Privacy Policy

What we touch. And what we never will.

Effective: June 23, 2026 · Version: 1.0

This document is operator-approved. Counsel review is pending.

The short version
  • Local-first. Your trade records, journal entries, attachments, exports, and encrypted local database all live on your Device, encrypted at rest with AES-256 via SQLCipher. We do not host a copy. We could not produce them in response to a subpoena because we do not have them.
  • Limited server-side data. Account, billing (via Stripe — we never see card numbers), session metadata, tier-enforcement telemetry, acceptance log, and your support emails. That's it.
  • No selling. No AI training. No retargeting. We don't sell or rent your data. We don't use it to train any machine-learning model. No ad pixels in the desktop Software.
This Privacy Policy applies to the Trade Cortex Public Edition. In the event of any inconsistency between this Privacy Policy and Section 13 of the Terms of Service, the Terms of Service controls.

1. Who We Are

We are Ceylon Analytics Corp, a corporation organised under the laws of the State of New York, United States of America. In this Privacy Policy we refer to ourselves as “Ceylon Analytics,” “the Company,” “we,” “us,” or “our.” You can reach us at ceylonanalytics@gmail.com.

The Company is the data controller (in the European-and-UK sense) for the personal data we collect through your use of the Software and Services.

2. Scope

This Privacy Policy describes how we collect, use, store, share, and protect personal data of users of:

  • the Trade Cortex Public Edition desktop application;
  • the Ceylon Analytics website at https://ceylonanalytics.com and any subdomain thereof; and
  • the Services (license verification, billing, support, etc.) that support the Software.

This Privacy Policy does not describe the privacy practices of any third-party service the Software interacts with (Polygon.io, Yahoo Finance, Stripe, Twilio, Resend, Cloudflare, Google Drive, or your broker-dealer). Your use of those services is governed by their own privacy policies, which we have linked in Section 8.

3. The Local-First Design — What We Do Not Have

Most of what you put into the Software stays on your Device. The Software is built on a local-first architecture: your trade records, journal entries, attachments, broker-file uploads, processed daily logs, exported reports, encrypted local database, and configuration files all live on your computer, encrypted at rest with AES-256 via SQLCipher.

As a direct consequence, we do not have and cannot access:

  • the contents of your trade journal, including individual trade records, P&L figures, sub-account balances, or notes;
  • broker-account credentials (we do not connect to any broker on your behalf);
  • the contents of any attachment, screenshot, chart image, or exported PDF you create within the Software;
  • the contents of your encrypted local database;
  • your master password; or
  • the cleartext of your 12-word BIP39 recovery phrase.

This is not a promise we make and could break by changing our minds. It is an architectural property: the data never leaves your Device in a form we could read. We could not produce your trade journal in response to a subpoena because we do not have it.

4. The Data We Do Collect

We collect only what we need to operate the Software and Services. The categories are listed below; each category links to the lawful basis (for GDPR / UK GDPR purposes) and the retention period that applies.

4.1 Account and License Information

  • Your username (chosen by you at activation).
  • Your email address (provided by you at activation and used for licensing, billing, and support).
  • Your License Key (issued by us).
  • Your Subscription Tier (Trial, Scout, Alpha, or Ace).
  • Your subscription status (active, paused, expired, deactivated).
  • Your billing-cycle dates (next renewal, last invoice date).
  • Where the Software is bound to a phone number, the phone number on file.

Lawful basis: contract (Art. 6(1)(b) GDPR). Retention: for the duration of your active subscription plus three (3) years after termination (longer if required for tax, audit, or legal-hold purposes).

4.2 Authentication Artefacts

  • A one-way PBKDF2-HMAC-SHA256 hash of your password (with per-account salt). We never store the password itself, in any form that can be reversed.
  • A one-way salted SHA-256 hash of your 12-word BIP39 recovery phrase, used only to verify the phrase during password reset. We never store the cleartext phrase, in any form.
  • Recovery-phrase change events (timestamp + IP, no phrase content).

Lawful basis: contract. Retention: for the duration of your active subscription plus three (3) years.

