Privacy Policy

Last updated: 24 March 2026

1. Who We Are

FundVault is operated from Sweden. As a Swedish company serving EU users, we comply with the General Data Protection Regulation (GDPR) and applicable Swedish data protection law.

Data controller: FundVault, Sweden
Contact: [email protected]

2. What Data We Collect

Account data

• Email address and display name
• Password (stored as a secure hash — we never see your plain-text password)
• Subscription plan and status

Trade and journal data

• Trade records: symbol, date, P&L, entry/exit times, side, contracts
• Journal entries, session notes, and trade reviews
• Screenshots attached to trade reviews
• Tags, ratings, and custom rules

Technical data

• IP address (collected automatically by our hosting infrastructure)
• Browser type and version
• Basic usage data and feature interactions

Integration data (only if you connect these services)

• Discord webhook URL — if you enable Discord integration
• Broker account identifiers — if you connect Tradovate or NinjaTrader

3. Legal Basis for Processing

• Contract performance — processing necessary to provide the Service
• Legitimate interests — improving the Service, security monitoring, fraud prevention
• Legal obligation — compliance with applicable laws
• Consent — for optional integrations such as Discord

4. How We Use Your Data

• Provide, maintain, and improve the Service
• Authenticate your identity and secure your account
• Process subscription payments via Stripe (we never store card data)
• Send transactional emails (confirmations, security alerts)
• Respond to support requests
• Monitor for and prevent fraudulent or abusive activity
• Comply with legal obligations

We do not sell your data. We do not use your trade data for advertising.

5. Data Sharing

We share your data only with:

• Supabase — database and authentication (EU-based data processor)
• Railway — backend hosting (data processor)
• Vercel — frontend hosting (data processor)
• Stripe — payment processing (independent controller for payment data)
• Discord — only if you enable the Discord integration
• Tradovate / NinjaTrader — only if you connect broker sync; read-only access

6. Data Retention

We retain your personal data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where legally required to retain it. Trade data and journal entries are retained until you delete them or close your account.

7. Security

• All data encrypted in transit via HTTPS/TLS
• Passwords stored using industry-standard cryptographic hashing
• Row-level database security — users can only access their own data
• Access controls on all production systems

No system is completely secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from circumstances beyond our reasonable control.

8. Your Rights Under GDPR

To exercise any right, contact us at [email protected]. We will respond within 30 days. You may also lodge a complaint with the Swedish Authority for Privacy Protection at imy.se.

9. Cookies

We use only essential cookies required for authentication and security. We do not use advertising, tracking, or analytics cookies.

10. Children

The Service is not intended for anyone under 18. We do not knowingly collect data from children. Contact us at [email protected] if you believe we have collected data from a child.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or through the Service. Continued use after such changes constitutes acceptance of the updated policy.