. Admin operations require additional owner verification.
- Rate limiting: Sensitive API endpoints are rate-limited to prevent abuse.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated via email or in-app notification. Continued use of the platform after notification constitutes acceptance of the updated policy. We encourage you to review this page periodically.