Privacy Policy

1. Introduction

This Privacy Policy explains how Edge Finder ("we", "us", "our", the "Service") collects, uses, stores, and discloses personal data when you use our trading journal and analytics application available at edge-finder.app.

Edge Finder is operated as a private, non-commercial project by an individual based in Switzerland. We comply with the Swiss Federal Act on Data Protection (revFADP / nDSG) and, where applicable, the EU General Data Protection Regulation (GDPR).

2. Data Controller

The controller responsible for the processing of your personal data is:

Edge Finder
Redingstrasse 24
4052 Basel
Switzerland
Email: support@edge-finder.app

3. Categories of Data We Process

Depending on how you use Edge Finder, we process the following categories of personal data:

a) Account data. When you create an account we process your email address, your chosen username, and an encrypted (hashed and salted) password.

b) Discord OAuth data. If you sign in or link your account via Discord, we receive your Discord username, display name, email address and avatar URL from Discord. We store the OAuth identity link so you can sign back in with Discord; you can disconnect it at any time in Settings.

c) Trading data you enter or import. Trades, orders, fills, profit and loss values, notes, tags, screenshots, journal entries, templates, playbooks, checklists and other content you create inside the application. You may also upload CSV exports from external broker platforms; for that import path we only process the file contents you upload.

d) Screenshots. Image files you upload to attach to your trades or journal entries. Screenshots are stored in object storage (Cloudflare R2) under a path tied to your user id.

e) AI insights data. When you request an AI insight, the relevant subset of your trade data is sent to a third-party AI provider to generate a written analysis. The generated insight is stored under your account. The AI provider and its retention are described in Section 6.

f) Community and mentor data. If you join a community or share trades for review, we store the community role assigned to you, the inviter who brought you in, the shared trade snapshots you publish, and any comments you write on other users' shared trades.

g) Push notification data. If you enable browser push notifications, we store your push subscription endpoint and authentication keys provided by your browser, so we can deliver notifications you have asked for.

h) Technical data. IP address, browser type, device type, operating system, language and similar information transmitted automatically when you visit the Service, together with session cookies and authentication tokens required to keep you signed in. Application errors are captured for debugging purposes.

i) Communication data. The content of any message you send us, for example via the support email address.

j) NinjaTrader connection data. If you connect a NinjaTrader account via OAuth in Settings, we receive and store your NinjaTrader user id, the names and identifiers of the trading accounts visible to you, and an OAuth access token. The access token is encrypted at rest with AES-256-GCM before it is written to our database. We use this connection to import your orders, fills and positions from the Tradovate API into your Edge Finder journal on your instruction. You can disconnect the integration at any time in Settings, which deletes the stored token immediately.

4. Purposes of Processing

We process your personal data for the following purposes:

• Providing and operating the Service (creating your account, importing and displaying your trades, calculating statistics, persisting your journal entries)
• Importing your trade history from NinjaTrader (via the Tradovate API) when you connect your account in Settings
• Generating AI insights from your trade data when you explicitly request them, using a third-party AI provider as described in Section 6
• Delivering push notifications you have opted in to receive
• Securing the Service against abuse, fraud and unauthorised access
• Responding to support requests and communicating with you about your account
• Improving the Service, including debugging and aggregated, non-identifying usage analysis
• Complying with statutory obligations and enforcing our Terms of Service

We do not sell your personal data and we do not use it for advertising or profiling unrelated to the Service.

5. Legal Basis (for users in the EU/EEA)

Where the GDPR applies, we rely on the following legal bases under Article 6(1) GDPR:

• Performance of a contract (lit. b) for creating your account, providing the Service and processing the trades and journal data you enter or upload
• Performance of a contract (lit. b) for the NinjaTrader OAuth connection and the resulting import of your trade history that you instruct by clicking Connect in Settings
• Consent (lit. a) for the optional Discord sign-in and account-linking, which you can withdraw at any time by disconnecting the integration in Settings or revoking access in your Discord account
• Performance of a contract (lit. b) for generating AI insights when you actively trigger them via the Generate AI Insight action; the click is an instruction to process within the contracted service rather than a separate consent act
• Consent (lit. a) for browser push notifications, which you can revoke at any time in your browser settings
• Legitimate interests (lit. f) for keeping the Service secure, preventing abuse and improving stability
• Compliance with legal obligations (lit. c) where applicable

