Privacy Policy
Last updated: March 2026
v2026.05.11 · Effective: May 11, 2026
1. Introduction
Itrius is committed to protecting the privacy of its users. This privacy policy describes how we collect, use, store, and protect your personal information when you use our trading journal platform.
2. Data Collected
We collect the following types of data:
- Account information: email address, username, password (hashed)
- Trading data: trade history imported from your connected brokers (positions, P&L, symbols, dates)
- Broker credentials: login credentials for your brokerage accounts (encrypted with AES-256-GCM)
- Usage data: activity logs, interface preferences, notification settings
- Technical data: IP address, browser type, device fingerprint (for security purposes only)
3. Use of Data
Your data is used to:
- Provide and improve trading journal services
- Calculate your performance metrics and statistics
- Sync your trades from your brokerage accounts
- Generate personalized reports and analyses
- Ensure account security (detection of suspicious logins, lockout after failed attempts)
- Send alerts and notifications you have configured
4. Data Security
We take the security of your data very seriously:
- Passwords are hashed with Bcrypt
- Broker credentials are encrypted with AES-256-GCM with key rotation
- Authentication uses short-lived JWT tokens (15 minutes)
- Multi-factor authentication (MFA) is available via TOTP and email
- Communications are encrypted via HTTPS/TLS
- Accounts are locked after 5 failed login attempts
5. Data Sharing
Itrius does not sell your personal data. However, to deliver the features you enable, we transmit certain data to the technical subprocessors listed below. Sharing is strictly limited to what is necessary for the requested functionality.
- AI model providers: when you use the AI coach, briefings or any agent, the content of your requests (prompt text + included trade summaries) is sent to the configured provider (Anthropic, OpenAI, Google, Mistral, Cohere, OpenRouter, xAI, DeepSeek, Moonshot Kimi, MiniMax, Zhipu GLM, NVIDIA NIM, Cerebras, Groq depending on your configuration). You can change providers at any time in your settings or provide your own API key (BYOK).
- Stripe: for payment processing and billing (including billing address and VAT/sales-tax id if applicable).
- MetaAPI: when you connect an MT4 or MT5 broker, MetaAPI acts as a read-only technical bridge to your broker account.
- Connected brokers (Interactive Brokers, Binance, Bybit, DxTrade, TradeLocker): when you enable sync, Itrius reads executed orders from your account in read-only mode.
- Market data providers (Yahoo Finance, Twelve Data, HorizonFX): no personal data about you is sent — only public symbols.
- Hosting and infrastructure (Hetzner in Germany, Google Workspace for transactional email).
- Third-party identity (Apple Sign-in, Google Sign-in) if you choose to use them.
6. Data Retention
Your data is retained as long as your account is active. You may request complete deletion of your account and all associated data at any time. Deleted data is purged from our systems within 30 days.
7. Your Rights
In accordance with GDPR, you have the following rights:
- Access (GDPR Art. 15): request a copy of your personal data.
- Rectification (GDPR Art. 16): correct inaccurate data about you.
- Erasure (GDPR Art. 17): request complete deletion of your account.
- Restriction of processing (GDPR Art. 18): freeze processing of certain data.
- Portability (GDPR Art. 20): receive your data in a structured, machine-readable format.
- Objection (GDPR Art. 21): object to certain processing based on legitimate interest.
- Automated decision-making (GDPR Art. 22): not be subject to a decision based solely on automated processing producing legal effects. Sirius and behavioural scores are decision-support tools, never an automatic decision affecting you.
- Right to withdraw consent (Art. 7 §3) at any time from your settings.
- Right to lodge a complaint with the supervisory authority (CNIL in France: www.cnil.fr/en/plaintes; ICO in the UK; your local DPA elsewhere in the EEA).
8. Cookies
We only use essential cookies required for the application to function (authentication, interface preferences). We do not use advertising tracking cookies or third-party cookies for marketing purposes.
9. Contact
For any questions regarding this privacy policy or to exercise your rights, please contact us via our contact page.
10. Detailed list of subprocessors
The up-to-date list of subprocessors and the details of the data transferred to each are published in our subprocessor register. For each entry you will find: the subprocessor's role, the categories of data transferred, its jurisdiction and the legal framework of the transfer.
View the full register →11. Privacy Contact
You may contact our privacy team for any question regarding the processing of your data or the exercise of your rights. We can be reached at [email protected]. We commit to respond within one month in accordance with GDPR Art. 12 §3.