1. Introduction
This Privacy Policy explains how Tapnet Solutions (Pty) Ltd (“Tapnet Solutions”, “we”, “us”, “our”), a company registered in the Republic of South Africa (registration number 2023/135522/07) and the operator of the TradeJournal service at tradejournal.co.za, processes your personal information.
Tapnet Solutions is the responsible party under the Protection of Personal Information Act 4 of 2013 (“POPIA”). Our Information Officer is Wynand de Beer, reachable at privacy@tradejournal.co.za.
What TradeJournal is
2. Information We Collect
The categories of personal information we process are set out below.
| Category | Examples | Source |
|---|---|---|
| Account information | Full name, email address, hashed password, avatar URL | Directly from you at signup |
| Age declaration | Your confirmation that you are 18 years or older | Directly from you at signup |
| Consent records | Version, timestamp, IP address, and user agent for each legal consent you give (Privacy Policy, Terms of Service, FAIS disclaimer, psychological data consent) | Automatically recorded when you accept |
| Trade journal entries | Currency pair, direction (buy/sell), lot size, entry/exit price, entry/exit date and time, profit/loss, tags, free-text notes, screenshot URLs, trade grades | Manually entered by you |
| Trading account metadata | Broker name, account type (demo/live/funded), account nickname, user-supplied account number, starting/current balance, currency | Manually entered by you |
| Psychological / mindset data (SPECIAL PERSONAL INFORMATION - see Section 5) | Mood or mindset scores on a 1–10 scale, free-text psychological notes, pre-trade checklist responses, mindset session type and duration | Optional, manually entered by you |
| Daily trading plans | Market bias, key levels, session notes, strategy selection | Manually entered by you |
| Dashboard and preferences | Theme, currency default, timezone, date format, dashboard widget layout, notification preferences | Directly from you |
| Session and technical data | Supabase session cookies, IP address, browser type, device information, server and application logs | Automatically collected when you use the app |
| Subscription data | Plan type (Free/Basic/Pro), billing cycle, payment status, payment processor reference (when we add a payment processor) | From you and from our future payment processor |
| Support correspondence | Emails and messages you send to us | Directly from you |
3. Why We Process Your Information and Our Legal Basis
POPIA requires us to process personal information only for a specific, explicitly defined and lawful purpose, and only on a lawful basis listed in section 11. The table below maps each activity to its purpose and legal basis.
| Purpose | POPIA legal basis | Data used |
|---|---|---|
| Create and operate your TradeJournal account | Contract - s11(1)(b) | Account information, consent records |
| Verify you are 18 or older | Legal obligation - s11(1)(c), POPIA ss34–35 | Age declaration |
| Store, display and analyse your self-reported trade journal | Contract - s11(1)(b) | Trade entries, trading-account metadata, daily plans, preferences |
| Provide mindset tracking (mood scores and checklists) | Explicit consent - s27(1)(a) - separately requested | Psychological / mindset data |
| Subscription billing and fraud prevention | Contract - s11(1)(b) / legitimate interests - s11(1)(f) | Subscription data, technical data |
| Send service, security and transactional emails | Contract - s11(1)(b) | Account information |
| Direct marketing (product updates, promotional content) | Consent - s69 (opt-in only) | Account information, notification preferences |
| Security, abuse prevention, incident response | Legitimate interests - s11(1)(f) / legal obligation - s11(1)(c) | Session and technical data, logs |
| Tax and accounting records | Legal obligation - s11(1)(c), Tax Administration Act 28 of 2011 | Subscription data |
| Responding to a data subject request, complaint or legal process | Legal obligation - s11(1)(c) | Any data relevant to the request |
We do not use your trade entries, psychological data, or any other personal information to train artificial-intelligence models, and we never sell your personal information.
4. Everything in Your Journal Is Self-Reported
We do not verify your trade data
5. Special Personal Information (Psychological / Mindset Data)
POPIA section 1 defines health information - including information about a person’s physical and mental health - as special personal information. Processing special personal information is generally prohibited by section 26 unless a section 27 exception applies. We rely on section 27(1)(a): your explicit consent.
What psychological data we collect
- Mood or mindset self-assessment scores on a 1–10 scale
- Free-text psychological or emotional notes you choose to write
- Pre-trade checklist responses that reference psychological state
- Mindset session type and duration you log
How we handle it
- Separate opt-in: We ask for a dedicated, explicit consent before you first access any mindset or psychological feature. Your consent to our general Privacy Policy does not, on its own, permit us to process this data.
- Optional: You can use TradeJournal fully without ever logging any psychological data.
- Granular deletion: In Settings → Privacy you can revoke your psychological-data consent at any time. Revocation triggers an immediate, cascading deletion of all mood scores, psychological notes, checklist responses that reference psychological state, and mindset session records, while leaving your trade journal and account untouched.
- Not shared: Psychological data is never shared with any third party other than the hosting infrastructure providers named in Section 6.
- Access controls: Row-level security at the database level ensures that only your authenticated session can read your psychological data.
6. Third-Party Recipients (Operators)
POPIA calls third parties that process personal information on our behalf operators. Section 20 requires us to have a written agreement with every operator. The table below lists every operator currently in use. A full list is maintained on our Operator Agreements page.
| Operator | Role | Data processed | Location | Agreement |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication and real-time sync | All account data, trade entries, psychological data, consent records, session cookies | Ireland (EU) | Supabase DPA (GDPR/POPIA-equivalent) |
| Vercel Inc. | Web hosting and global edge network | HTTP requests, IP addresses, static assets, server logs | United States (with global edge) | Vercel DPA (GDPR/POPIA-equivalent) |
We do not sell, rent or share your personal information with any third party for their own marketing or profiling purposes.