6. Third-Party Services and Processors

We work with a small number of carefully selected service providers who process personal data on our behalf under written data processing agreements:

• Supabase Inc. (United States, with primary database storage in Switzerland, AWS region eu-central-2 in Zurich) provides our database, authentication and storage infrastructure
• Vercel Inc. (United States, with edge delivery across the EU and worldwide) hosts the web application and runs the serverless functions that handle your requests
• Cloudflare, Inc. (United States) provides object storage for the trade screenshots you upload, via its R2 product
• Anthropic, PBC (United States) provides the Claude API that processes your trade data when you request an AI insight. Anthropic retains API logs for 30 days under their default policy and does not use API data to train their models. They do not currently expose a programmatic per-user deletion endpoint; if you want a stronger deletion guarantee, contact us at support@edge-finder.app and we will submit a manual deletion request to their privacy team
• Resend, Inc. (United States) delivers the transactional emails we send to you (account creation, deletion notifications, mentor invitations)
• Functional Software, Inc. (Sentry) (United States) captures application errors and stack traces to help us diagnose bugs. PII fields are stripped where reasonably possible
• NinjaTrader, LLC and Tradovate, LLC (United States) operate the trading platform we connect to via OAuth when you authorise the integration in Settings. We retrieve your trading account list, orders, fills and positions from the Tradovate API on your behalf. NinjaTrader is an independent controller for the data it holds about you under its own privacy policy

We do not transfer your personal data to any other recipients except where required by law or where you have explicitly asked us to do so.

7. International Data Transfers

Several of the processors listed in Section 6 (Vercel, Cloudflare, Anthropic, Resend, Sentry, NinjaTrader, and Supabase's US parent company even though the database itself sits in Switzerland) are established in the United States. Where personal data is transferred outside Switzerland or the European Economic Area, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (with the Swiss addendum issued by the Swiss Federal Data Protection and Information Commissioner) and, where available, certifications under the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework.

When you sign in via Discord, your authentication round-trip involves Discord servers in the United States.

8. Storage Duration

We store your personal data only for as long as it is necessary for the purposes described above:

• Account data and trading data are stored for as long as your account is active
• When you delete your account, the operational deletion process described in Section 9 applies
• The Discord OAuth identity link is removed when you disconnect Discord in Settings
• The NinjaTrader OAuth access token is removed immediately when you disconnect the integration in Settings or if our automated renewal detects that NinjaTrader has revoked it
• Server logs containing technical data are typically kept for up to 90 days for security and debugging purposes
• Communication data is kept for as long as needed to handle your request and to document the case

9. How we handle account deletion

The legal basis for deletion is Art. 6 Abs. 4 nDSG (personal data must be destroyed or anonymised once it is no longer required for the processing purpose), enforced via Art. 32 Abs. 1 lit. c nDSG (judicial claim for destruction or anonymisation), and Art. 17(1) GDPR for users in the EU/EEA. The operational flow is as follows:

