Privacy Policy
Last updated: June 2026
This policy describes the personal data collected by SENZOUKRIA (publisher: Ryad Bouderga, contact: ryad.bouderga78@gmail.com), the purposes of processing, recipients, your rights and how to exercise them.
1. Data Collected & Legal Bases
We collect only the data necessary for the service to function.
| Category | Data | Legal basis (GDPR art. 6) |
|---|---|---|
| Account | Email, name (optional), display name, avatar, password (bcrypt-12 hash) | Contract performance |
| Google OAuth | Google ID, access_token, refresh_token, id_token | Contract performance (delegated auth) |
| Security | IP address, user-agent, device fingerprint (anti-sharing), failed login attempts | Legitimate interest (security / fraud prevention) |
| Payment | Stripe customer ID, Stripe subscription ID (no card numbers) | Contract performance / legal obligation (billing) |
| Trade Journal | Symbol, direction (LONG/SHORT), entry/exit price, quantity, P&L, screenshots — voluntarily entered by the user | Contract performance (Journal feature) |
| AI Assistant | Text messages and images sent to the assistant — forwarded to a third-party LLM provider (see §5) | Contract performance (AI feature) |
2. Data We NEVER Collect
We NEVER collect:
- Live CME market data (ticks, quotes, DOM, trades)
- Broker account credentials (Rithmic, Apex, IBKR logins or passwords)
- Card numbers or raw payment data
- Open positions or orders routed through the desktop app (these flow directly broker ↔ client)
Trade journal data (entry/exit, P&L) is voluntarily entered by the user in the Journal module — it is not captured automatically from the broker.
3. Purposes of Processing
- Authentication and session management (JWT 6h)
- Account sharing prevention (anti-sharing, multi-device detection)
- Subscription management and billing (Stripe)
- Providing features: Footprint, Heatmap, GEX, Journal, AI Assistant
- Service security (attack detection, account lockout)
- Technical support
4. Retention Periods
- Sessions: deleted on expiry (6h) or sign-out, expired sessions purged automatically
- Account data: retained for the subscription duration + 30 days after cancellation, then deleted on request or automatically
- IP logs / security logs: 12 months maximum
- Payment data (Stripe): 10 years (French accounting legal obligation)
- Trade journal: retained while the account is active; deleted with the account on request
5. Sub-processors & International Transfers
We use the following sub-processors. Some are based in the United States (transfers covered by EU Standard Contractual Clauses or the EU-US Data Privacy Framework):
| Sub-processor | Role | Country | Safeguard |
|---|---|---|---|
| Vercel Inc. | Web app hosting | USA | DPF + SCC |
| Stripe Inc. | Payment processing | USA | DPF + SCC |
| Anthropic PBC | AI assistant LLM (Claude) — receives your messages and images | USA | SCC |
| Groq Inc. | AI assistant LLM (Llama) — receives your messages and images | USA | SCC |
| Google LLC | Google OAuth (sign-in) + Gemini LLM (AI assistant) | USA | DPF + SCC |
| SMTP provider | Sending verification emails and notifications | Variable | SCC if outside EU |
Regarding the AI assistant: your text messages and chart images sent to the assistant are forwarded to these providers to generate a response. They are not used to train their models (contractual clauses in force). No broker market data (credentials, positions, orders) passes through the AI.
6. Your Rights
Under GDPR (articles 15–22), you have the following rights:
- Access: obtain a copy of your data
- Rectification: correct inaccurate data
- Erasure: request deletion — available directly from Account → Danger Zone → Delete account
- Portability: receive your data in a structured format — available from Account → Export my data
- Objection / restriction: object to processing based on legitimate interest
To exercise these rights: ryad.bouderga78@gmail.com. Response within 30 days. If your request is not resolved, you may lodge a complaint with your local data protection authority (in France: CNIL).
7. Cookies
We use only strictly necessary technical cookies required for the service to function (NextAuth session cookie, CSRF cookie). No advertising, profiling, or third-party tracking cookies are set. No third-party analytics tool is active.
8. Security
- Passwords hashed with bcrypt (12 rounds) — never stored in plain text
- Broker credentials (Rithmic, Apex…) stored exclusively in the user's local OS keychain (Windows DPAPI / macOS Keychain) — never transmitted to our servers
- Sessions with 6h expiry and immediate revocation capability
- PostgreSQL database encrypted in transit (TLS 1.2+)
- HTTPS-only communications
DPO / personal data contact: ryad.bouderga78@gmail.com