4.3 Session and Telemetry Metadata

  • Session start and end times, IP address, user-agent, software version, operating system, and country derived from IP.
  • A derived “Device installation identifier” that we use only to render the “current Session” display and to detect simultaneous-Session abuse. This is not a hardware fingerprint and is not stable across reinstalls.
  • The subscription-gated features exercised in a given Session (“Features-Used Reports”). This contains feature identifiers (for example, smart_categorizer, strategy_lab) — not the contents, parameters, or outputs of those features.
  • A cryptographic hash of the Software's running executable, used to detect tampering of the Software binary.
  • Where the Software was activated through the marketing website, the referrer URL (where you came from), and the first-touch UTM parameters.

Lawful basis: legitimate interest (Art. 6(1)(f) GDPR) — operating the Services, enforcing the licensing model, and detecting abuse. You may opt out of the Features-Used Reports and binary-integrity hashes only by ceasing to use the Software (these telemetry streams are integral to the licensing model). Retention: eighteen (18) months in granular form; longer in aggregated, anonymised form for product-improvement purposes.

4.4 Terms-of-Service Acceptance Log

For each time you accept this Privacy Policy or the Terms of Service:

  • your username;
  • the document version accepted (we keep the immutable hash of the document you saw at the moment you accepted);
  • the IP address and user-agent at the moment of acceptance; and
  • the timestamp.

Lawful basis: contract (proof of acceptance) + legitimate interest (proof in dispute). Retention: the duration of your active subscription plus seven (7) years after termination.

4.5 Billing Artefacts

The Software's billing is processed through Stripe, which is the data controller for cardholder data. We never see and never store full card numbers, CVV codes, full bank-account numbers, or full ACH details. On the Company side we keep, per subscription:

  • the Stripe customer identifier and subscription identifier;
  • the most recent invoice identifier;
  • the last four digits of the payment method, the card brand, and the expiry month/year;
  • the billing address if you provided one (used for sales-tax determination); and
  • the chargeback / dispute history.

For payments processed through any future payments processor (PayPal, etc.) we store analogous identifiers and only the last-four / brand of the underlying method.

Lawful basis: contract + legal obligation (tax recordkeeping). Retention: seven (7) years (the federal tax-recordkeeping default).

4.6 Trial-Wipe Receipts (Public Edition Only)

At the moment the Trial-Expiry Wipe described in Section 5 of the Public Terms of Service fires, the Software sends us a small “wipe receipt” file containing:

  • the timestamp of the wipe;
  • the License Key (so a future support enquiry can confirm which License Key wiped this Device); and
  • a checksum of the deletion ledger.

The wipe receipt contains no User Data. It contains no enumeration of the files that were wiped.

Lawful basis: contract + legitimate interest (operational audit of the wipe mechanism). Retention: eighteen (18) months.

4.7 Support Correspondence

When you contact us at ceylonanalytics@gmail.com:

  • your email address;
  • the body of your email and any attachment you send;
  • our reply; and
  • any subsequent correspondence in the same thread.

Lawful basis: contract + legitimate interest (we have to read your email to answer it). Retention: the longer of three (3) years or the duration of your active subscription. Support attachments containing sensitive trade data will be deleted on request — see Section 13.

4.8 Optional Cloud Sync (Google Drive Backup)

If you enable the optional Google Drive backup, the Software writes encrypted backups to your Google Drive account using credentials you supply. We do not:

  • store, mirror, or read those backups;
  • have ongoing access to your Google account;
  • receive a copy of the OAuth refresh token (the token is stored locally on your Device by Qt's secure-storage and is used only by the Software running on your Device);
  • write to any folder of your Google Drive that you did not explicitly approve.

Lawful basis: consent (Art. 6(1)(a) GDPR) — opt-in only. Retention: we hold no copy; retention is governed entirely by Google's own policies and your settings.

4.9 Marketing-Email Recipient List (Opt-In Only)

If you affirmatively opt into our product-update mailing list (either at the time of activation or on the marketing website), we store:

  • your email address;
  • the date and IP of opt-in;
  • your opt-in / opt-out preferences per category; and
  • a hash of bounce / unsubscribe events.

