Privacy Policy

Last updated: May 2026. Version 1.0.

1. Controller

The operator named in the Legal Notice is responsible for processing personal data.

2. What Data We Process

  • Account data: e-mail, name (optional), hashed password.
  • Trading data: trades, executions, notes, ratings, screenshots — entered by you or imported.
  • Journal data: strategy assignments, emotion fields, voice notes (if Voice is enabled).
  • Broker credentials: only if the Tradovate integration is active; the password is symmetrically encrypted (AES-256-GCM) with a server-side key and never stored in plaintext.
  • Technical data: httpOnly session cookie, request logs (IP, timestamp) for max. 30 days.

3. Purposes and Legal Bases

  • Providing the service (Art. 6 (1) (b) GDPR — contract performance).
  • Operational security / debugging (Art. 6 (1) (f) GDPR — legitimate interest).
  • AI-powered analysis of your own data (Art. 6 (1) (a) GDPR — consent; you can revoke it at any time in the settings).

4. AI Processing and Third-Country Transfers

VaultGate uses large language models (LLMs) to translate your journaled trading data into natural-language insights. Depending on configuration the following providers are used:

  • Ollama (EU self-hosted): inference on the operator's servers within the European Union. No third-country transfer.
  • Groq (USA): transfer of pseudonymised trading summaries to the USA. Legal basis: EU Standard Contractual Clauses (SCC). You can disable this transfer in the settings ("Disable AI processing").
  • Anthropic Claude (USA): same as Groq; SCC as legal basis for the third-country transfer.

Only aggregated, pseudonymised key figures are sent to AI providers (statistics about your own trades, optionally attached chart screenshots). We never send cleartext names, e-mail addresses, or broker credentials to AI providers.

AI providers process the data as processors under their respective DPAs and typically keep request logs for a maximum of 30 days for abuse prevention (varies by provider).

5. Retention

Your trading and journal data is stored until you delete your account. After deletion, all personal data is irrevocably removed within 30 days. Statutory retention obligations (tax law, commercial law) remain unaffected where applicable.

6. Your Rights

You have the right at any time to:

  • Access your data (Art. 15 GDPR) — via Settings → Data Export.
  • Rectification (Art. 16 GDPR) — editable directly in the app.
  • Erasure (Art. 17 GDPR) — via Settings → Delete Account.
  • Restriction of processing (Art. 18 GDPR).
  • Data portability (Art. 20 GDPR) — the export delivers JSON.
  • Object (Art. 21 GDPR) — especially against AI processing via the opt-out switch in the settings.
  • Lodge a complaint with the competent supervisory authority (Art. 77 GDPR).

7. Cookies

We use a single technically necessary session cookie for your login (httpOnly, SameSite=Lax, max. 30 days). No trackers, no analytics, no advertising cookies — hence no consent banner is required.

8. Contact

Data-protection requests: see Legal Notice.

Placeholder version. Review by a qualified professional recommended before public go-live.