Privacy Policy

Last Updated: January 20, 2026

1. Introduction

Welcome to M1NDTR8DE ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our trading psychology platform.

M1NDTR8DE is a trading psychology platform designed to help traders identify emotional patterns, improve trading discipline, and enhance mental performance through AI-powered insights and analytics.

2. Information We Collect

2.1 Account Information

When you create an account through our authentication provider (Clerk), we collect:

  • Email address (required)
  • First and last name
  • Profile image (optional)
  • Username (chosen by you for our referral system)
  • Unique user identifier

2.2 Trading Data

You voluntarily provide trading information that may include:

  • Trade history (entry/exit prices, volume, profit/loss)
  • Trading timestamps and duration
  • Instrument details (stocks, forex, options, etc.)
  • Broker account names
  • Personal notes and psychological reflections on trades
  • Upload history from CSV/Excel imports

2.3 Subscription and Payment Information

For paid subscriptions, we collect:

  • Subscription plan (Basic, Pro, Elite, Ultimate, Founding Member)
  • Trial status and expiration dates
  • Payment provider customer ID and subscription ID (Stripe or Paddle)
  • Promo code redemption history

Note: Payment processing is handled by Stripe or Paddle, depending on your region. We do not store your credit card information on our servers. Paddle acts as our Merchant of Record for certain regions, handling VAT collection, invoicing, and payment processing. Please review their respective privacy policies.

2.4 Usage Data and Analytics

We use PostHog (EU Cloud, Frankfurt, Germany) for product analytics:

  • Page views and navigation patterns
  • Feature usage statistics
  • User actions (upgrade clicks, checkout events)
  • Session information (with input masking enabled)
  • Device type and browser information
  • General location data (country/region only, IP anonymized)

Privacy Measures: PostHog is configured with enhanced privacy settings including autocapture disabled (manual tracking only), input field masking, email/password sanitization, and IP anonymization. All data is stored on PostHog's EU Cloud infrastructure in compliance with GDPR.

We also use Plausible Analytics for privacy-focused traffic analytics:

  • Aggregate page views and visitor counts
  • Referrer sources (where visitors come from)
  • UTM campaign parameters (marketing attribution)
  • Outbound link clicks
  • File downloads (CSV exports, etc.)
  • Country-level location (no city/region data)

Privacy Measures: Plausible does not use cookies, does not collect personal data, and does not track individual users. All data is aggregated and anonymous. Plausible is EU-based and fully GDPR compliant without requiring a consent banner.

2.5 Referral and Fraud Prevention Data

To maintain the integrity of our referral program, we collect:

  • Referral codes and relationships
  • IP addresses (for fraud detection only)
  • Device fingerprints (hashed, non-reversible)
  • Referral status (pending, completed, fraud-flagged)
  • XP points and leaderboard participation (opt-in only)

2.6 Communications

  • Feedback submissions and feature requests
  • Support communications via email
  • Screenshots or attachments you provide with feedback

2.7 Email Preferences

We collect and store your email communication preferences:

  • Marketing Consent: Your opt-in/opt-out preference for marketing emails (tips, feature updates, trading insights)
  • Marketing Consent Timestamp: When you last changed your marketing preference
  • Transactional Email Status: Always enabled for essential account communications

Note: You can update your email preferences at any time in your profile settings. Unsubscribing from marketing emails will not affect transactional emails (receipts, security alerts, account notifications).

3. How We Use Your Information

We use the collected information for the following purposes:

  • Service Delivery: To provide, maintain, and improve our trading psychology platform
  • AI Coach Insights: To generate personalized psychological insights (requires your consent via the coach consent flag)
  • Analytics: To create trading performance metrics, charts, and pattern recognition
  • Account Management: To manage your subscription, trial periods, and account preferences
  • Payment Processing: To process subscription payments via Stripe
  • Referral Program: To track and reward referrals, prevent fraud, and maintain leaderboard rankings
  • Communication: To send service-related notifications, respond to support requests, and provide customer service
  • Product Improvement: To analyze usage patterns and improve features
  • Security: To detect, prevent, and address fraud, abuse, or security issues

4. Third-Party Services

We use the following third-party services to operate our platform:

Clerk (Authentication)

Handles user authentication, session management, and account security.

