Your trading journal is yours. This page states plainly what we collect, why, who processes it, how long we keep it, and the controls you have.
Updated 2026-07-11 · Operator: Demetra (see Contacts & owner)
In cloud mode your journal is protected by several layers:
The honest limit: cloud mode is not zero-knowledge. Your journal is stored in a form the service can read so that analytics, the AI assistant and sharing can work. That means the operator, with server/database access, is technically able to read your data. We don't — our policies and the "what we never do" section below bind us — but we won't pretend it is cryptographically impossible.
Demetra Private / Local Vault reduces what reaches us: the journal stays on your machine and is not uploaded to Demetra Cloud. The journal databases are encrypted at rest with SQLCipher. A random 256-bit database key, cached credentials and the signed access lease are protected for the current Windows user with Windows DPAPI. Local backups preserve SQLCipher encryption and include a DPAPI-protected key envelope; cloud backup and cross-account key recovery are not included.
| Cloud Demetra | Private / Local Vault | |
|---|---|---|
| Where data lives | On our server | On your machine |
| Current protection | TLS + auth + policies (not zero-knowledge) | SQLCipher database encryption; DPAPI-protected key and access secrets |
| Operator can read trades | Technically yes | Not through the service — the journal is not uploaded |
| Network use | Normal service traffic | Entitlement/token refresh and update checks; never journal content |
| Analytics · AI · sharing | Yes | Local analytics; AI and sharing off |
| Use on another device | Sign in normally | Separate device activation required |
| Best for | Convenience & connected features | Keeping the journal off our servers |
Private / Local Vault is free during the current early-access stage and is issued manually after a request. The current build uses local-only storage with a signed, device-bound offline lease. Encrypted backup is planned separately.
A few infrastructure providers process data only to make the app work. We do not provide your data to them for resale or to train Demetra models; their own service terms and privacy notices also apply.
| Provider | What they get | When |
|---|---|---|
| AWS (Lightsail) | Everything the server stores (hosting) | Always |
| Resend | Your email address + code/link | Verification / password reset |
| Discord | Your Discord ID | Membership check |
| Anthropic | Your question, up to 12 recent chat messages and summary trading statistics (not individual trades), or prop-firm catalog information | Only when you use the AI assistant |
| Sentry | Error reports (bodies/locals scrubbed) | On an error, if enabled |
In local-only mode AWS processes account and entitlement metadata, and Discord processes the server-side membership check. The journal itself is not sent to these providers; AI and sharing are off.
Cloud account and journal data are kept while your account exists. Private access and entitlement metadata are also kept with the account. When you delete your account, that server-side data is permanently removed. A Private journal stored on your device remains under your control and must be deleted locally. A registration code is valid for 10 minutes, an account email-verification code for 30 minutes, and a password-reset link for 60 minutes. Sentry error reports may be retained for up to 90 days. Server logs are kept until log rotation or container replacement and are not archived separately. Trade content is not intentionally written to error logs.
Local-only / Private desktop: your journal lives on your machine, so export and deletion are local too — and even if access lapses, your on-device data and export stay available.
We use only strictly-necessary cookies — no advertising or tracking pixels, no third-party analytics:
Because these are essential to run the service, they don't require a consent banner. If we ever add analytics or ad pixels, we'll add a cookie-consent choice first.
Local-only is a free, request-based desktop mode during the current early-access stage. Your journal lives on your computer: trades, backtests, screenshots and notes are stored in a local SQLite database and are not sent to Demetra Cloud; there is no background journal upload or sync.
At activation and normally at startup, the desktop calls Demetra's entitlement endpoint. It sends authentication credentials and a one-way device identifier; the server checks the access grant and the Discord role already linked to the account, and returns a signed device-bound lease. Token refresh and app-update checks may also use the network. These calls contain no trades, notes, screenshots or backtests.
A valid lease permits offline use for up to 7 days, or until the granted early-access period ends, whichever comes first. After that the app locks Private journaling until it reconnects and access is extended. Local data is kept and backup/export remains available.
You don't have to take our word for it — you can check it yourself:
Current encryption boundary: journal databases are encrypted with SQLCipher; credentials, the lease cache and database key are protected with Windows DPAPI. While Private is running, the key exists in process memory. Local encrypted backups can be restored by the same Windows user. Cloud backup, synchronization and a separate cross-device recovery key are not shipped.
Private local-only is free during early access and is issued manually after a request. Availability depends on approval, Discord access and a supported desktop build. Any future pricing will require separate notice and updated terms.