Privacy Policy
Last updated: May 1, 2026
1. Introduction
Trade Noted ("we," "us," "our") is a trading journal platform operated by S and A Marketing FZ-LLC. This Privacy Policy explains what personal and non-personal data we collect, how we collect it, how we use it, and who we share it with — across our web application (app.tradenoted.com), our mobile application (Trade Noted for iOS and Android), and our marketing website (tradenoted.com).
We do not sell, rent, or monetize your personal data or your trading data in any form. By using any Trade Noted product, you agree to the practices described in this policy.
2. Information We Collect
2.1 Account & Identity Information
Account creation and authentication are handled by Clerk (clerk.com), a third-party identity provider. When you sign up, Clerk collects and processes:
- Email address (required)
- Password (hashed and managed entirely by Clerk — we never see your plain-text password)
- Display name (optional, set after sign-up)
- Profile avatar image (optional)
- OAuth tokens if you sign in via a third-party provider (e.g. Google)
- Session tokens, device fingerprint, and IP address (used by Clerk for fraud prevention and active session management)
Clerk acts as a data processor under a Data Processing Agreement. Their privacy practices are governed by the Clerk Privacy Policy.
2.2 Trading & Journal Data
This is the core data you enter into Trade Noted. It is stored in our database and never shared with third parties except as required to operate the service:
- Trade entries: instrument, direction (long/short), entry and exit prices, position size, P&L, commissions, fees
- Trade metadata: strategy label, setup grade, execution quality score, confidence level, notes
- Emotional state logs: pre-trade and post-trade emotions you optionally record per trade
- Rules: trading rules you configure and rule compliance records per trade
- Trading accounts: account name, broker name, account number, base currency, timezone, starting balance
- Journal entries: free-text daily notes and reflections
- Watchlist items: instruments you are monitoring
- Saved filters and queries
- CSV trade history files you upload (parsed and stored; the original file is not retained)
- Public portfolio sharing settings and the link you generate
2.3 Usage & Analytics Data
We use Google Analytics 4 (GA4) and Microsoft Clarity on all three products to understand how users interact with our platform. These services may collect:
- Pages and screens visited, and the order in which they were visited
- Features and buttons clicked
- Forms submitted (form ID and method — not the content of form fields)
- Scroll depth (in 25% increments)
- Approximate geographic location derived from IP address (country and region level only)
- Browser type, version, and language
- Device type and operating system
- Referrer URL and UTM campaign parameters (first-touch and last-touch attribution)
- Session duration and engagement time
- JavaScript errors and unhandled promise rejections (non-identifiable)
Microsoft Clarity additionally records session replays and generates heatmaps of user interactions. Clarity automatically masks sensitive input fields. You can opt out of Clarity by using the "Do Not Track" browser setting.
On the mobile app, analytics events are sent directly to Google Analytics using the GA4 Measurement Protocol. A random client ID and session ID are generated locally and stored on-device in AsyncStorage to maintain session continuity. These IDs are not linked to your account.
2.4 Error & Diagnostic Data
On the web application, we use Sentry (sentry.io) for error monitoring. When an error occurs, Sentry captures:
- Error message and stack trace
- Your IP address (to detect distributed errors; not stored long-term)
- HTTP request headers at the time of the error
- Browser and OS context
- A sanitized snapshot of application state at the time of the error
Sentry is configured with a 5% performance trace sample rate in production. We have enabled "Send Default PII", which means request headers (which may include your IP) are transmitted to Sentry. Sentry data is used exclusively for debugging and improving reliability. Sentry's privacy practices are governed by the Sentry Privacy Policy.
2.5 Email Communications
We send transactional emails using an SMTP email provider. The following emails may be sent to the email address on your account:
- Welcome email upon account creation
- Account deletion confirmation
- Important security or service notices
We do not send marketing or promotional emails.
2.6 Cookie & Local Storage Data
We and our third-party providers store the following data in your browser or device:
- Session cookies (Clerk): authenticate your session
- CSRF token: prevent cross-site request forgery attacks
- Cookie consent preference: remember whether you accepted optional cookies
- Theme preference: remember your light/dark mode setting
- Analytics cookies (Google Analytics): anonymous client ID and session ID for usage measurement
- Clarity cookies (Microsoft): session replay and heatmap data
- Attribution data (mobile app, AsyncStorage): first-touch and last-touch UTM parameters to understand which campaigns drive installs
See our Cookie Policy for the full list and opt-out instructions.
3. How We Use Your Information
- To create and maintain your account via Clerk
- To store, display, and calculate analytics from your trading data
- To enforce trading rules you configure and generate compliance reports
- To run Monte Carlo simulations and statistical analyses on your trade history (performed on our servers, results displayed only to you)
- To display your public portfolio page if you opt in to portfolio sharing
- To send transactional emails (account creation, deletion confirmation, security alerts)
- To detect, investigate, and prevent fraud, abuse, and security incidents
- To identify and fix bugs via error logs and Sentry diagnostics
- To understand which features are used and how, so we can prioritize improvements (via GA4 and Clarity, anonymized)
- To measure the effectiveness of our marketing campaigns (via UTM attribution)
We do not use your trading data for advertising, model training, benchmarking, or any purpose other than operating the service for you.
4. Third-Party Services We Use
The following third-party services receive data as part of normal platform operation:
Clerk (clerk.com)
Purpose: Authentication and identity management across web app, mobile app, and landing page.
