The Short Version
- Your trades stay on your computer. Prism Journal is local-first — we never see your trade data, screenshots, notes, or strategies.
- We collect the minimum needed to run the service: your email, a hashed password, and a device identifier so we can enforce your 2-device license.
- We don't sell your data, ever. No advertising, no tracking pixels in the desktop app, no marketing trackers we share with anyone.
- Stripe handles payments. We never see or store your card number.
- You can delete your account anytime by emailing [email protected].
1. Who we are
Prism Journal is a desktop trade journal application for futures traders, operated under the trade name Prism Journal by its funded founder, a sole proprietor with a principal place of business at:
Prism Journal
2093 Philadelphia Pike #1133
Claymont, DE 19703
United States
[email protected]
In this policy, "we," "us," and "our" mean Prism Journal. "You" means anyone who visits our website at prismjournal.net, signs up for an account, or uses the Prism Journal desktop application.
2. What we collect
2.1. Information you give us directly
- Email address. Required to create an account and receive transactional email (password setup, receipts, important service notices).
- Password. We never store your password in plain text. We store only a one-way bcrypt hash that lets us verify a sign-in attempt without ever knowing the actual password — even we cannot recover it.
- Support correspondence. If you email us, we keep the message thread so we can help you and refer back if you contact us again.
2.2. Information our payment processor collects
When you buy Prism Journal, you complete checkout on a Stripe-hosted page. We never see, touch, or store your full card number. Stripe collects payment information directly and gives us back only:
- A transaction ID and amount
- Your email address (for the receipt)
- The last 4 digits of your card and card brand (e.g., "Visa ····4242")
- Whether the payment succeeded, failed, or was refunded
Stripe is a PCI-DSS Level 1 certified payment processor. Their privacy practices are described at stripe.com/privacy.
2.3. License and device information
Your purchase includes a license for two (2) devices. To enforce that limit, the desktop app sends the following information to our license server once — when you first activate a new install:
- A locally-generated device identifier (a random UUID stored in your install folder)
- Your operating system name and version (e.g., "Windows 11")
- The Prism Journal app version (e.g., "1.3.0")
- An approximate "last seen" timestamp, updated on subsequent activations
After activation, the desktop app does not phone home. It runs fully offline. The only network call the app needs is the initial activation; everything else — logging trades, attaching screenshots, computing analytics, generating backups — happens entirely on your own computer.
2.4. Information we collect automatically when you visit our website
When you visit prismjournal.net, our hosting provider (Cloudflare) automatically logs standard server information for security and abuse-prevention:
- IP address
- Browser type and version (User-Agent string)
- Pages visited and the referring URL
- Timestamps
We do not currently use third-party analytics, behavioral tracking pixels, or advertising identifiers on our website. If we add a privacy-respecting analytics service in the future (such as Cloudflare Web Analytics or Plausible — both of which work without cookies and without collecting personal data), we will update this policy and disclose it before turning it on.
3. What we deliberately don't collect
Because Prism Journal is local-first by design, the following data never reaches our servers, regardless of how much you use the app:
- Your trades. Every trade you log lives in a SQLite database file on your own computer (typically at %LOCALAPPDATA%\Programs\Prism Journal\data\trades.db on Windows). We have no copy. We cannot read it. If you delete your computer, the data is gone — there is no cloud sync that we could restore from.
- Your chart screenshots. Stored locally next to the database file, never uploaded to us.
- Your trading notes, model labels, tags, journal entries. Local only.
- Your broker login credentials. We never ask for them. Prism Journal does not connect to any broker API. The only way data enters the journal is when you log a trade manually or upload a CSV export — and the CSV is processed locally in your install, never sent to us.
- Your real name, address, phone number, or other identity data beyond what's strictly required for billing (which Stripe handles, not us).
- Cross-site browsing history or device fingerprinting beyond what's needed to identify which licensed device you're on.
- Microphone, camera, contacts, location, or any other device sensor data.
We can't accidentally leak data we never had. The local-first architecture is the strongest privacy guarantee we can offer, and it's intentional.
4. How we use the information we do collect
We use the limited information described in Section 2 only for these purposes:
- To create and authenticate your account on prismjournal.net so you can sign in, manage your devices, and re-download the installer.
- To process your purchase through Stripe and deliver the product.
- To enforce your 2-device license by checking your device identifier against the registered devices on your account.
- To send you transactional emails related to your account: password setup links, password reset confirmations, purchase receipts, and important service announcements (e.g., a critical bug fix you should update for).
- To respond to support requests when you email us.
- To detect and prevent fraud, abuse, and security threats (e.g., a customer rapidly creating many accounts, suspicious chargeback patterns).
- To comply with legal obligations, including tax record-keeping for purchases.
We do not use your information for advertising, profiling, or to train any machine-learning models. We don't run ad campaigns that target you based on your data, and we don't share it with anyone who does.
5. Who we share information with
We share the limited information described in Section 2 only with these service providers ("subprocessors"), and only to the extent required for them to perform their function for us. Each is bound by a data processing agreement.
| Subprocessor | Purpose | Privacy policy |
|---|---|---|
| Stripe | Payment processing and checkout. Stripe collects payment details directly. | stripe.com/privacy |
| Supabase | Account authentication, license database, and email-link generation. | supabase.com/privacy |
| Cloudflare | Website hosting (Cloudflare Pages), file hosting (R2), DNS, CDN, and DDoS protection. | cloudflare.com/privacypolicy |
| Resend | Sending transactional emails (password resets, receipts, service notices) from [email protected]. | resend.com/legal/privacy-policy |
We do not sell your personal information to anyone, ever. We do not share it with marketers, data brokers, social networks, or advertising networks.