Privacy Policy: https://clerk.com/privacy

Railway (Application Hosting - EU)

Hosts our application on European infrastructure (eu-west region). All application traffic is processed within the European Union.

Privacy Policy: https://railway.app/legal/privacy

Supabase (Database - EU)

Stores your account data, trading history, and application data on European infrastructure. Data is encrypted at rest and transmitted over SSL.

Privacy Policy: https://supabase.com/privacy

PostHog (Product Analytics - EU Cloud)

Provides privacy-focused product analytics. Data is stored in the EU (Frankfurt, Germany) for GDPR compliance.

Privacy Policy: https://posthog.com/privacy

Plausible (Traffic Analytics - EU)

Privacy-focused website analytics. Does not use cookies or collect personal data. Tracks only aggregate page views, referrers, and campaign performance.

Privacy Policy: https://plausible.io/privacy

Stripe (Payment Processing)

Processes subscription payments securely. We do not store your payment card information.

Privacy Policy: https://stripe.com/privacy

Paddle (Payment Processing & Merchant of Record)

Acts as Merchant of Record for certain regions, handling payment processing, VAT/sales tax collection, invoicing, and subscription management. Paddle handles all tax compliance obligations on our behalf.

Privacy Policy: https://www.paddle.com/legal/privacy

Klaviyo (Email Marketing & Communications)

Handles transactional emails (receipts, notifications) and marketing communications. You can manage your email preferences in your profile settings or unsubscribe from marketing emails at any time.

Privacy Policy: https://www.klaviyo.com/legal/privacy-notice

Anthropic (AI Trading Coach - Claude API)

Powers our AI Trading Coach feature. Processes your trading data, journal entries, and psychological reflections to generate personalized coaching insights and pattern analysis. This processing occurs only when you have explicitly enabled coach consent in your profile settings.

Important: Under our commercial agreement with Anthropic, your data submitted through the Claude API is not used to train AI models. Your trading data and personal reflections remain confidential and are used solely to provide you with coaching insights.

Privacy Policy: https://www.anthropic.com/privacy
Commercial Terms: https://www.anthropic.com/legal/commercial-terms

5. Cookies and Tracking Technologies

We use the following cookies:

Referral Tracking Cookie

Name: referral

Purpose: Tracks the username of the user who referred you

Duration: 1 hour

Type: First-party, SameSite: Lax

Device Fingerprint Cookie

Name: deviceFingerprint

Purpose: Prevents referral fraud by identifying unique devices (hashed, non-reversible)

Duration: 1 hour

Type: First-party, SameSite: Lax

Founder Code Cookie

Name: founderCode

Purpose: Stores founder invite codes for special access

Duration: 7 days

Type: First-party, httpOnly, secure, SameSite: Lax

UI Preference Cookie

Name: sidebar-state

Purpose: Remembers your sidebar visibility preference

Duration: Persistent (client-side only)

Type: First-party

Clerk Session Cookies

Purpose: Manages authentication sessions

Provider: Clerk (third-party)

Note: Plausible Analytics does not use cookies or any form of persistent client-side storage. It operates entirely without cookies, making it GDPR compliant without requiring user consent for analytics.

You can control cookies through your browser settings. However, disabling cookies may limit your ability to use certain features of our platform.

6. Data Retention

  • Account Data: Retained until you delete your account
  • Trading Data: Retained until you delete your account or manually delete trades
  • PostHog Analytics Events: Retained for up to 7 years for business analytics
  • PostHog Session Recordings: Retained for 3 weeks, then automatically deleted
  • Referral Tracking Cookies: Cleared after 1 hour or upon successful conversion
  • Backup Data: May persist in backups for up to 90 days after deletion

7. Data Security

We implement industry-standard security measures to protect your information:

  • SSL/TLS encryption for all data in transit
  • Data encryption at rest in Supabase PostgreSQL database
  • Secure authentication via Clerk with session management
  • Input field masking in PostHog session recordings
  • Regular security updates and monitoring
  • Restricted access to personal data (authorized personnel only)
  • Device fingerprinting and IP logging for fraud prevention

While we strive to protect your information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

8. Your Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights:

  • Right to Access: Request a copy of the personal data we hold about you
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of your personal data (account deletion available in profile settings)
  • Right to Data Portability: Request your data in a machine-readable format
  • Right to Restrict Processing: Request limitation on how we use your data
  • Right to Object: Object to certain processing activities
  • Right to Withdraw Consent: Withdraw consent for AI coach insights or leaderboard participation at any time

To exercise any of these rights, please contact us at hello@m1nd.app. We will respond within 30 days.