7. Cross-Border Transfers (POPIA s72)
Your personal information is stored outside the Republic of South Africa. Specifically:
- Primary storage is in Ireland (European Union) with Supabase Inc.
- Web traffic is served through Vercel’s United States origin with global edge caching. Request metadata (including your IP address) transits the edge network.
Under POPIA section 72 we rely on the following combination of lawful grounds:
- s72(1)(a) - the recipient is subject to a binding written agreement (the Supabase and Vercel Data Processing Agreements) that upholds principles of reasonable protection substantially similar to POPIA’s eight conditions for lawful processing and provides enforceable rights and effective legal remedies for data subjects.
- s72(1)(b) - your informed consent, given when you accept this Privacy Policy.
- s72(1)(c) - the transfer is necessary for the performance of the contract between you and Tapnet Solutions.
Both Supabase and Vercel are subject to the General Data Protection Regulation (GDPR) and/or equivalent US frameworks, which the Information Regulator has publicly acknowledged as upholding comparable data-protection principles.
8. How Long We Keep Your Data
We retain your personal information only for as long as necessary for the purposes set out in Section 3. The detailed schedule is published on our Data Retention Policy page. A summary:
| Data category | Retention period |
|---|---|
| Account information | Duration of your account + 30 days after deletion |
| Trade journal entries | Duration of your account + 30 days after deletion |
| Psychological / mindset data | Until you revoke consent - then hard-deleted immediately |
| Subscription and billing records | 5 years from the transaction (Tax Administration Act 28 of 2011) |
| Consent records | Duration of account + 1 year (as evidence of POPIA compliance) |
| Server and application logs | 90 days, then automatic rotation |
| Supabase infrastructure backups | 7–30 days (as per Supabase default schedule) |
On account deletion, personal information is removed from our live database within 30 days. Residual copies may persist in Supabase’s encrypted infrastructure backups for up to a further 30 days before they are automatically overwritten.
9. Your Rights Under POPIA
You have the following rights in relation to your personal information. To exercise any of them, email privacy@tradejournal.co.za. We will respond within 30 days.
- Access (s23) - confirmation that we hold your data, and a copy of it. You can download a JSON export from Settings → Data → Export All Data at any time.
- Correction (s24) - have inaccurate or incomplete information corrected. Most fields are editable directly in Settings.
- Deletion (s24) - have your personal information destroyed or deleted. Available in Settings → Account → Delete Account, or for psychological data only in Settings → Privacy.
- Objection (s11(3)) - object to processing based on legitimate interests or for direct marketing.
- Withdraw consent (s11(2)(b)) - withdraw any consent you previously gave. Withdrawal is as easy as granting consent.
- Lodge a complaint (s74) - complain to the Information Regulator (details below).
- PAIA access request - formal record access under the Promotion of Access to Information Act 2 of 2000. See our PAIA Manual.
10. How We Protect Your Data (POPIA s19)
We apply appropriate, reasonable technical and organisational measures. Full detail is on our Security page. Summary:
- All connections are encrypted in transit with TLS (HTTPS, HSTS).
- Passwords are hashed by Supabase Auth using bcrypt. We never see your plaintext password.
- Data at rest is encrypted with AES-256 by Supabase.
- Row-level security ensures no user can read or write another user’s data.
- Strict Content Security Policy, X-Frame-Options DENY, X-Content-Type-Options nosniff.
- Authentication rate limiting to defend against credential stuffing.
- Supabase is SOC 2 Type 2 certified; Vercel is SOC 2 Type 2 and ISO 27001 certified.
12. Children Under 18 (POPIA ss34–35)
TradeJournal is intended only for users who are 18 years or older. You confirm your age at signup. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child without the competent consent of a parent or guardian, we will delete that information immediately.
13. Direct Marketing (POPIA s69)
We will only send you direct marketing (product announcements, promotional content) if you opt in. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email, by toggling preferences in Settings → Notifications, or by emailing privacy@tradejournal.co.za. Service, security and billing emails are not marketing and are not subject to opt-out while you hold an active account.
14. Data Breach Notification (POPIA s22)
If a security compromise occurs that has led to, or may reasonably lead to, the unauthorised acquisition of your personal information, we will notify the Information Regulator as soon as reasonably possible (our target is 72 hours from discovery) and notify you directly with a description of the incident, the categories of data affected, the steps you can take, and the steps we have taken. Full procedure is on our Breach Response page.
15. Information Regulator
You have the right to lodge a complaint with the Information Regulator if you believe we have not handled your personal information lawfully:
- JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
- Enquiries: enquiries@inforegulator.org.za
- Complaints: complaints.IR@justice.gov.za
- Web: inforegulator.org.za
We ask that you contact us first so that we can try to resolve your concern directly.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to you by email and by a blocking in-app notice the next time you sign in, and you will be asked to re-consent. The version number at the top of this page indicates the current version. We keep an internal log of all prior versions for audit purposes.
17. Contact Us
For any privacy-related question or request, please contact our Information Officer:
- Information Officer: Wynand de Beer
- Email: privacy@tradejournal.co.za
- Alternative email: wynand@tapnet.co.za
- Phone: +27 79 174 8357
- Postal address: 594 Bombani Street, Elarduspark, Gauteng, 0181, South Africa
- Target response SLA: 30 days from receipt of your request