Privacy Policy
Last updated: April 2026
We take your privacy seriously. This policy explains what personal data EdgeGuard collects, why we collect it, how it is used, and what your rights are under the UK GDPR and EU GDPR.
1. Who we are
EdgeGuard is the data controller for the personal data described in this policy. We operate the EdgeGuard web application and landing page at edgeguard.netlify.app.
If you have any questions about this policy or how your data is handled, contact us at: privacy@edgeguard.app
2. What data we collect and why
We collect only the data necessary to provide the service. Below is a full breakdown:
Account registration (app users)
- Email address — used to create and identify your account, and to send account-related messages (e.g. password resets). Legal basis: contract performance (Art. 6(1)(b) GDPR).
- Password — stored as a secure hash by Supabase. We never see your plain-text password.
Trading data (app users)
- Trade records — instrument, direction, size, entry price, stop loss, take profit, P&L, emotional state, exit reason, and timestamp. You provide this yourself when logging trades. Legal basis: contract performance.
- Preferences — your chosen prop firm, account size, currency, and challenge start date. Legal basis: contract performance.
Newsletter subscribers
- Email address — used solely to send you the EdgeGuard newsletter. Legal basis: consent (Art. 6(1)(a) GDPR). You provide explicit opt-in consent at the point of subscription.
- Consent record — the exact consent statement you agreed to and the timestamp, retained as evidence of your consent.
- Subscription source — which page you signed up from (e.g. "landing_page"), for our internal records only.
We do not collect: IP addresses (beyond what Supabase logs for security), location data, payment information, or any special category data.
3. How we use your data
- To operate your EdgeGuard account and display your trading data back to you.
- To send you the EdgeGuard newsletter if you have subscribed (newsletter subscribers only).
- To send essential account emails such as password reset links (app users only).
- To improve the product based on aggregate, anonymised usage patterns.
We will never sell your personal data, share it with third parties for their marketing purposes, or use it for automated decision-making that produces legal or similarly significant effects.
4. Legal bases for processing
- Contract performance (Art. 6(1)(b)) — processing necessary to operate your account and provide the service you signed up for.
- Consent (Art. 6(1)(a)) — newsletter subscriptions. You may withdraw consent at any time; this does not affect the lawfulness of processing before withdrawal.
- Legitimate interests (Art. 6(1)(f)) — security monitoring, fraud prevention, and aggregate analytics. We have balanced these interests against your rights and concluded they do not override your privacy interests.
5. Data sharing and third-party processors
We use the following sub-processors to store and process your data:
- Supabase Inc. — database, authentication, and storage. Data is hosted in the EU (AWS eu-west-1 region). Supabase acts as a data processor under a Data Processing Agreement. See Supabase Privacy Policy.
- Netlify Inc. — web hosting and CDN. Netlify may process standard server access logs. See Netlify Privacy Policy.
We do not share personal data with any other third parties. No data is transferred outside the UK or EEA without appropriate safeguards.
6. Data retention
- Account and trade data — retained for as long as your account is active. If you delete your account, all associated data is permanently deleted from our database within 30 days.
- Newsletter subscriptions — your email and consent record are retained until you unsubscribe. After unsubscribing, your email is suppressed (retained on a do-not-contact list) to honour your opt-out; the rest of your subscription record is deleted within 30 days.
- Server access logs — retained by Netlify for up to 30 days in accordance with their data retention policy.
7. Your rights under GDPR
Under UK GDPR and EU GDPR, you have the following rights:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate data.
- Right to erasure ("right to be forgotten") — you can ask us to delete your data. If you are an app user, you can delete your account directly from the app. If you are a newsletter subscriber, unsubscribing from any email will remove you.
- Right to restriction — you can ask us to limit how we use your data while a dispute is resolved.
- Right to data portability — you can request your data in a structured, machine-readable format (JSON or CSV).
- Right to object — you can object to processing based on legitimate interests at any time.
- Right to withdraw consent — for newsletter subscriptions, you can withdraw consent at any time by clicking "Unsubscribe" in any newsletter email, or by contacting us directly. Withdrawal does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, email us at privacy@edgeguard.app. We will respond within 30 days.
You also have the right to lodge a complaint with your national data protection authority. In the UK, this is the Information Commissioner's Office (ICO). In the EU, contact the supervisory authority in your member state.
8. Cookies
EdgeGuard uses only essential, functional cookies set by our authentication provider (Supabase) to keep you signed in. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. No cookie consent banner is required as no non-essential cookies are used.
9. Security
We take appropriate technical and organisational measures to protect your data, including:
- HTTPS enforced on all connections (HSTS with 1-year duration).
- Row Level Security (RLS) in our database — each user's data is isolated and inaccessible to other users.
- Passwords are hashed using bcrypt by Supabase Auth; we never store or see plain-text passwords.
- Access to the database is restricted to authenticated users only via API key controls.
No system is 100% secure. In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours as required by GDPR.
10. Children's data
EdgeGuard is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us at privacy@edgeguard.app and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date at the top of this page. If the changes are significant, we will notify app users by email. Continued use of EdgeGuard after changes are posted constitutes acceptance of the updated policy.
12. Contact us
For any privacy-related questions, data subject requests, or concerns:
- Email: privacy@edgeguard.app
- Website: edgeguard.netlify.app