Data received: Email address, hashed password, OAuth tokens, session tokens, IP address, device fingerprint.
Role: Data Processor (DPA in place).
Google Analytics 4 (analytics.google.com)
Purpose: Usage analytics across web app, mobile app, and landing page.
Data received: Anonymized page/screen views, events, device info, approximate location, UTM parameters. IP addresses are anonymized by Google before storage.
Role: Data Processor (Google Ads Data Processing Terms).
Microsoft Clarity (clarity.microsoft.com)
Purpose: Session recording and heatmap analytics across web app, mobile app, and landing page.
Data received: Session replay data (mouse movements, clicks, scrolls), heatmap data, screen names. Sensitive inputs are masked automatically.
Role: Data Processor.
Sentry (sentry.io)
Purpose: Error monitoring and performance tracing on the web application.
Data received: Error stack traces, IP address, HTTP request headers, browser/OS context, application state snapshots.
Role: Data Processor (DPA in place).
SMTP Email Provider
Purpose: Sending transactional emails.
Data received: Your email address and the content of transactional messages (welcome, deletion confirmation, security notices).
Role: Data Processor.
Database Hosting
Purpose: Storage of all trade data, accounts, rules, journal entries, and application state.
Data received: All data you enter into the platform (see Section 2.2).
Role: Data Processor. Data is stored on a dedicated server; it is not shared with any other party.
5. Public Portfolio Sharing
Portfolio sharing is entirely opt-in. If you choose to generate a public portfolio link, anyone with that link can view the data you have enabled. By default, a public portfolio shows:
- Your display name or initials
- Equity curve (percentage-based, not dollar amounts by default)
- Performance metrics: return, drawdown, expectancy, profit factor, win rate
- Monthly performance breakdown
The following are hidden by default and must be explicitly enabled by you:
- Actual dollar P&L values
- Instrument names
- Individual trade list
You can revoke or deactivate your public link at any time from your account settings. Deactivating the link immediately makes it inaccessible to others. We are not responsible for data that was viewed or copied before you deactivated the link.
6. Data Retention
- Active accounts: All data is retained for as long as your account exists.
- Deleted accounts: All personal data, trading records, journal entries, and associated content are permanently deleted within 30 days of account deletion. Your email address and account record are also deleted from Clerk within the same window.
- Error logs (Sentry): Retained for 90 days per Sentry's default retention policy.
- Analytics data (GA4): Retained for 14 months per our GA4 configuration, after which it is automatically deleted by Google.
- Session replays (Clarity): Retained per Microsoft Clarity's default policy (typically 30 days).
- Aggregated, anonymized analytics (e.g., total active user counts) may be retained indefinitely as they contain no personal data.
7. Data Security
We implement the following technical and organizational measures to protect your data:
- All data is transmitted over HTTPS (TLS encryption in transit)
- Passwords are hashed and never stored in plain text (managed by Clerk)
- Database access is restricted to our application servers via network-level controls
- API endpoints require a valid Clerk session token on every request
- CSRF protection is enforced on all state-changing requests
- Rate limiting is applied to all API endpoints to prevent abuse
- Environment secrets are stored in server-side environment variables, never exposed to the client
No method of internet transmission or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security.
8. Your Rights & Choices
You have the following rights over your data:
- Access: You can view all your trading data, account settings, and journal entries within the application at any time.
- Export: You can export your trading data in CSV format directly from the application.
- Correction: You can edit or delete any trade entry, journal entry, or account setting directly in the application.
- Deletion: You can delete your account at any time via the profile settings page (or via our profile deletion page). This permanently deletes all your data within 30 days.
- Portability: Exported CSV data is in a standard, machine-readable format.
- Opt out of analytics: You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on. You can opt out of Microsoft Clarity by enabling "Do Not Track" in your browser.
- Cookie preferences: You can manage cookie consent via our cookie banner. Revoking consent for analytics cookies will stop new analytics data from being collected.
For requests that cannot be fulfilled within the application (e.g., a full data export for GDPR compliance), contact us via the contact page. We will respond within 30 days.
9. Children's Privacy
Trade Noted is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user under 18 has provided us with personal data, we will delete that account and its data promptly. If you believe a minor has created an account, please contact us immediately.
10. International Data Transfers
Trade Noted is operated by S and A Marketing FZ-LLC, a company based in the UAE. Our third-party service providers (Clerk, Google, Microsoft, Sentry) may process your data in the United States or other countries. These providers maintain appropriate safeguards (Standard Contractual Clauses, Privacy Shield successors, or equivalent mechanisms) for international transfers.
If you are located in the European Economic Area (EEA), United Kingdom, or a jurisdiction with data transfer restrictions, you acknowledge that your data may be transferred to and processed in countries outside your jurisdiction. We ensure such transfers are made under appropriate legal safeguards.
11. Cookies
We use essential cookies to keep you logged in and protect against CSRF attacks. We also use optional analytics and session-recording cookies from Google and Microsoft (subject to your consent). See our full Cookie Policy for a complete list, their purposes, and how to opt out.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page and, where required, notify you by email or via an in-app notice. We encourage you to review this page periodically. Your continued use of Trade Noted after changes are posted constitutes your acceptance of the updated policy.
13. Contact Us
For privacy-related questions, data requests, or concerns, contact us via our contact page. We will respond within 30 days.
Data Controller: S and A Marketing FZ-LLC