We never auto-enrol you. The license-relationship transactional emails (renewal reminders, password-reset codes, security notices) are not marketing and are sent regardless of marketing opt-in status.

Lawful basis: consent. Retention: until you withdraw consent (an unsubscribe link is at the bottom of every marketing email).

5. What We Do Not Collect

We have intentionally designed the Software so that certain categories of data cannot be collected from you. We do not:

  • read the contents of your trade journal, attachments, screenshots, or charts;
  • read your master password or recovery phrase;
  • request, store, or have access to your broker-dealer credentials;
  • request, store, or have access to your bank-account information (Stripe handles payment-method storage on our behalf);
  • store cleartext credit-card numbers, CVVs, or magstripe data;
  • run any third-party advertising SDK or marketing pixel inside the desktop Software;
  • track your activity across other applications or websites;
  • sell or rent your personal data to anyone, ever; or
  • use your User Data to train any general-purpose machine-learning model. We may use anonymised, aggregated usage statistics for product-improvement purposes (e.g., “23% of active users opened the Strategy Lab in May”).

6. How We Use the Data

We use the data described in Section 4 only for these purposes:

PurposeData used
Verify your License Key and Subscription Tier4.1, 4.2
Process subscription payments and renewals4.1, 4.5
Detect and prevent fraud, abuse, and binary tampering4.1, 4.3, 4.4
Enforce tier entitlements4.1, 4.3
Operate the password-reset / recovery flow4.1, 4.2
Send renewal reminders, security notices, and other transactional emails4.1
Provide customer support4.1, 4.7
Comply with tax, audit, and legal obligations4.1, 4.5
Prove your acceptance of the Terms in case of dispute4.4
Audit the Trial-Wipe mechanism (Public Edition only)4.6
Send opt-in product updates (only with consent)4.9
Improve the Software (anonymised, aggregated only)4.3

We do not use your data for:

  • behavioural advertising or retargeting;
  • selling, renting, or sharing with data brokers;
  • training general-purpose machine-learning models;
  • profiling or automated decision-making with legal or similarly significant effects on you (Art. 22 GDPR).

7. Sharing — Who Else Touches the Data

We share the categories of personal data described in Section 4 only with:

7.1 Sub-Processors (Service Providers)

We rely on the following sub-processors to operate the Services. Each is contractually bound to use the data only on our instructions:

Sub-processorRoleWhat they see
CloudflareHosting Workers, KV, D1, R2 (back-end APIs and storage)Sessions, license records, telemetry, billing pointers, support data — encrypted in transit
StripePayment processingCard details, billing addresses, payment history
TwilioOne-time SMS codes for password reset and OTP verificationPhone numbers on file, one-time codes
ResendTransactional and (opt-in) marketing emailRecipient email, subject, body
Sentry (if enabled)Crash and error reportingStack traces, IP, software version — no User Data
GitHubSoftware-update binary hosting (signed installer)Anonymised download counts

7.2 Legal Compliance

We may disclose personal data when required to do so by valid legal process (subpoena, court order, regulatory request) or to protect (a) the safety of any person, (b) the security or rights of the Company, or (c) the integrity of the Services. Where lawful, we will notify you of the request before disclosing.

7.3 Business Transfers

If the Company is acquired, merges with, or sells substantially all its assets to another entity, your data may be transferred as part of that transaction. We will notify you (by email, in-product notice, or website notice) before any such transfer takes effect, and you will have the option to delete your account before the transfer.

7.4 Aggregated / De-Identified Data

We may share aggregated or de-identified statistics (e.g., “X% of users use Smart Categorizer monthly”) with prospective investors, employees, advisors, or in marketing materials. Such data cannot reasonably be re-identified as you.

