Performax

Privacy Policy

Effective Date: February 18, 2026 · Last Updated: February 18, 2026

1. Data We Collect

We only collect data necessary for the operation of the service. The table below reflects the processing activities actually implemented in our application.

Category | Examples | Purpose | Legal Basis (GDPR)
User account | Email address, name (optional), hashed password, Google OAuth identifier | Account creation and authentication | Performance of contract (Art. 6(1)(b))
Trading profile | Trading style, risk tolerance, monthly goals, primary weakness, AI coaching style | Personalization of the journal and AI coach | Performance of contract (Art. 6(1)(b))
Trading data | Trades (pair, price, quantity, leverage, P&L, fees, duration), notes, tags, screenshots, playbooks, cashflows | Core trading journal features | Performance of contract (Art. 6(1)(b))
Exchange credentials | API keys (AES-256-GCM encrypted), wallet addresses (DEX) | Automatic trade synchronization from your exchanges | Performance of contract (Art. 6(1)(b))
Psychological & behavioral data | Daily mood, stress/energy/confidence level, behavioral score, tilt detection, coach rule violations | Behavioral analysis, tilt alerts, personalized coaching | Consent (Art. 6(1)(a))
AI conversations | Chat messages, AI-generated trader profiles, pinned insights | Conversational AI coach | Performance of contract (Art. 6(1)(b))
Journal / Notebook | Journal entries, daily notes, attached images | Personal journal feature | Performance of contract (Art. 6(1)(b))
Leaderboard | Chosen username, avatar, aggregated statistics (win rate, P&L, etc.) | Community leaderboard (opt-in only) | Consent (Art. 6(1)(a))
Subscription | Plan, status, period dates | Feature access management | Performance of contract (Art. 6(1)(b))
Usage data | Pages visited, button/link clicks, session identifier (random UUID) | Product improvement, internal usage analysis | Legitimate interest (Art. 6(1)(f))
Technical data | Authentication cookies (HTTP-only), language preference | Session maintenance, interface personalization | Performance of contract (Art. 6(1)(b))

What we do not collect: we do not collect your IP address for profiling purposes, do not deploy any third-party tracking pixels (Google Analytics, Facebook Pixel, etc.), and do not use any external analytics SDK.

2. How We Use Your Data

Your data is used exclusively to:

  • Provide and maintain the Performax service (journal, analytics, sync, alerts).
  • Power artificial intelligence features: the AI coach analyzes your trades, profiles, and psychological states to generate personalized insights.
  • Send email notifications that you have enabled (risk alerts, rule violations, API key errors).
  • Display your profile on the community leaderboard, only if you have explicitly opted in.
  • Improve the product by analyzing aggregated usage data (pages visited, clicks) internally.

We do not sell, rent, or share your personal data for advertising or third-party marketing purposes.

3. Legal Bases for Processing

  • Performance of contract (Art. 6(1)(b)): the majority of processing activities are necessary to provide you with the service you have subscribed to (trading journal, synchronization, AI coach, alerts).
  • Consent (Art. 6(1)(a)): psychological and behavioral tracking (mood, tilt score, revenge trading analysis) relies on your voluntary participation. Publication of your profile on the leaderboard is strictly opt-in.
  • Legitimate interest (Art. 6(1)(f)): the collection of usage data (pages visited, clicks) for product improvement. You may object to this processing by contacting us.

4. Cookies and Local Storage

Performax uses a minimal number of client-side storage mechanisms, all strictly functional:

Type | Name / Description | Purpose | Duration
HTTP-only cookie | Supabase Auth session cookie | Authentication and session maintenance | Session (automatically renewed)
Application cookie | performax-onboarding-done | Onboarding status cache | Session
localStorage | Preferences (language, journal columns, dashboard presets, alert settings) | Interface personalization | Persistent (until manually cleared)
sessionStorage | ai_session_id (random UUID) | Grouping usage events by session | Browser tab

No third-party cookies are set. We do not use any tracking pixels, marketing beacons, or external analytics SDKs.

