Privacy Policy

1. Who We Are

SpotTradeJournal ("we", "us", "our") operates the trading journal platform at spottradejournal.com. We provide tools for traders to log, analyse, and improve their trading performance.

This Privacy Policy explains how we collect, use, and protect information when you use our website and services.

2. Data We Collect

Account information: When you register, we collect your first name, last name, and email address. Your password is stored as a one-way bcrypt hash — we cannot read it.

Trade data: All trade entries you log manually or import from brokers (IBKR, Binance, Coinbase, etc.) are stored in our database. This includes entry/exit prices, position sizes, P&L, dates, and any notes or screenshots you attach.

Usage data: We may log basic server access logs (IP address, browser type, pages visited) for security and debugging purposes. We do not use third-party analytics trackers.

Payment data: We do not store payment card details. Payments are processed by third-party payment providers who handle billing data under their own privacy policies.

Communications: If you contact us by email, we retain that correspondence to respond to you.

3. How We Use Your Data

We use your data exclusively to:

• Provide and operate the SpotTradeJournal service
• Authenticate your account and maintain your session
• Send transactional emails — account verification, password resets, billing notices
• Calculate and display your trading analytics and performance metrics
• Respond to support requests
• Detect and prevent fraud, abuse, or security incidents

We do not use your trade data for any purpose other than displaying it back to you. We do not analyse your trades for our own commercial benefit, share them with third parties, or use them to train AI models.

4. Data Storage & Security

Your data is stored on servers hosted in a secured environment. We implement the following security measures:

• Passwords: Hashed with bcrypt (cost factor 12) — never stored in plain text
• Sessions: PHP sessions with HttpOnly, SameSite=Lax cookies
• Transport: HTTPS enforced on all pages
• Database: Parameterised queries throughout — protected against SQL injection
• Tokens: Password reset and email verification tokens are SHA-256 hashed before storage and expire within 1 hour (reset) or 24 hours (verification)

Despite our efforts, no method of internet transmission is 100% secure. We encourage you to use a strong, unique password for your account.

5. Data Sharing

We do not sell, rent, or trade your personal data to any third party.

We may share data only in these limited circumstances:

• Service providers: Hosting and infrastructure providers who process data on our behalf under confidentiality agreements
• Payment processors: For billing purposes only — they receive no trade data
• Legal obligations: If required by law, court order, or to protect the rights and safety of our users

6. Cookies

We use one session cookie (PHPSESSID) to keep you logged in. This cookie is:

• Set only after you log in
• HttpOnly — inaccessible to JavaScript
• SameSite=Lax — protected against cross-site request forgery
• Deleted when you log out or close your browser

We do not use advertising cookies, tracking pixels, or third-party analytics cookies.

7. Your Rights

You have the right to:

• Access: Request a copy of all personal data we hold about you
• Correction: Update your name and email in Settings at any time
• Deletion: Delete your account and all associated data — contact us and we will process this within 30 days
• Portability: Export all your trade data at any time using the Export feature in Trade History
• Objection: Object to any processing of your data that is not strictly necessary for the service

To exercise any of these rights, email us at privacy@spottradejournal.com.

8. Data Retention

We retain your account and trade data for as long as your account is active. If you delete your account, we will permanently delete all associated data within 30 days, except where we are required to retain it by law (e.g. financial records for tax purposes).

Server access logs are retained for a maximum of 90 days.

9. Children's Privacy

SpotTradeJournal is not directed at children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before any material changes take effect. Continued use of the service after that date constitutes acceptance of the updated policy.

The "Last updated" date at the top of this page always reflects the most recent revision.

11. Contact Us

For privacy-related questions, data requests, or to report a security issue:

• Email: privacy@spottradejournal.com
• Website: spottradejournal.com

We aim to respond to all privacy requests within 5 business days.