Privacy Policy

This Privacy Policy describes how PnLStack ("we", "us", or "our") collects, uses, stores, and discloses information when you use our mobile application ("the App"). We are committed to protecting your privacy and being transparent about our practices.

1. Information We Collect

1.1 Information you provide

• Account information: When you create an account, we collect your email address and authentication credentials (or a token from Apple Sign In or Google Sign In if you use those methods).
• Trade data: Information you log about your trades, including ticker symbols, prices, quantities, dates, instrument types (stocks, options, futures, crypto), and computed P&L values.
• Journal notes: Free-form text notes you write about your trades. These notes are encrypted on your device before being transmitted to our servers.
• Tags: Mood and strategy tags you select when logging trades (e.g., "Disciplined", "FOMO", "Breakout").

1.2 Information collected automatically

• Device information: Device model, operating system version, app version, and a non-identifying device identifier used for crash reporting and performance monitoring.
• Usage information: Anonymous, aggregated metrics about how you interact with the App (e.g., which screens you visit, how often you log trades). We do not collect this in a way that identifies you personally.
• Crash data: Technical information about app crashes to help us fix bugs.

1.3 Information we do NOT collect

• We do not collect your real name, address, phone number, or government identification.
• We do not access your contacts, photos, location, microphone, or camera.
• We do not connect to your brokerage account or have access to your actual financial accounts.
• We do not collect or process payment information directly. Any future in-app purchases are handled entirely by Apple's App Store.

2. How We Use Your Information

We use the information we collect to:

• Provide, maintain, and improve the App's functionality.
• Authenticate you and manage your account.
• Sync your trade data across your devices (if you sign in on multiple devices).
• Compute statistics, charts, and visualizations from your trade data.
• Diagnose technical issues and improve performance.
• Communicate with you about important account or service updates.
• Comply with legal obligations.

3. End-to-End Encryption of Notes

Your journal notes contain potentially sensitive information about your trading psychology, strategies, and decisions. To protect this information:

• Notes are encrypted on your device using AES-256-CBC encryption before being transmitted to our servers.
• Encryption keys are derived from your password using PBKDF2-SHA256 with 100,000 iterations.
• Keys are stored in your device's iOS Keychain — a hardware-backed secure storage on your phone.
• We never have access to the unencrypted content of your notes. Even if our servers were compromised, your notes would remain unreadable.
• If you forget your password, your encrypted notes cannot be recovered by us. A recovery phrase is provided during account setup specifically for this purpose — please keep it safe.

4. How We Store Your Information

Your data is stored on servers operated by Supabase, located in Toronto, Canada (ca-central-1 region). Supabase provides:

• Encryption of data at rest (AES-256).
• Encryption in transit using TLS 1.2 or higher.
• Row-Level Security: each user's data is logically isolated and only accessible by that user.
• SOC 2 Type II compliance.

You can review Supabase's security and privacy practices at supabase.com/privacy.

5. How We Share Your Information

We do not sell, rent, or trade your personal information. We may share information only in these limited circumstances:

• Service providers: Third parties that help us operate the App (such as Supabase for backend infrastructure, and Apple/Google for authentication). These providers only access information necessary to perform their services and are bound by confidentiality obligations.
• Legal compliance: When required by law, court order, or valid government request, or to protect the safety, rights, or property of PnLStack, our users, or others.
• Business transfers: If PnLStack is acquired, merged, or sells assets, your information may be transferred as part of that transaction. You will be notified by email and/or a prominent notice in the App.
• With your consent: When you explicitly authorize us to share information.

6. Your Privacy Rights

You have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you.
• Correction: Update or correct inaccurate information through the App's Settings screen.
• Deletion: Delete your account and all associated data from within the App (Settings → Delete Account) or by emailing [email protected].
• Export: Export your trade data as a CSV file from within the App.
• Withdraw consent: Stop using the App at any time. Closing your account stops further data collection.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.

7. Data Retention

We retain your information for as long as your account is active. When you delete your account:

• Your trade data, notes, and personal information are permanently deleted from our active databases within 7 days.
• Encrypted backups are purged within 30 days.
• Anonymized, aggregated analytics data may be retained indefinitely as it cannot be linked back to you.

8. Children's Privacy

PnLStack is not intended for children under the age of 18. We do not knowingly collect information from children under 18. If you believe a child has provided us information, please contact us at [email protected] and we will delete it.

9. International Users

PnLStack is operated from Canada. By using the App, you consent to the transfer, storage, and processing of your information in Canada and any other countries where our service providers operate. We ensure all transfers are protected by appropriate safeguards.

10. California Residents (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• The right to know what personal information we collect, use, and disclose.
• The right to delete your personal information.
• The right to opt-out of the sale of personal information (we do not sell personal information).
• The right to non-discrimination for exercising these rights.

To exercise CCPA rights, email [email protected] with "CCPA Request" in the subject line.

11. European Users (GDPR)

If you are in the European Economic Area, United Kingdom, or Switzerland, you have additional rights under GDPR including data portability, the right to object to processing, and the right to lodge a complaint with a supervisory authority. Our lawful basis for processing your data is your consent and the performance of our service contract with you.

12. Security

We implement reasonable technical and organizational measures to protect your information from unauthorized access, alteration, or destruction. These include encryption, access controls, secure authentication, and regular security reviews. However, no method of transmission or storage is 100% secure. We encourage you to use a strong, unique password and keep your recovery phrase safe.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (if we have your email address) or via a notice in the App. The "Effective date" at the top of this policy reflects the date of the most recent revision. Your continued use of the App after changes take effect constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your personal information:

Email: [email protected]
Mail: Ghanshyam Patel, Hamilton, Ontario, Canada
Web: pnlstack.com