1. Who we are
My Trading Force ("we", "us", "our") operates the journaling platform available at mytradingforce.com and its subdomains. For the purposes of GDPR we are the data controller for the personal data described below.
Privacy questions: [email protected]. The legal entity name and registered address will be added before public launch.
2. Data we collect
- Account data — email, display name, hashed password, OAuth provider identifiers, optional two-factor authentication secrets. Lawful basis: contract performance (Art 6(1)(b) GDPR).
- Journal content — trade entries, analyses, hashtags, uploaded chart images, AI prompts and AI-generated text you choose to save. Lawful basis: contract performance.
- Usage analytics — anonymised page-view and event data via Google Analytics, sent only when you have granted analytics consent. Lawful basis: consent (Art 6(1)(a) GDPR).
- Operational logs — IP address, user-agent, timestamps, rate-limit counters, authentication events. Used for security, debugging, and abuse prevention. Lawful basis: legitimate interest in keeping the service secure (Art 6(1)(f) GDPR).
- Error reports — crash and error context captured by our error-tracking provider. Personal identifiers are minimised. Lawful basis: legitimate interest in diagnosing and fixing defects.
- Communications — messages you send to support or feedback channels.
3. How we use your data
We use personal data only to:
- Deliver and operate the journal and analysis features.
- Authenticate you and protect accounts (e.g. lockout, 2FA).
- Improve the product based on aggregate, consented usage signals.
- Notify you about material changes, security alerts, and major releases.
- Comply with legal obligations.
We do not sell personal data and do not run automated decision-making with legal effects.
4. Sub-processors
We rely on a small set of vetted providers to operate the service. Each is bound by a data-processing agreement and processes data only on our instructions:
- DigitalOcean — application hosting and database (EU region).
- Google Analytics — usage analytics (only after consent).
- Sentry — error and exception tracking.
- OpenAI / Anthropic — large-language-model inference for the AI features you opt into. Prompts are sent only when you trigger an AI action.
- Email delivery provider — transactional emails (e.g. password reset, verification).
The current full list will be published and kept up to date here. Where a sub-processor is outside the EU/EEA, transfers are covered by Standard Contractual Clauses or an equivalent safeguard.
5. Cookies and similar technologies
A full breakdown of every cookie and browser-storage entry — including its purpose, duration, and lawful basis — is in our Cookie Policy.
6. Data retention
- Account and journal data are retained while your account is active.
- If you delete your account, we delete or irreversibly anonymise personal data within 30 days, except where law requires longer retention.
- Operational logs are kept up to 90 days, then aggregated or deleted.
- Error reports are retained up to 90 days.
7. Your rights
Under GDPR you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — pause certain processing while a dispute is resolved.
- Portability — receive your journal entries in a machine-readable format (JSON).
- Objection — object to processing based on legitimate interest.
- Withdraw consent — at any time; withdrawal does not affect the lawfulness of processing carried out before it. Use the "Manage cookies" link in the footer to update analytics consent.
See our Data Rights page for the request workflow. We respond within one month (Art 12(3) GDPR).
If you believe we have mishandled your data, you may lodge a complaint with your local supervisory authority. A list of EU/EEA authorities is published at edpb.europa.eu.
8. Security
Details of how we protect data — encryption, access control, monitoring, incident response, and responsible-disclosure contact — are on the Security page.
9. Children
The service is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will remove it.
10. Changes to this policy
We will publish updates to this page and, for material changes, notify you via the changelog and (where appropriate) email. The "Last updated" date above always reflects the latest version.