Privacy Policy
Last updated: March 21, 2026
1. Introduction
Mnemosyne ("we", "us", "our") operates the trading journal platform at mnemosyne.live. This Privacy Policy explains how we collect, use, store, and protect your personal information when you use our Service.
We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.
2. Data Controller
The data controller for the purposes of the GDPR is Mnemosyne. For any data protection inquiries, contact us at support@contact.mnemosyne.live.
3. Information We Collect
3.1 Identity & Authentication
- Account information: first name, last name, and email address when you register.
- Authentication data: password (stored as a cryptographic hash using PBKDF2-SHA256) and OAuth2 access/refresh tokens for session management.
3.2 Trading Activity
- Trade data: trade entries, exits, P&L, top-down analyses, execution details, updates, reviews, and backtesting sessions you submit through the Service.
- Account & financial data: trading accounts you configure, equity snapshots (daily, weekly, and monthly), and transactions.
- Market analysis: analyses with sections, daily and weekly profiles, and topics of study.
3.3 User Preferences & Configuration
- Trading preferences: assets/watchlist, entry patterns, mistakes, PD arrays, session ranges, retail patterns, low probability factors, and in-trade feelings.
- Psychological & physical state: general psychology state and physical state (per trading day), if you choose to record them.
3.4 Media Uploads
- Images: chart screenshots for trades, analyses, and assets, stored as image files on secure cloud storage.
3.5 Support Communications
- Contact form submissions: category, subject, and message content when you contact support.
3.6 Information Collected Automatically
- Analytics data: we use Umami, a privacy-focused analytics tool, to collect anonymous usage statistics such as page views, referrer URLs, browser type, device type, and country. Umami does not use cookies and does not collect personally identifiable information.
- Error monitoring data: when an error occurs, our error tracking service (Sentry) may collect your IP address, request headers, and basic user details for debugging purposes. See Section 6 for details.
- Authentication token: a session token stored in a browser cookie to keep you logged in (see our Cookie Policy).
4. Legal Basis for Processing (GDPR)
We process your personal data on the following legal bases:
| Purpose | Legal Basis |
|---|---|
| Providing the trading journal service | Contract performance (Article 6(1)(b)) |
| Equity tracking & P&L calculations | Contract performance (Article 6(1)(b)) |
| Email verification & password resets | Legitimate interest — account security (Article 6(1)(f)) |
| Economic calendar data display | Legitimate interest — service feature (Article 6(1)(f)) |
| Error monitoring & debugging | Legitimate interest — service reliability (Article 6(1)(f)) |
| Anonymous analytics | Legitimate interest — service improvement (Article 6(1)(f)) |
Where required, we will ask for your explicit consent before processing data for purposes not covered above (Article 6(1)(a) GDPR).
5. How We Use Your Information
We use your information to:
- Provide, maintain, and improve the Service;
- Authenticate your identity and manage your account;
- Store and display your trading journal data;
- Calculate and track your equity and P&L across daily, weekly, and monthly timeframes;
- Send email verification and password reset emails;
- Display economic calendar data relevant to your configured assets;
- Monitor and debug errors to ensure service reliability;
- Respond to support requests and communications;
- Analyze anonymous usage patterns to improve the Service.
We do not use your data for advertising, profiling, or automated decision-making. We do not sell your personal data to third parties.
6. Data Sharing & Third Parties
We do not sell, rent, or trade your personal information. We share data only with the following service providers, strictly for the purposes described:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Scaleway (S3) | File storage | Uploaded images (chart screenshots, asset images) | Paris, France (EU) |
| Sentry | Error tracking | IP address, request headers, user details (when errors occur) | EU (Frankfurt) |
| Resend | Transactional emails | First name, email address | United States |
| Forex Factory | Economic calendar source | No user data sent (one-way data fetch) | N/A |
We may also disclose data when required by law, court order, or governmental regulation, or to protect the rights, property, or safety of Mnemosyne, our users, or the public.
7. Data Retention
We retain your data as follows:
| Data Type | Retention Period |
|---|---|
| User account & all associated data | Kept until you request deletion |
| OAuth2 tokens | Valid until revoked (no automatic expiry) |
| Email verification & password reset tokens | Expire after 1 day |
| Uploaded images (S3) | Deleted when the parent record is deleted |
| Sentry error logs | Per Sentry's retention policy (90 days default) |
| Analytics data | Anonymous and aggregated; not linked to your account |
8. Your Rights (GDPR)
Under the GDPR, you have the following rights regarding your personal data:
| Right | How to Exercise |
|---|---|
| Access (Art. 15) | View this page or request a data export |
| Data Portability (Art. 20) | Use the data export feature in your account settings to download all your data as JSON |
| Erasure (Art. 17) | Use the account deletion feature in your account settings to permanently delete your account and all associated data |
| Rectification (Art. 16) | Contact support@contact.mnemosyne.live to correct any inaccurate data |
| Restriction / Objection | Contact support@contact.mnemosyne.live |
| Withdraw consent | Where processing is based on consent, you may withdraw it at any time by contacting support |
We will respond to all rights requests within 30 days. You also have the right to lodge a complaint with a supervisory authority in the EU member state where you reside or where the alleged infringement occurred.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Passwords hashed with PBKDF2-SHA256 (never stored in plaintext);
- OAuth2 token-based authentication;
- Encrypted data transmission (HTTPS enforced in production);
- CORS restricted to mnemosyne.live and app.mnemosyne.live in production;
- Rate limiting on registration (5/hour), email verification (3/min), and password reset (3/min);
- Disposable email addresses blocked at registration;
- Access controls limiting who can access user data.
While we strive to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
10. International Data Transfers
Your data is primarily processed and stored within the European Union. File storage (Scaleway) is located in Paris, France, and error tracking (Sentry) ingests data in Frankfurt, Germany.
Transactional emails are processed by Resend, which operates in the United States. For this transfer, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission, to ensure your data is protected to EU standards.
11. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from a person under 18, we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or through the Service at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions or to exercise your data rights, contact us at support@contact.mnemosyne.live.