Legal · GDPR

Privacy Policy

Last updated: 26 April 2026

1. Data Controller

Bull & Bear is an online trading journal published by Bull & Bear, based in Strasbourg, France.

For any questions regarding the protection of your personal data: bullandbear.journal@gmail.com.

2. Data We Collect

We only collect data strictly necessary to operate the service:

2.1 Identity & Contact Data

  • Email address — used for account creation and authentication.
  • Display name — optional, personalises your interface.
  • Timezone — optional, ensures correct display of trading times.

2.2 Trading Data (User Content)

  • Trading account details (name, broker, currency, initial balance).
  • Trade history (symbol, price, quantity, result, entry/exit dates).
  • Daily journals (market conditions, emotional state, notes, screenshots).

This data is exclusively content you voluntarily enter. It is never sold or shared for advertising purposes.

2.3 Browsing Data

  • IP address — temporarily collected for API rate limiting (anti-abuse). Not retained beyond 60 seconds.
  • Session cookies — required for authentication (strictly functional, exempt from consent under the ePrivacy Directive).

We use no analytics cookies, advertising trackers, or third-party pixels.

3. Purposes & Legal Bases

Purpose | Legal Basis (GDPR)
Account creation and management | Performance of contract (Art. 6.1.b)
Secure authentication | Performance of contract (Art. 6.1.b)
Storage and display of your trades and journals | Performance of contract (Art. 6.1.b)
API rate limiting (security) | Legitimate interest (Art. 6.1.f)
Transactional emails (confirmation, password reset) | Performance of contract (Art. 6.1.b)

We do not engage in automated profiling or automated decision-making that produces legal effects.

4. Emotional State Data

Our trading journal lets you document your emotional state during sessions (e.g. calm, anxious, confident). This psychological data may constitute sensitive data under Article 9 of the GDPR.

By entering this information, you explicitly consent to its processing solely to improve your personal trading analysis. This data is accessible only to you and is never shared with third parties.

5. Sub-processors & Data Transfers

  • Supabase Inc. (USA) — database hosting and authentication. Data stored in EU West (Ireland). SOC 2 Type II certified, GDPR-compliant via SCCs.
  • Upstash Inc. (USA) — Redis cache for rate limiting. Only anonymised IPs are processed, for a maximum of 60 seconds. GDPR-compliant via SCCs.
  • Vercel Inc. (USA) — web application hosting. GDPR-compliant via SCCs. Deployment logs contain no personal data.

No data is transferred outside the European Economic Area without adequate safeguards.

6. Data Retention

  • Active account — data retained as long as your account is active.
  • Archived accounts — retained for 12 months to allow restoration, then permanently deleted.
  • After account deletion — all data is immediately and irreversibly deleted.
  • IP addresses (rate limiting) — held in memory for a maximum of 60 seconds, not persisted.
  • Application logs — retained for 30 days for debugging, then automatically deleted.

7. Security

We implement the following technical and organisational measures:

  • All communications encrypted via TLS 1.2+ (HTTPS enforced).
  • Data at rest encrypted by Supabase (AES-256).
  • Passwords hashed, never stored in plain text.
  • CSRF verification on all mutating requests (POST, PATCH, DELETE).
  • API rate limiting to prevent abuse.
  • Row Level Security (RLS) enabled on Supabase — each user can only access their own data.

8. Your Rights

Under the GDPR (EU Regulation 2016/679), you have the following rights over your personal data:

  • Right of access (Art. 15) — view your data from your profile.
  • Right to data portability (Art. 20) — download all your data as JSON via Profile → Export my data.
  • Right to rectification (Art. 16) — edit your display name and timezone from your profile.
  • Right to erasure (Art. 17) — permanently delete your account via Profile → Delete my account.
  • Right to restriction of processing (Art. 18) — contact us to request a temporary suspension of processing.
  • Right to object (Art. 21) — object to processing based on our legitimate interest.

To exercise any of these rights: bullandbear.journal@gmail.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority — in France, the CNIL: www.cnil.fr.

9. Minors

Bull & Bear is intended for users aged 18 or older. We do not knowingly collect personal data from minors. If you are a parent or guardian and believe a minor has provided us with data, please contact us so we can delete it.

10. Policy Changes

We reserve the right to modify this privacy policy at any time. In the event of a material change, you will be notified by email or in-app notification at least 14 days before the changes take effect. Continued use of the service after that date constitutes acceptance of the changes.

For any questions relating to this policy: bullandbear.journal@gmail.com

Have questions?

Our team responds within 24–48 hours.

bullandbear.journal@gmail.com