• Immediate (within seconds): when you confirm deletion in Settings, your account is locked, all active sessions and refresh tokens are revoked, and the email address on your account is replaced with a placeholder so it cannot be reused for sign-in. You will receive a confirmation email with a cancel link.
• Grace period (30 days): the cancel link in that email lets you reverse the deletion any time within 30 days. During this window your data is preserved on our servers. You cannot access it because you are signed out and locked out, and we do not access it either, except where required by law.
• Hard deletion (after 30 days): an automated daily process removes your trades, journal entries, AI insights, screenshots (Cloudflare R2), settings, profile, and finally your sign-in credentials.
• Anonymisation (instead of deletion):content that is part of another user's view, namely comments you wrote on another user's shared trades and shared trades of yours that others have engaged with, is anonymised rather than deleted. Your name and account link are removed; the content stays attributed to "Deleted user". This is permitted under Art. 6 Abs. 4 nDSG (anonymisation is equivalent to destruction) and balances proportionately against the legitimate interests of the other users (Art. 6 Abs. 2 nDSG).
• Backups:the project is currently on Supabase's free plan, which does not maintain database backups, so database deletion is final at the row level once the hard-deletion step completes. If we move to a paid plan in the future, we will update this policy with the actual backup-rotation window.
• External processors:
  • Cloudflare R2 (screenshots): objects under your user prefix are deleted directly by our deletion process.
  • Anthropic(AI insights): when you request an AI insight we send the relevant trade data to Anthropic's API. Anthropic retains API logs for 30 days under their default policy and does not use API data to train their models. Anthropic does not currently expose a programmatic per-user deletion endpoint; if you want a stronger deletion guarantee, contact us at support@edge-finder.app and we will submit a manual deletion request to their privacy team.
  • Sentry, Vercel: server logs and error traces rotate out under each processor's retention policy.
• Audit log: a single hashed log entry confirming the deletion (request id, hash of your user id, timestamps) is kept for 24 months. It cannot be used to reconstruct your identity. Legal basis: overriding private interest in being able to demonstrate compliance and defend against abuse claims (Art. 31 Abs. 1 nDSG) and, for users in the EU/EEA, legitimate interest under GDPR Art. 6(1)(f).

At the end of the hard deletion you receive a final confirmation email at the address that was on the account, containing a deletion reference id you can keep for your records.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include transport encryption (TLS), encryption of sensitive credentials at rest, role-based database access with row-level security, and regular review of access rights.

Despite these measures, no method of transmission or storage is completely secure. We will notify affected users and competent supervisory authorities of any data breach in accordance with applicable law.

11. Your Rights

Under the Swiss Federal Act on Data Protection and, where applicable, the GDPR, you have the right to:

• Request information about the personal data we hold about you (Art. 25 nDSG / Art. 15 GDPR)
• Request correction of inaccurate or incomplete data (Art. 32 Abs. 1 lit. a nDSG / Art. 16 GDPR)
• Request deletion of your data (Art. 32 Abs. 1 lit. c nDSG / Art. 17 GDPR). You can also initiate this yourself at any time via Settings → Delete Account
• Request restriction of processing (Art. 18 GDPR for users in the EU/EEA)
• Object to processing based on our legitimate interests (Art. 30 nDSG / Art. 21 GDPR)
• Receive your data in a structured, commonly used and machine-readable format (Art. 28 nDSG / Art. 20 GDPR). You can also export it yourself at any time via Settings → Export Your Data
• Withdraw any consent you have given, with effect for the future
• Lodge a complaint with a competent supervisory authority, in particular the Swiss Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch) or the supervisory authority of your country of residence in the EU/EEA

To exercise any of these rights that aren't available directly in Settings, contact us at support@edge-finder.app. We will respond within 30 days. We may ask you to verify your identity before acting on a request in order to protect your data.

12. Cookies and Similar Technologies

Edge Finder uses only strictly necessary cookies and local storage entries that are required for the Service to function. These include authentication session cookies, security tokens and user interface preferences. We do not use third-party advertising cookies, cross-site tracking, or analytics that profile individual users.

13. Children

Edge Finder is not directed to and may not be used by individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe that a minor has provided us with personal data, please contact us so we can delete it.

14. Automated Decision-Making

We do not use your personal data for automated decision-making that produces legal effects concerning you or similarly significantly affects you. The AI insights generated when you click the AI insight action are informational only: they describe patterns in your past trading and offer commentary; they do not place trades for you, do not change your account state, and you are not bound by their content.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to our processing activities or to applicable law. Changes will be posted on this page with an updated revision date. Material changes that affect your rights will be communicated to active users by email or via an in-app notice.

16. Contact

For questions about this Privacy Policy or your personal data, contact us at support@edge-finder.app.