← Back to app
Privacy Policy

What we store — and what we never do with it

Your trading journal is yours. This page states plainly what we collect, why, who processes it, how long we keep it, and the controls you have.

Updated 2026-07-11 · Operator: Demetra (see Contacts & owner)

🗄️ What we collect

  • Account & access: email, password (processed over TLS at registration/login but stored only as an Argon2 hash), Discord ID/username, Private access status and expiry.
  • Your journal (cloud mode): trading accounts, trades, backtests, screenshots, notes and tags you add.
  • AI requests (only when used): your question, up to 12 recent chat messages, and summary statistics for the period you selected — for example trade count, profit/loss, win rate, drawdown and results by setup, trading session and instrument. Individual trades are not sent to the AI. For prop-firm questions, the relevant catalog information is sent instead. The server does not save the assistant conversation in the journal database; the current tab keeps up to 30 messages in session storage until you clear it or close the browser session.
  • Private access metadata: user/tenant identifiers, access and lease expiry, and a one-way SHA-256 device identifier. We do not receive the underlying Windows MachineGuid.
  • Technical: IP address and user-agent at sign-up/login, session & CSRF cookies, error logs. No trade content is put in error logs.

🎯 Why we process it (purpose & legal basis)

  • Run the service — accounts, login, the journal, analytics (performance of the contract with you).
  • Security & abuse prevention — IP/user-agent, rate limits, error monitoring (our legitimate interest).
  • Access control — Private access, device and Discord-role checks (performance of the contract / your consent).
  • AI assistant — process the question and context you choose to send when invoking it (your request/consent).
  • Transactional email — verification codes and password resets (performance of the contract).

🔐 How your cloud data is protected — and the honest limit

In cloud mode your journal is protected by several layers:

  • TLS (HTTPS) on every connection.
  • Authentication — Argon2 password hashing + signed JWT sessions.
  • Rate-limiting and abuse protection.
  • Strict access controls and internal policies.
  • Disk encryption at the hosting provider.

The honest limit: cloud mode is not zero-knowledge. Your journal is stored in a form the service can read so that analytics, the AI assistant and sharing can work. That means the operator, with server/database access, is technically able to read your data. We don't — our policies and the "what we never do" section below bind us — but we won't pretend it is cryptographically impossible.

Demetra Private / Local Vault reduces what reaches us: the journal stays on your machine and is not uploaded to Demetra Cloud. The journal databases are encrypted at rest with SQLCipher. A random 256-bit database key, cached credentials and the signed access lease are protected for the current Windows user with Windows DPAPI. Local backups preserve SQLCipher encryption and include a DPAPI-protected key envelope; cloud backup and cross-account key recovery are not included.

⚖️ Cloud vs Private — pick what fits you

 Cloud DemetraPrivate / Local Vault
Where data livesOn our serverOn your machine
Current protectionTLS + auth + policies (not zero-knowledge)SQLCipher database encryption; DPAPI-protected key and access secrets
Operator can read tradesTechnically yesNot through the service — the journal is not uploaded
Network useNormal service trafficEntitlement/token refresh and update checks; never journal content
Analytics · AI · sharingYesLocal analytics; AI and sharing off
Use on another deviceSign in normallySeparate device activation required
Best forConvenience & connected featuresKeeping the journal off our servers

Private / Local Vault is free during the current early-access stage and is issued manually after a request. The current build uses local-only storage with a signed, device-bound offline lease. Encrypted backup is planned separately.

🤝 Who else processes data (sub-processors)

A few infrastructure providers process data only to make the app work. We do not provide your data to them for resale or to train Demetra models; their own service terms and privacy notices also apply.

ProviderWhat they getWhen
AWS (Lightsail)Everything the server stores (hosting)Always
ResendYour email address + code/linkVerification / password reset
DiscordYour Discord IDMembership check
AnthropicYour question, up to 12 recent chat messages and summary trading statistics (not individual trades), or prop-firm catalog informationOnly when you use the AI assistant
SentryError reports (bodies/locals scrubbed)On an error, if enabled

In local-only mode AWS processes account and entitlement metadata, and Discord processes the server-side membership check. The journal itself is not sent to these providers; AI and sharing are off.

