Privacy Policy

1. Introduction

Welcome to RuleLocked ("we," "us," "our," or the "Company"). RuleLocked is an AI-powered trade analysis software-as-a-service (SaaS) platform designed to help traders evaluate and improve their trading decisions through artificial intelligence, journaling, rule compliance checking, and performance analytics.

This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you access or use our website, application, and services (collectively, the "Service"). It applies to all users of the Service, including visitors to our website, registered account holders, and subscribers to our paid plans.

We are committed to protecting your privacy and handling your personal information with transparency and care. We recognize that your trading data and financial information are highly sensitive, and we treat that responsibility seriously. We will never sell your personal data to third parties, and we will never share your trading data with brokers, financial institutions, or other third parties for their commercial purposes.

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the practices described in this policy, please do not use the Service.

2. Information We Collect

We collect information that you provide directly to us, as well as information that is automatically gathered when you use the Service. The categories of information we collect include the following:

2.1 Account Information

When you create an account with RuleLocked, we collect your full name, email address, and a password. Your password is cryptographically hashed using industry-standard algorithms before being stored in our database. We never store your password in plain text, and our staff cannot view or retrieve your original password.

2.2 Profile and Trading Data

As you use the Service, we collect profile data including your trading preferences, custom rulesets you define for trade evaluation, preferred trading instruments, timeframes, and risk management parameters. This information is necessary to provide personalized AI analysis and rule compliance checking functionality.

2.3 Payment Information

Payment processing for RuleLocked is handled entirely by Stripe, Inc., our third-party payment processor. When you subscribe to a paid plan, your payment card details (including card number, CVC, and expiration date) are transmitted directly to Stripe and are never transmitted to or stored on our servers. We receive and store only limited payment information from Stripe, such as the last four digits of your card number, the card brand, the expiration date, and the billing address, for the purposes of displaying your subscription status and managing billing inquiries. Stripe's collection and use of your payment information is governed by Stripe's own privacy policy, available at stripe.com/privacy.

2.4 Usage Data

We collect information about how you interact with the Service, including the number and types of trade analyses you perform, journal entries you create, features you use, the frequency and duration of your sessions, and the pages and screens you visit within the application. This data helps us understand how the Service is used so we can improve the user experience and develop new features.

2.5 Chart Images

When you use our AI trade analysis feature, you upload chart images (such as screenshots of trading charts from your broker or charting platform) for processing. These chart images may contain information visible on your trading screen, including price data, indicators, annotations, and any other content displayed on the chart at the time of capture.

2.6 Device and Browser Information

We automatically collect certain technical information when you access the Service, including your Internet Protocol (IP) address, browser type and version, operating system, device type, screen resolution, referring URL, and the date and time of your visit. This information is collected through server logs and similar technologies and is used for security monitoring, analytics, and Service optimization.

2.7 Cookies and Similar Technologies

We use cookies, local storage, and similar tracking technologies to maintain your session, remember your preferences, and collect usage analytics. For detailed information about the cookies we use, please see Section 9 (Cookies Policy) of this Privacy Policy.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Providing and Operating the Service

We use your account information, profile data, trading preferences, and rulesets to deliver the core functionality of RuleLocked, including AI-powered trade analysis, trade journaling, rule compliance verification, Pine Script generation, and performance analytics. Your chart images are processed to generate AI feedback on your trade setups.

3.2 Processing Payments

We use limited payment-related information in conjunction with Stripe to process your subscription payments, manage billing cycles, handle upgrades and downgrades, issue refunds when applicable, and send payment-related notifications such as receipts, renewal reminders, and failed payment alerts.

3.3 Improving AI Analysis Quality

We use aggregated, anonymized usage patterns and feedback data to evaluate and improve the accuracy and relevance of our AI analysis outputs. This may include analyzing trends in how users interact with analysis results, which feedback categories are most common, and how analysis quality correlates with user satisfaction. We do not use your individual chart images or personal trading data to train AI models.

3.4 Service Notifications

We use your email address to send transactional and service-related communications, including account verification emails, password reset requests, subscription confirmations, billing notifications, security alerts, and important updates about changes to the Service or this Privacy Policy. These communications are not marketing messages and are necessary for the operation of your account.

