Privacy Policy

    Last updated: July 11, 2026

    Introduction

    Welcome to Recall Vault. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This Privacy Policy explains how we collect, use, and safeguard your personal data when you use our trading journal platform.

    Data Controller: Recall Vault

    Your Rights Under UK GDPR

    Under UK GDPR, you have the following rights regarding your personal data:

    • Right to Access: Request a copy of your personal data we hold
    • Right to Rectification: Correct inaccurate or incomplete data
    • Right to Erasure: Request deletion of your data (right to be forgotten)
    • Right to Restrict Processing: Limit how we use your data
    • Right to Data Portability: Receive your data in a machine-readable format
    • Right to Object: Object to certain types of processing
    • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

    To exercise any of these rights, please contact us through the platform. We will respond within one month as required by UK GDPR.

    Information We Collect

    We collect only the minimum data required for Recall Vault to function as a private trading journal. Nothing here is used for advertising or sold to third parties.

    Account information

    • Email address (for authentication and account recovery)
    • Display name (optional, user-provided)
    • Subscription status and Stripe customer/subscription identifiers (for billing)

    Trading and journal data you submit

    • Trade records (symbol, entry/exit price, position size, dates, profit/loss)
    • Stop-loss, take-profit, risk amount and R-multiple values
    • Journal entries and free-text notes you choose to write
    • Emotional state tags you select and daily log entries

    MetaTrader 5 auto-sync data

    • If you enable MT5 auto-sync, the RecallVaultSync Expert Advisor sends trade metadata from your MT5 terminal to our servers
    • Data sent includes: symbol, trade direction, volume, entry/exit price, stop-loss, take-profit, profit/loss, commission, swap, timestamps, MT5 deal/position identifiers, and your MT5 account login number and broker name
    • We do not receive or store your MT5 password, trading account credentials, payment information, or any documents you hold with your broker
    • The EA is outbound-only: it sends data to us. It cannot receive commands back from Recall Vault and cannot execute trades on your account
    • Each connection uses a unique sync token that you can revoke or regenerate at any time from Settings

    Derived data we generate from your activity

    • Streaks, win rate and other statistics calculated from your own trades
    • Pattern and behavioural insights generated by AI from your own submitted data
    • 5-day fix plans and focus tasks tied to your account

    Operational data

    • Authentication session tokens (managed by Supabase Auth)
    • Bug reports you submit (route, console errors, optional description)
    • Optional in-app feedback (rating and comments you choose to send)
    • Registered admin device tokens (admin accounts only)

    Legal basis for processing (UK GDPR)

    • Contract: Storing your trades, journals and account is necessary to deliver the service (Art. 6(1)(b)).
    • Legitimate interests: Securing the platform and preventing abuse (Art. 6(1)(f)).
    • Consent: Optional AI analysis is enabled only when you choose to use it (Art. 6(1)(a)).

    How We Use Your Information

    Your data is used only to operate the features you use:

    • Authentication: Your email is used to verify your identity and secure your account.
    • Your private journal: Trades, journal entries and emotional tags are stored against your user ID and shown back to you in your dashboard, calendar and analytics.
    • AI insights: When you trigger an AI analysis, the relevant trades and notes from your own account are sent to our AI provider (via the Lovable AI Gateway, currently using OpenAI) to generate personalised feedback. No other user's data is mixed in.
    • Billing: Stripe processes payments and stores the subscription identifiers we use to grant access.
    • Support and safety: Administrators may access account metadata (email, plan, signup date) to provide support, investigate abuse or comply with legal requests. Private journal content is not browsed casually.

    What we do not do:

    • We do not sell your data.
    • We do not share your trades, journals, emotions or strategies with other users.
    • We do not build advertising profiles or run third-party ad/marketing pixels.
    • We do not use your trading data to train shared AI models. The AI provider operates under zero-data-retention terms for our requests.
    • We do not email you marketing without your consent.

    We avoid promises we cannot technically guarantee. Recall Vault is not "zero-data" or "fully anonymous" — running a trading journal requires storing the trades and journal entries you write. We store the minimum required to make the product work, and protect it as described below.

    Data Security

    We take data security seriously and implement industry-standard protections:

    Encryption

    • In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS)
    • At Rest: All data stored in our Supabase database is encrypted using AES-256 encryption

    Access Control

    • Row Level Security (RLS): All database tables are protected with RLS policies ensuring users can only access their own data
    • Authentication: Secure token-based authentication with automatic session management
    • API Protection: All API endpoints require valid authentication tokens

    Security Best Practices

    • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
    • XSS Protection: Content is properly escaped to prevent cross-site scripting attacks
    • CSRF Protection: All state-changing requests are protected against cross-site request forgery
    • Webhook Verification: All external webhooks (Stripe) are cryptographically verified before processing
    • Error Handling: Internal error details are never exposed to clients

    Admin Access

    Administrative access to user data is strictly limited and logged. Admin functions are protected by role-based access control and device registration requirements.

    Your Rights and Data Control

    You have full control over your data:

    • Access: You can view all your data at any time through the platform
    • Edit: You can modify your trades, journal entries, and profile information
    • Delete: You can delete individual trades, journal entries, or community messages
    • Export: Data export functionality is planned for future release
    • Account Deletion: You can request full account deletion by contacting support

    Third-Party Services & International Transfers

    We use the following third-party services to operate our platform:

    • Supabase (US-based): Database hosting and authentication. Supabase complies with GDPR and uses Standard Contractual Clauses (SCCs) for international transfers. (Privacy Policy: supabase.com/privacy)
    • OpenAI (US-based): AI-powered trading insights. Your trading data may be processed by OpenAI's API to generate insights. We use zero-data-retention mode; OpenAI does not train on your data. OpenAI has committed to GDPR compliance. (Privacy Policy: openai.com/policies/privacy-policy)
    • Stripe (US/EU): Payment processing for subscriptions. Stripe is PCI-DSS compliant and GDPR compliant. (Privacy Policy: stripe.com/privacy)

    International Data Transfers: Your data may be transferred to and processed in countries outside the UK/EEA, including the United States. We ensure adequate safeguards are in place through Standard Contractual Clauses (SCCs) or adequacy decisions.

    These services have their own privacy policies and data handling practices. We recommend reviewing them to understand how they protect your information.

    Data Retention

    We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:

    • Account Data: Retained while your account is active
    • Trading Data: Retained while your account is active and for 30 days after deletion
    • Financial Records: Retained for 6 years as required by UK tax law
    • Marketing Communications: Until you unsubscribe or object

    If you delete your account, all associated personal data will be permanently removed from our systems within 30 days, except where we are required to retain it for legal, tax, or regulatory purposes (e.g., financial records).

    Data Breach Notification

    In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by UK GDPR.

    Changes to This Privacy Policy

    We may update this Privacy Policy from time to time. We will notify users of any material changes by updating the "Last updated" date at the top of this policy. Your continued use of the platform after changes are posted constitutes acceptance of the updated policy.

    Contact Us & Complaints

    Data Controller: Recall Vault (also at recall-vault.com)
    Contact Email: support@recall-vault.com

    If you have any questions or concerns about this Privacy Policy, how we handle your data, or wish to exercise your GDPR rights, please contact us at the email address above.

    Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data properly:

    Information Commissioner's Office
    Wycliffe House, Water Lane
    Wilmslow, Cheshire SK9 5AF
    Phone: 0303 123 1113
    Website: ico.org.uk