How long we keep it

Cloud account and journal data are kept while your account exists. Private access and entitlement metadata are also kept with the account. When you delete your account, that server-side data is permanently removed. A Private journal stored on your device remains under your control and must be deleted locally. A registration code is valid for 10 minutes, an account email-verification code for 30 minutes, and a password-reset link for 60 minutes. Sentry error reports may be retained for up to 90 days. Server logs are kept until log rotation or container replacement and are not archived separately. Trade content is not intentionally written to error logs.

📋 Clear data policy — export, deletion & access end

  • Export anytime. Download everything — accounts, trades, backtests, notes, tags — as one JSON file from Settings → Data & privacy. No request, no waiting.
  • Delete anytime, permanently. One click in Settings removes your account and all its data from our servers right away — trades, backtests, screenshots, shares, everything. It can't be undone.
  • If Private early access ends: the local journal is not deleted. Private journaling locks until access is extended, while local backup/export remains available. Server-side account data follows the normal export/deletion controls.
  • No hostage-taking. Export and deletion are always yours to use.

Local-only / Private desktop: your journal lives on your machine, so export and deletion are local too — and even if access lapses, your on-device data and export stay available.

🍪 Cookies

We use only strictly-necessary cookies — no advertising or tracking pixels, no third-party analytics:

  • Session — keeps you logged in.
  • CSRF — protects forms from cross-site request forgery.
  • Language and short-lived sign-up flow cookies (email/Discord verification).
  • Browser local/session storage — interface preferences, calculator values, registration convenience and the current-tab AI chat history. It is not used for advertising or cross-site tracking.

Because these are essential to run the service, they don't require a consent banner. If we ever add analytics or ad pixels, we'll add a cookie-consent choice first.

🛡️ What we never do

  • We do not sell your data. Not to brokers, not to prop firms, not to anyone.
  • We do not train AI models on your trades. Your journal is not a dataset.
  • We do not publish your journal. It becomes visible to others only when you create a share link.

🔒 Local-only mode — and how to verify it

Local-only is a free, request-based desktop mode during the current early-access stage. Your journal lives on your computer: trades, backtests, screenshots and notes are stored in a local SQLite database and are not sent to Demetra Cloud; there is no background journal upload or sync.

At activation and normally at startup, the desktop calls Demetra's entitlement endpoint. It sends authentication credentials and a one-way device identifier; the server checks the access grant and the Discord role already linked to the account, and returns a signed device-bound lease. Token refresh and app-update checks may also use the network. These calls contain no trades, notes, screenshots or backtests.

A valid lease permits offline use for up to 7 days, or until the granted early-access period ends, whichever comes first. After that the app locks Private journaling until it reconnects and access is extended. Local data is kept and backup/export remains available.

You don't have to take our word for it — you can check it yourself:

  • Turn on airplane mode / unplug the internet — journaling keeps working and your trades still save locally (within the 7-day window).
  • Watch the traffic with a network monitor — Wireshark, Fiddler, or your OS firewall/connection log — and verify that entitlement/update traffic contains no journal data.

Current encryption boundary: journal databases are encrypted with SQLCipher; credentials, the lease cache and database key are protected with Windows DPAPI. While Private is running, the key exists in process memory. Local encrypted backups can be restored by the same Windows user. Cloud backup, synchronization and a separate cross-device recovery key are not shipped.

⚙️ Your rights & controls

  • Access & export — download all your data as one JSON file, anytime (Settings → Data & privacy).
  • Erasure — one click deletes your account and all its data permanently.
  • Rectification — edit your profile and journal in the app.
  • Object / complain — reach us via Contacts; you may also complain to your local data-protection authority.

Private local-only is free during early access and is issued manually after a request. Availability depends on approval, Discord access and a supported desktop build. Any future pricing will require separate notice and updated terms.