3.5 Analytics and Performance Monitoring

We use usage data and technical information to monitor the performance, availability, and reliability of the Service, to identify and diagnose technical issues, to analyze usage trends and patterns, and to make data-driven decisions about feature development and infrastructure investments.

3.6 Security and Fraud Prevention

We use IP addresses, device information, and usage patterns to detect, prevent, and respond to potential security threats, unauthorized access attempts, abuse of the Service, fraud, and other malicious activity. This includes rate limiting, anomaly detection, and monitoring for suspicious login patterns.

4. AI Processing and Chart Images

RuleLocked uses artificial intelligence to analyze your trading charts and provide feedback. It is important that you understand how your chart images are processed:

4.1 Transmission to AI Provider

When you submit a chart image for analysis, it is transmitted via encrypted connection to Anthropic's Claude API for processing. Anthropic is our third-party AI provider. The chart image, along with relevant context such as your trading rules and analysis parameters, is sent to Anthropic's servers to generate the AI analysis response.

4.2 Temporary Storage During Processing

Chart images may be temporarily stored on our servers and Anthropic's servers for the duration necessary to complete the analysis request. This temporary storage is required to facilitate the processing pipeline and to deliver the analysis results to you.

4.3 No AI Model Training

We do not use your chart images, trading data, or analysis results to train, fine-tune, or improve any AI or machine learning models. Your data is used solely for the purpose of generating your requested analysis. We have contractual agreements with Anthropic ensuring that data submitted through our API integration is not used for model training purposes.

4.4 Anthropic's Data Processing Terms

The processing of your chart images by Anthropic is subject to Anthropic's data processing terms and privacy practices. We encourage you to review Anthropic's privacy policy and terms of service to understand how they handle data received through their API. We have entered into a data processing agreement with Anthropic that includes appropriate safeguards for your data.

4.5 Deletion After Analysis

Chart images are deleted from Anthropic's processing servers after the analysis is completed, in accordance with Anthropic's API data retention policies. On our own servers, chart images associated with journal entries may be retained as part of your trade journal records unless you delete them or close your account. You may delete individual journal entries and their associated chart images at any time through the Service.

5. Data Sharing and Third Parties

We share your information only with the third-party service providers that are necessary to operate the Service, and only to the extent required for them to perform their functions. We do not sell, rent, lease, or trade your personal information to any third party.

5.1 Stripe (Payment Processing)

We share your name, email address, and billing information with Stripe, Inc. for the purpose of processing subscription payments, managing billing, and preventing payment fraud. Stripe acts as an independent data controller for the payment data it collects directly from you. Stripe is PCI DSS Level 1 certified, the highest level of certification available in the payments industry.

5.2 Anthropic (AI Analysis)

We share chart images, trading rule definitions, and analysis parameters with Anthropic for the purpose of generating AI-powered trade analysis results. Anthropic acts as a data processor on our behalf and processes this data solely for the purpose of providing the analysis service. We do not share your name, email address, or account credentials with Anthropic.

5.3 Supabase (Authentication and Database)

We use Supabase as our authentication and database infrastructure provider. Supabase stores your account data, profile information, trading journal entries, rulesets, and other application data on our behalf. Supabase acts as a data processor and processes your data in accordance with our instructions and their data processing agreement.

5.4 Vercel (Hosting)

Our application is hosted on Vercel's infrastructure. Vercel may collect and process technical information such as IP addresses and request logs as part of delivering the Service. Vercel acts as a data processor and is bound by their data processing agreement with us.

5.5 No Sale of Personal Data

We do not sell, and have never sold, your personal information to any third party. This applies to all categories of personal information we collect, as defined under the California Consumer Privacy Act (CCPA) and other applicable privacy laws.

5.6 No Sharing with Brokers or Financial Third Parties

We do not share your trading data, analysis results, journal entries, rulesets, performance metrics, or any other trading-related information with brokers, financial institutions, data aggregators, or any other third parties for their commercial or analytical purposes. Your trading data remains strictly confidential between you and RuleLocked.