8. Third-Party Services the Software Talks to on Your Behalf

The Software, when running on your Device, may make outbound requests to third-party services on your instruction. The privacy practices of those services are governed by their own privacy policies. We have no control over them:

  • Polygon.io (now “Massive”) — market data, fetched directly from your Device using the API key you supply (Bring-Your-Own-Key); we do not receive or store the market data, and your key is held encrypted on your Device (massive.com/legal · polygon.io/legal/privacy-policy)
  • Yahoo Finance — supplementary / current-day market data. Unlike the above, these requests are made through our Cloudflare Worker (so they work in regions that block Yahoo and so one cached response serves multiple users); the security symbol you request transits our servers for that purpose. We do not associate the symbol with your identity or store it beyond transient edge caching. (legal.yahoo.com/us/en/yahoo/privacy/)
  • Google Drive — optional encrypted backup (policies.google.com/privacy)
  • Your broker-dealer — for log files you upload; we never connect to a broker on your behalf

If you do not want the Software to make outbound requests to any of these third parties, you can disable the relevant feature in Settings; the Software will continue to function for the local features that do not require an outbound call.

9. Where We Store the Data

The data we do collect is stored on infrastructure operated by Cloudflare. Cloudflare's data-storage infrastructure is globally distributed; the practical primary region for our deployments is the United States. Encryption-in-transit (TLS 1.2+) and encryption-at-rest are applied.

If you are located in the European Economic Area, the United Kingdom, or Switzerland, your personal data is transferred to and processed in the United States. We rely on Cloudflare's standard contractual clauses and supplementary measures (Article 28 GDPR Data Processing Addendum + EU-US Data Privacy Framework) as the lawful basis for the transfer.

10. Security

We protect personal data with administrative, technical, and physical safeguards designed to be proportionate to the sensitivity of the data:

  • TLS 1.2+ for all data in transit;
  • AES-256 encryption-at-rest for the local database (SQLCipher, on your Device);
  • PBKDF2-HMAC-SHA256 password hashing with per-account salts;
  • HMAC-signed session tokens server-side, rotated on password change;
  • Strict separation between back-end environments (production vs staging);
  • Least-privilege access for Company personnel; multi-factor authentication required for administrative operations;
  • A documented incident-response plan;
  • Annual review of access logs and sub-processor security posture.

No system is perfectly secure. If we become aware of a security incident affecting your personal data, we will notify you in accordance with applicable law (see Section 14).

11. Children's Privacy

The Software is not directed at children under the age of 13 (in the United States) or under 16 (in some other jurisdictions). We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child without verified parental consent, we will delete it. If you believe a child has provided personal data to us, please contact us at ceylonanalytics@gmail.com.

12. Your Rights — General

You have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data we hold about you.
  • Exporta machine-readable copy of your personal data (“data portability”).
  • Delete your account and personal data, subject to our right to retain (a) data for which we have a continuing legal obligation (e.g., tax records), (b) data necessary to defend against a legal claim, or (c) limited records of the fact and timestamp of the deletion itself.
  • Object to our processing of your personal data for purposes based on legitimate interest.
  • Restrict processing in certain circumstances.
  • Withdraw consent at any time for any processing based on consent.

To exercise any of these rights, email ceylonanalytics@gmail.com from the email address associated with your account. We will respond within thirty (30) days of receipt (we may extend by an additional 60 days for complex or voluminous requests, and we will tell you if we do). We may need to verify your identity before completing a request.

13. Your Rights — State-Specific (United States)

13.1 California (CCPA / CPRA)

If you are a California resident, in addition to the rights in Section 12, you have these specific rights under the California Consumer Privacy Act and California Privacy Rights Act:

  • Right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share it.
  • Right to delete personal information we collected from you, subject to statutory exceptions.
  • Right to correct inaccurate personal information.
  • Right to limit use of sensitive personal information (we do not use sensitive personal information for any purpose other than as strictly necessary to provide the Software and Services).
  • Right to non-discrimination for exercising your rights.
  • Right to opt out of sale or sharing — we do not sell or share your personal information, but if our practice changes we will offer a “Do Not Sell or Share My Personal Information” link before that change takes effect.

To exercise any California right, email ceylonanalytics@gmail.com with the subject line “CCPA Request.” We will verify your identity before responding.