We may disclose information in two narrow situations:
- Legal compliance. If we receive a valid court order, subpoena, or government demand, we may disclose information to the extent legally required. We will challenge overly broad requests where we are able to and notify you in advance unless legally prohibited.
- Business transfer. If Prism Journal is sold, merged, or transferred to another entity, your information would transfer to the acquirer, who would be bound by this policy or a substantially equivalent one. We would notify you before any such transfer takes effect.
6. Cookies and similar technologies
We use a minimal number of cookies, all of which are strictly necessary for the service to function:
- Authentication session cookie — set after you sign in to prismjournal.net, so we can remember you for the duration of your session. Cleared when you sign out or close your browser.
- Security cookies — set by Cloudflare to mitigate bot abuse and detect malicious traffic.
We do not use marketing cookies, advertising IDs, social-media share trackers, behavioral retargeting cookies, or third-party analytics cookies on our website. The desktop application does not use cookies at all.
7. How long we keep data
We keep personal data only as long as needed for the purpose it was collected, plus any legally required retention period.
- Account data (email, hashed password, device list): kept while your account is active. Deleted within 30 days of receiving a valid deletion request.
- Purchase records: retained for seven (7) years to comply with U.S. tax and accounting requirements, then deleted.
- Email correspondence with support: retained for 12 months after the last reply, then deleted.
- Server logs (Cloudflare): retained per Cloudflare's policy, typically 30 days.
- Devices marked inactive: automatically removed from your registered-device list after 60 days of inactivity, freeing the slot.
8. How we protect your information
We use industry-standard security practices to protect your data:
- Encryption in transit. All connections to our website and license server use HTTPS / TLS.
- Hashed passwords. Passwords are stored as bcrypt hashes with per-password salts. We cannot recover them; we can only verify a sign-in attempt.
- Restricted database access. Our database enforces row-level security so each account can only see its own data.
- Principle of least privilege. Only the minimum data needed is collected, and only authorized systems can access it.
- Subprocessor due diligence. We use established, security-audited service providers (Stripe, Supabase, Cloudflare, Resend) for the parts of our infrastructure that handle data.
No system is one hundred percent secure. If a breach affecting your personal data occurs, we will notify affected users without undue delay and as required by applicable law.
9. Your rights
Depending on where you live, you may have the following rights with respect to your personal data:
- Access. You can ask for a copy of the personal data we hold about you.
- Correction. You can ask us to fix inaccurate or incomplete data.
- Deletion. You can ask us to delete your account and associated personal data. (We may retain limited records for tax compliance — see Section 7.)
- Portability. You can ask for your data in a machine-readable format.
- Objection. You can object to specific processing activities.
- Withdraw consent. Where we rely on consent, you can withdraw it at any time.
- No discrimination. We will not deny service, charge different prices, or degrade quality because you exercised a privacy right.
To exercise any of these rights, email [email protected] from the email address on your Prism Journal account. We will respond within 30 days. If you are in the EU/UK and we deny a request, you have the right to complain to your local data protection authority.
9.1. EU / UK users (GDPR)
We process EU/UK personal data under the following lawful bases (GDPR Article 6):
- Contractual necessity for account creation, authentication, license enforcement, and order fulfillment.
- Legitimate interest for fraud prevention, security monitoring, and product improvement based on aggregate non-personal data.
- Legal obligation for tax record-keeping and responding to lawful government requests.
For international transfers from the EU/UK to the United States (where our servers are primarily located), we rely on Standard Contractual Clauses where applicable.
9.2. California users (CCPA / CPRA)
California residents have the right to know what personal information we collect, the right to delete it, and the right to opt out of the "sale" or "sharing" of personal information. We do not sell or share personal information for cross-context behavioral advertising, so the opt-out right is automatically satisfied. We will not retaliate against you for exercising any privacy right.
9.3. Other U.S. state laws
Residents of states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, and Montana) have similar rights. The processes described in Section 9 apply equally to all U.S. residents.
10. International users and data location
Prism Journal operates from the United States. The limited personal data we collect (Section 2) is processed in the United States and in any country where our subprocessors operate. By using our services from outside the United States, you understand that your information will be transferred to and processed in the United States, which may have data protection laws different from those in your country. As described in Section 9.1, we use Standard Contractual Clauses where lawfully required for cross-border transfers.
11. Children's privacy
Prism Journal is intended only for adults (18 years or older). Futures trading is not appropriate for minors, and we do not market our service to children. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has given us personal information, contact us at [email protected] and we will delete it.
12. Changes to this policy
We may update this policy from time to time as our service evolves or as the law changes. The "Last updated" date at the top of this page reflects the most recent revision. For material changes that affect how we collect or use your personal data, we will give you reasonable advance notice — for example by email, by a banner on our website, or by an in-app notification — before the change takes effect. Continued use of Prism Journal after the new policy takes effect means you accept the updated terms.
13. Contact us
Questions, concerns, or privacy-rights requests:
Email: [email protected]
Postal mail:
Prism Journal
2093 Philadelphia Pike #1133
Claymont, DE 19703
United States
We aim to respond to privacy-rights requests within thirty (30) days. If you are an EU/UK resident and you are unsatisfied with our response, you may lodge a complaint with your local data protection authority.
— End of Privacy Policy —