5.7 Law Enforcement and Legal Requirements

We may disclose your personal information if we are required to do so by law, regulation, legal process, or governmental request, including in response to a court order, subpoena, or similar legal instrument. We may also disclose your information if we believe in good faith that disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. Where permitted by law, we will make reasonable efforts to notify you before disclosing your information in response to a legal request.

6. Data Retention

We retain your personal information for as long as your account is active or as needed to provide you with the Service. The specific retention periods for different categories of data are as follows:

• Account data (name, email, profile information) is retained for the duration of your account and for up to 30 days following account closure to allow for account recovery in case of accidental deletion.
• Trading journal entries and analysis results are retained for the duration of your account. You may delete individual entries at any time.
• Chart images associated with journal entries are retained for the duration of your account unless individually deleted by you. Chart images submitted for analysis but not saved to a journal entry are deleted within 24 hours of processing.
• Payment records are retained for up to 7 years following the transaction date to comply with tax and financial reporting obligations.
• Server logs and security data (IP addresses, access logs) are retained for up to 90 days for security monitoring and incident response purposes.

When you close your account, we will delete or anonymize your personal information within 30 days, except where we are required by law to retain certain records (such as payment records for tax purposes) or where retention is necessary to resolve disputes, enforce our agreements, or protect our legal rights.

Anonymized and aggregated analytics data that does not identify you personally may be retained indefinitely for the purposes of improving the Service, conducting research, and generating aggregate usage statistics. This data cannot be used to re-identify you.

7. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, destruction, and other forms of unlawful processing. Our security measures include but are not limited to:

• Encryption in transit: All data transmitted between your browser and our servers is encrypted using Transport Layer Security (TLS 1.2 or higher). All API communications with third-party providers (Stripe, Anthropic, Supabase) are also encrypted in transit.
• Encryption at rest: Your data stored in our databases is encrypted at rest using AES-256 encryption. Database backups are also encrypted.
• Access controls: Access to user data is restricted to authorized personnel on a need-to-know basis. We enforce the principle of least privilege and use role-based access controls for all internal systems.
• Password security: User passwords are hashed using bcrypt with appropriate salt rounds before storage. We never store passwords in plain text.
• Regular security reviews: We conduct regular reviews of our security practices, infrastructure configurations, and access controls to identify and address potential vulnerabilities.
• Infrastructure security: Our hosting infrastructure on Vercel and database infrastructure on Supabase benefit from the security measures implemented by these enterprise-grade platforms, including physical security, network security, and monitoring.

While we strive to protect your personal information, no method of transmission over the Internet or method of electronic storage is 100% secure. We cannot guarantee absolute security of your data. If you become aware of any unauthorized access to your account, please contact us immediately at security@rulelocked.com.

8. Your Rights

Depending on your location and applicable privacy laws, including the European Union General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), you may have the following rights with respect to your personal information:

8.1 Right to Access

You have the right to request a copy of the personal information we hold about you. This includes your account data, profile information, trading journal entries, rulesets, analysis history, and any other data associated with your account. We will provide this information in a commonly used, machine-readable format within 30 days of receiving your request.

8.2 Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal information we hold about you. You can update most of your account information directly through the Settings page in the Service. For corrections that cannot be made through the Service interface, please contact us and we will make the necessary changes promptly.

8.3 Right to Erasure (Right to Be Forgotten)

You have the right to request that we delete your personal information. You can delete your account at any time through the Settings page, which will initiate the deletion of your personal data in accordance with the retention periods described in Section 6. You may also request deletion of specific data, such as individual journal entries or chart images, without closing your entire account. Please note that we may retain certain information where required by law or where we have a legitimate basis to do so.

8.4 Right to Data Portability

You have the right to receive your personal information in a structured, commonly used, and machine-readable format, and to transmit that data to another service provider. We support data export through the Settings page, where you can download your trading journal entries, analysis history, rulesets, and performance data in JSON or CSV format.

8.5 Right to Restrict Processing

You have the right to request that we restrict the processing of your personal information in certain circumstances, such as when you contest the accuracy of the data, when the processing is unlawful but you oppose deletion, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification of our legitimate grounds.