Account Deletion: You can delete your account directly from your profile settings. This will permanently remove all your personal data, trading history, and associated records from our systems.

9. Automated Decision-Making and Profiling

9.1 AI Coach Profiling

Our AI Trading Coach analyzes your trading data, journal entries, and psychological reflections to identify patterns and provide personalized coaching insights. This constitutes "profiling" under GDPR Article 4(4), as we process personal data to analyze and predict aspects of your trading behavior and psychology.

What the AI Coach analyzes:

  • Trading patterns (entry/exit timing, win/loss ratios, position sizing)
  • Emotional patterns from journal entries
  • Behavioral tendencies over time
  • Psychological triggers and biases

9.2 Not Automated Decision-Making Under Article 22

Important: The AI Coach provides advisory insights only. It does NOT make automated decisions that produce legal effects or similarly significantly affect you. Specifically:

  • AI insights are suggestions and observations, not binding decisions
  • You retain full control over all trading and financial decisions
  • The AI does not execute trades or take actions on your behalf
  • Subscription status and account access are managed by human-reviewed systems

Therefore, the AI Coach profiling does not fall under GDPR Article 22 restrictions on automated individual decision-making.

9.3 Your Control Over AI Profiling

You have full control over whether AI profiling is performed on your data:

  • Opt-in Required: AI Coach profiling requires your explicit consent via the "Coach Consent" toggle in your profile settings
  • Withdraw Anytime: You can disable coach consent at any time, which immediately stops AI analysis of your data
  • Data Access: You can request a copy of all AI-generated insights about your trading patterns
  • No Adverse Effects: Disabling AI profiling does not affect your access to other platform features (journal, analytics, trade tracking)

10. Data Sharing and Disclosure

We do not sell your personal information. We may share your information only in the following circumstances:

  • Service Providers: With third-party services listed in Section 4 to operate our platform
  • Leaderboard (Opt-In Only): Your username and XP points if you enable the "Show on Leaderboard" setting
  • Legal Compliance: When required by law, court order, or government regulation
  • Safety and Security: To protect against fraud, abuse, or security threats
  • Business Transfers: In the event of a merger, acquisition, or sale of assets (you will be notified)

11. Children's Privacy

Our service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us, and we will take steps to delete such information.

12. International Data Transfers

EU-Based Infrastructure: Your data is primarily stored and processed within the European Union. We use EU-based infrastructure for GDPR compliance:

  • Railway (EU-West): Application hosting
  • Supabase (EU): PostgreSQL database
  • PostHog (Frankfurt, Germany): Product analytics
  • Plausible (EU): Traffic analytics

12.1 Services with Non-EU Data Processing

The following services may process data outside the European Economic Area:

  • Clerk (Authentication): US-based. We have a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) in place.
  • Stripe (Payment Processing): US-based with EU data residency options. Certified under the EU-US Data Privacy Framework.
  • Paddle (Merchant of Record): UK-based. Operates under the UK GDPR adequacy decision.
  • Klaviyo (Email Marketing): US-based. We have a DPA with SCCs in place.
  • Anthropic (AI Coach): US-based. We have a commercial agreement that includes data protection provisions. Your data is not used for AI training purposes.

12.2 Transfer Safeguards

For transfers outside the EEA, we ensure appropriate safeguards are in place through:

  • EU-approved Standard Contractual Clauses (SCCs)
  • EU-US Data Privacy Framework certification (where applicable)
  • UK adequacy decision (for UK-based processors)
  • Data Processing Agreements (DPAs) with all service providers

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by updating the "Last Updated" date at the top of this policy. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: hello@m1nd.app

Discord Community: Available via our website

Social Media: Twitter/X (@m1ndtr8de)

By using M1NDTR8DE, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your information as described herein.

For other legal information, see our Terms of Service and Imprint.