5. Data Sharing and Sub-processors

We never sell your data. We share your data only with the technical sub-processors necessary for the operation of the service:

Sub-processor | Role | Data Concerned | Location
Supabase Inc. | Database, authentication, file storage | All user data | EU (Frankfurt, Germany) / USA
Mailjet (Sinch) | Transactional email delivery | Email address, alert content (loss amounts, rule violations) | EU (France)

Crypto exchanges: when you connect an exchange (Bitget, OKX, MEXC, Hyperliquid, Paradex, Lighter), we use your API keys to retrieve your trade history and balances. Your API keys are encrypted with AES-256-GCM before storage. We never transmit your API keys to any third party — they are used exclusively to communicate with the API of the exchange you have selected.

Market data APIs: we query public APIs (Twelve Data, Frankfurter, Binance public API) to obtain market data (prices, volatility, economic calendar). No personal data is transmitted to these services.

6. International Data Transfers

Some of our sub-processors (Supabase) may process data in the United States. These transfers are governed by:

  • The EU-U.S. Data Privacy Framework (DPF) for certified entities.
  • Standard Contractual Clauses (SCCs) approved by the European Commission.

Our primary Supabase database is hosted in the European Union.

7. Data Retention

We retain your data in accordance with the following principles:

  • Account and trading data: retained as long as your account is active. Deleted upon account deletion.
  • AI conversations: retained as long as your account is active. Deleted upon account deletion.
  • Behavioral and psychological data: retained as long as your account is active to support the coach's longitudinal analyses.
  • Usage data (behavior logs): retained for product improvement purposes. Deleted upon account deletion.
  • Files (screenshots, images): retained in our storage buckets as long as your account is active.
  • After account deletion: all data identified above is permanently deleted (hard delete). No copies are retained, with the exception of automatic infrastructure backups that are purged according to Supabase's retention cycle (typically 7 days).

8. Security Measures

We implement the following technical measures:

  • Credential encryption: your exchange API keys are encrypted with AES-256-GCM (authenticated encryption) before storage in the database.
  • Data isolation: Row-Level Security (RLS) policies in PostgreSQL ensure that each user can only access their own data.
  • Secure cookies: authentication sessions use HTTP-only cookies, inaccessible to client-side JavaScript.
  • Security headers: restrictive Content-Security-Policy, X-Frame-Options DENY, strict Referrer-Policy, Permissions-Policy disabling camera/microphone/geolocation.
  • Passwords: hashed by Supabase Auth (bcrypt). We never have access to your plaintext password.
  • Encrypted communications: all connections use HTTPS/TLS.
  • Rate limiting: AI endpoints are limited to 10 requests per minute per user, with monthly quotas per plan.

No security measure is infallible. We cannot guarantee the absolute security of your data, but we are committed to responding promptly in the event of an incident and to notifying you in accordance with the GDPR (Art. 33-34).

9. Your Rights

Under the GDPR and applicable legislation, you have the following rights:

  • Right of access (Art. 15): obtain confirmation that your data is being processed and receive a copy thereof.
  • Right to rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request the deletion of your data. You may delete your account from the application settings.
  • Right to restriction of processing (Art. 18): request the restriction of processing in certain circumstances.
  • Right to data portability (Art. 20): receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest (in particular, usage data collection).
  • Right relating to automated profiling (Art. 22): the AI coach analyses (tilt, revenge trading, scoring) constitute automated profiling. You may contest these analyses, request human intervention, or express your point of view.
  • Withdrawal of consent: you may withdraw your consent at any time for processing activities that rely on it (psychological data, leaderboard), without affecting the lawfulness of prior processing.

To exercise these rights, contact us at privacy@performax.ai. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority (in France: the CNIL — www.cnil.fr).

10. Account Deletion and Data Export

Account deletion: you may permanently delete your account from the Settings page of the application. Deletion requires confirmation of your password and results in the irreversible deletion of all your data (trades, exchange accounts, playbooks, AI conversations, behavioral data, files).

Data export: you may request a complete export of your data by contacting us at privacy@performax.ai. We will provide a JSON file containing all of your personal data within 30 days.

11. Protection of Minors

Performax is not intended for persons under the age of 18. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us immediately.

12. Changes to This Policy

We may update this privacy policy periodically. In the event of a material change, we will notify you by email or through an in-app notification before the changes take effect. The date of the last update is indicated at the top of this page.

We encourage you to review this page regularly to stay informed of our practices.

13. Contact

For any questions regarding this privacy policy or your personal data:

Email: privacy@performax.ai