8.6 Right to Object

You have the right to object to the processing of your personal information where we rely on legitimate interests as our legal basis, or where your personal information is processed for direct marketing purposes. Upon receiving your objection, we will cease processing your data for the objected purpose unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

8.7 How to Exercise Your Rights

To exercise any of the rights described above, you may:

• Use the self-service options available in the Settings page of your RuleLocked account.
• Send an email to privacy@rulelocked.com with your request.
• Contact us using the details provided in Section 13 of this Privacy Policy.

We will respond to your request within 30 days. If we need additional time to fulfill your request (up to an additional 60 days for complex requests), we will notify you of the extension and the reasons for it. We may ask you to verify your identity before processing your request to protect your account security. We will not charge a fee for processing your request unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request.

9. Cookies Policy

We use cookies and similar technologies to operate and improve the Service. A cookie is a small data file placed on your device when you visit a website. Below is a description of the types of cookies we use:

9.1 Essential Cookies

These cookies are strictly necessary for the operation of the Service. They include session cookies that maintain your authenticated session, security tokens that protect against cross-site request forgery (CSRF), and cookies that remember your session state across pages. Essential cookies cannot be disabled without impairing the functionality of the Service. The legal basis for these cookies is our legitimate interest in providing a secure, functional service, and these cookies do not require consent under applicable privacy laws.

9.2 Analytics Cookies (Optional)

We may use analytics cookies to collect anonymized usage statistics, such as which pages are most frequently visited, how users navigate through the Service, and where errors occur. These cookies help us understand how the Service is used and identify areas for improvement. Analytics cookies are optional and are only placed with your consent. You may opt out of analytics cookies at any time without affecting the functionality of the Service.

9.3 Managing Cookies

You can manage your cookie preferences through your browser settings. Most browsers allow you to block or delete cookies, or to be notified when a cookie is being set. Please note that blocking essential cookies may prevent you from using certain features of the Service or may require you to re-authenticate more frequently. You can also manage your analytics cookie preferences through the cookie consent banner displayed when you first visit the Service, or through the Settings page in your account. For more information about cookies and how to manage them, visit allaboutcookies.org.

10. Children's Privacy

The Service is not intended for individuals under the age of 18. RuleLocked is a financial analysis tool designed for adult traders, and we do not knowingly collect, solicit, or maintain personal information from anyone under the age of 18. We do not knowingly allow individuals under 18 to create accounts or use the Service.

If we learn that we have collected personal information from a child under the age of 18, we will take immediate steps to delete that information from our systems. If you are a parent or guardian and believe that your child under 18 has provided us with personal information, please contact us at privacy@rulelocked.com so that we can take appropriate action.

11. International Data Transfers

RuleLocked is operated from the United States, and your personal information is primarily processed and stored on servers located in the United States. If you access the Service from outside the United States, please be aware that your information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your country of residence.

For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we ensure that any transfer of personal data to the United States or other countries outside the EEA is protected by appropriate safeguards. These safeguards include Standard Contractual Clauses (SCCs) approved by the European Commission, as well as any supplementary measures necessary to ensure an essentially equivalent level of data protection as required under the GDPR.

Our third-party service providers (Stripe, Anthropic, Supabase, and Vercel) also maintain appropriate data transfer mechanisms and safeguards. You may request a copy of the relevant Standard Contractual Clauses or other transfer mechanisms by contacting us at privacy@rulelocked.com.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes to this policy, we will update the "Last updated" date at the top of this page.

For material changes that significantly affect how we collect, use, or share your personal information, we will provide at least 30 days' advance notice before the changes take effect. This notice will be provided through one or more of the following methods: a prominent notice on the Service, an email notification sent to the email address associated with your account, or an in-app notification.

Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the changes. If you do not agree with the revised policy, you should discontinue your use of the Service and close your account before the changes take effect. We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

13. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us using the following information:

We aim to respond to all privacy-related inquiries within 5 business days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority. For users in the European Economic Area, this includes the supervisory authority in your member state of residence, place of work, or place of the alleged infringement.