LEGAL
Privacy Policy
Last updated: 24 March 2026
Summary: We collect only what we need to run the Service. We never sell your data. You own your trade data. We comply with GDPR. Contact us at [email protected] for any data requests.
1. Who We Are
FundVault is operated from Sweden. As a Swedish company serving EU users, we comply with the General Data Protection Regulation (GDPR) and applicable Swedish data protection law.
Data controller: FundVault, Sweden
Contact: [email protected]
2. What Data We Collect
Account data
- Email address and display name
- Password (stored as a secure hash — we never see your plain-text password)
- Subscription plan and status
Trade and journal data
- Trade records: symbol, date, P&L, entry/exit times, side, contracts
- Journal entries, session notes, and trade reviews
- Screenshots attached to trade reviews
- Tags, ratings, and custom rules
Technical data
- IP address (collected automatically by our hosting infrastructure)
- Browser type and version
- Basic usage data and feature interactions
Integration data (only if you connect these services)
- Discord webhook URL — if you enable Discord integration
- Broker account identifiers — if you connect Tradovate or NinjaTrader
3. Legal Basis for Processing
- Contract performance — processing necessary to provide the Service
- Legitimate interests — improving the Service, security monitoring, fraud prevention
- Legal obligation — compliance with applicable laws
- Consent — for optional integrations such as Discord
4. How We Use Your Data
- Provide, maintain, and improve the Service
- Authenticate your identity and secure your account
- Process subscription payments via Stripe (we never store card data)
- Send transactional emails (confirmations, security alerts)
- Respond to support requests
- Monitor for and prevent fraudulent or abusive activity
- Comply with legal obligations
We do not sell your data. We do not use your trade data for advertising.
5. Data Sharing
We share your data only with:
- Supabase — database and authentication (EU-based data processor)
- Railway — backend hosting (data processor)
- Vercel — frontend hosting (data processor)
- Stripe — payment processing (independent controller for payment data)
- Discord — only if you enable the Discord integration
- Tradovate / NinjaTrader — only if you connect broker sync; read-only access
6. Data Retention
We retain your personal data for as long as your account is active. If you delete your account, we delete your personal data within 30 days, except where legally required to retain it. Trade data and journal entries are retained until you delete them or close your account.
7. Security
- All data encrypted in transit via HTTPS/TLS
- Passwords stored using industry-standard cryptographic hashing
- Row-level database security — users can only access their own data
- Access controls on all production systems
No system is completely secure. We cannot guarantee absolute security and are not liable for unauthorised access resulting from circumstances beyond our reasonable control.
8. Your Rights Under GDPR
- Access: Request a copy of the data we hold about you
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your personal data
- Restriction: Request that we restrict processing
- Portability: Receive your data in a machine-readable format
- Object: Object to processing based on legitimate interests
To exercise any right, contact us at [email protected]. We will respond within 30 days. You may also lodge a complaint with the Swedish Authority for Privacy Protection at imy.se.
9. Cookies
We use only essential cookies required for authentication and security. We do not use advertising, tracking, or analytics cookies.
10. Children
The Service is not intended for anyone under 18. We do not knowingly collect data from children. Contact us at [email protected] if you believe we have collected data from a child.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by email