13.2 Virginia, Colorado, Connecticut, Utah, Texas, and Other “Comprehensive Privacy Law” States

If you are a resident of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), or any other US state with a comprehensive privacy law in effect, you have rights analogous to those described in Section 12 — access, correction, deletion, opt-out of targeted advertising, and opt-out of profiling for legal or similarly significant decisions. Same email, same response time, same identity verification.

13.3 New York (NY SHIELD Act)

The Company complies with the data-security requirements of the New York Stop Hacks and Improve Electronic Data Security Act (Gen. Bus. Law § 899-bb). In the event of a breach affecting New York residents' personal information, the Company will notify affected individuals in accordance with the applicable statutory timelines.

13.4 Other States

Other US states have or are developing similar privacy laws. We will honour analogous rights in those states once the relevant law is in effect, even if not specifically enumerated here.

14. Your Rights — International (GDPR / UK GDPR)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the rights set out in Articles 12-22 of the GDPR (or its UK equivalent). These materially overlap with the rights described in Section 12. Where the GDPR provides additional or stronger rights, we honour those.

Lawful bases. Our lawful bases for each processing activity are noted alongside the corresponding category in Section 4.

International transfers. See Section 9.

Supervisory authority. You have the right to lodge a complaint with the supervisory authority in your country.

No EU representative. The Company does not have an establishment in the EU / UK and has not appointed a representative under Article 27 GDPR; the Company does not “target” the EU / UK market within the meaning of Article 3(2) GDPR, but we honour individual EU / UK user rights on request.

15. Cookies and Analytics on the Website

The marketing website at https://ceylonanalytics.com uses:

  • Strictly necessary cookies — required to operate the site (no consent needed).
  • Analytics cookies — Cloudflare Web Analytics (no third-party tracking, no fingerprinting, no cross-site profiling). If you are in the EU / UK we present a cookie banner and ask for consent.

The desktop Software itself does not use cookies — it is a Qt-based desktop application that communicates with our back-end via signed HTTPS requests, not cookies.

16. Marketing Communications

We send three categories of email:

  • Transactional emails (renewal reminders, password-reset codes, security notices). These are tied to your account and cannot be opted out of without closing your account.
  • Service announcements (significant outages, breaking changes, major release notes). Opt-out via the link at the bottom of each such email; opt-out does not affect your account.
  • Marketing emails (product updates, tips, promotional offers). Sent only with your prior opt-in consent. Opt-out via the link at the bottom of each marketing email.

If you participate in the Discord server, Discord is the controller for the data you submit there — see the Discord privacy policy.

17. Security Incident Notification

If we determine that a security incident has compromised your personal data, we will notify you without undue delay and in any event within the timeline required by applicable law (typically, within 72 hours of becoming aware of a breach affecting EU / UK residents, and in accordance with the applicable state breach-notification statute for US residents). The notice will include, to the extent we know at the time: the nature of the incident; the categories of data affected; the steps we have taken in response; and the steps we recommend you take.

18. Changes to This Privacy Policy

We may modify this Privacy Policy from time to time. The current version is published at https://ceylonanalytics.com/legal and is bundled with each new Software installer as PRIVACY_POLICY.md. If we make a material change (a change that materially affects what data we collect, how we use it, who we share it with, or your rights), we will notify you by:

  • an in-app notice on the next launch of the Software;
  • an email to the address on file; and
  • a banner on the marketing website.

Material changes take effect thirty (30) days after the notice is given, unless an earlier date is required by law. If you continue to use the Software after that date you are subject to the modified Privacy Policy. If you do not agree to the change, you may delete your account.

19. Contact Information

For any question about this Privacy Policy, to exercise any right, or to file a complaint:

Ceylon Analytics Corp
Registered in: State of New York, United States of America
General contact: ceylonanalytics@gmail.com
Privacy contact: ceylonanalytics@gmail.com (same mailbox; route the email with subject “Privacy Request”)
Legal page: https://ceylonanalytics.com/terms

We will respond within 30 days.

Ceylon Analytics Corp. All rights reserved.
Privacy Policy v1.0 — Effective June 23, 2026.
This document is operator-approved. Counsel review is pending.