Privacy Policy
Last updated: 23 June 2026 · Version 1.1
- Fenix is a private trading journal. We collect only what we need to run it: your account, the trades and notes you log, and basic security data.
- We never sell your data and we don't use advertising trackers.
- Non-essential cookies — functional storage, Google Analytics and Microsoft Clarity — only run after you consent. You can change or withdraw consent at any time.
- You can export or permanently delete all of your data from inside the app whenever you want.
1. Who we are
Fenix ("Fenix", "we", "us") is a private, invite-only trading journal available at fen1x.in. For the purposes of the EU/UK General Data Protection Regulation (GDPR) and India's Digital Personal Data Protection Act, 2023 (DPDP Act), we are the data controller (the "Data Fiduciary") for the personal data described here.
Operator: Chandigarh, India. Privacy contact: [email protected].
2. What data we collect
We only hold data you give us or that is strictly necessary to operate and secure the service.
| Category | Examples |
|---|---|
| Account | Username and a securely hashed password (we never store your password in plain text). |
| Trading journal | The trades you log — instrument/ticker or currency pair, direction, setup, entry/stop/exit prices, R-multiple, result, whether you followed your plan, tags, free-text notes, market mode, pip/lot/currency details, and timestamps. |
| Screenshots | Chart images you optionally attach to a trade. |
| Playbook & reviews | Your trading rules and weekly-review notes (kept / leak / next step). |
| Email (optional) | If you use "Email report", the recipient address you type is used to deliver that one email. |
| Security & technical | IP address, failed-login counts and lockout timestamps, and server error/activity logs. Used to keep your account safe. |
| On-device settings | Theme, equity/forex mode, selected period, remembered username, P&L capital/risk inputs and your cookie choice — stored in your browser, not on our servers (see §4). |
We do not collect special-category data, we do not run advertising or behavioural-profiling trackers, and we do not buy data about you from third parties.
3. Why we use it & legal bases
Under the GDPR we rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Create your account and provide the journal, analytics, exports and reports you request | Performance of a contract (Art. 6(1)(b)) |
| Keep the service secure — authentication, CSRF protection, rate-limiting, abuse prevention, logging | Legitimate interests (Art. 6(1)(f)) and legal obligation (Art. 6(1)(c)) |
| Remember your preferences (theme, mode, period, etc.) across visits | Your consent (Art. 6(1)(a)) |
| Send a report to an address you enter | Performance of a contract / your request |
Where we rely on consent, you can withdraw it at any time without affecting processing already carried out.
4. Cookies & local storage
Fenix uses a minimal set of cookies and browser storage. We group them as follows:
Strictly necessary (always on)
- Session cookie (PHPSESSID) — keeps you logged in. Set as HttpOnly, Secure and SameSite=Strict.
- CSRF token — protects forms against cross-site request forgery.
- Your cookie choice — a small record of the consent decision you made on this banner.
These do not require consent because the service cannot function or stay secure without them.
Functional (only after you consent)
- Theme (dark/light), equity/forex mode, selected period, remembered username, and P&L capital/risk inputs — stored in your browser's local storage so the app remembers your setup. If you decline, the app still works; it just won't remember these between sessions, and we clear any that were stored.
Analytics
With your consent, we use Google Analytics 4 (provided by Google) to understand how Fenix is used — pages visited, broad device and browser type, approximate (city-level) location derived from your IP, and general usage patterns — so we can improve the product. Analytics is off by default and only loads after you enable Analytics in the cookie banner; if you withdraw consent we stop loading it. It sets cookies such as _ga and _ga_<id>. GA4 does not store full IP addresses, and we have not enabled Google Signals or any advertising/remarketing features. Google processes this data as our processor — see Google's Privacy Policy — and you can install their opt-out browser add-on.
Also with your consent, we use Microsoft Clarity (provided by Microsoft Corporation) for product analytics — anonymous heatmaps and aggregated session replays that show how visitors move through Fenix and where they get stuck — so we can improve usability. Like Google Analytics, it is off by default and only loads after you enable Analytics in the cookie banner; withdrawing consent stops it loading. It sets cookies such as _clck and _clsk, and by default masks the text you type into form fields. Microsoft processes this data as our processor — see Microsoft's Privacy Statement.
You can review or change your choice any time via Cookie preferences, or by clearing site data in your browser.
5. Who we share it with
We don't sell or rent your data. We share it only with the service providers (processors) needed to run Fenix:
- Hosting — Hostinger hosts the application, database and uploaded screenshots.
- Content delivery networks — Google Fonts and jsDelivr (for the Chart.js library) serve static assets; your browser's IP address is necessarily visible to them when those files load.
- Analytics — with your consent, Google Analytics 4 (Google LLC) to measure aggregate usage.
- Product analytics — with your consent, Microsoft Clarity (Microsoft Corporation) for heatmaps and session insights.
- Payments — Razorpay processes founding-access payments; they receive the payment details you enter at their checkout. We never see your full card details.
- Email delivery — when you send a report, our server transmits it to the address you provide.
We may also disclose data if required by law, or to protect the rights, safety and security of Fenix and its users.
6. How long we keep it
- Account & journal data — kept until you delete it or close your account. Deleting your account removes your trades, screenshots, playbook, reviews and account record permanently (see §7).
- Security logs — login-attempt, lockout and error/activity logs are kept only as long as needed for security and troubleshooting (generally up to 12 months), then rotated and deleted.
- Email reports — the address you enter is used to send the report and is not retained for marketing.
7. Your rights
Subject to applicable law, you have the right to:
- Access a copy of your data — use Export (CSV/JSON) in the app.
- Rectify inaccurate data — edit any trade, rule or note directly in the app.
- Erase your data ("right to be forgotten") — use Delete my account & data in Privacy & Data.
- Port your data — the JSON export is a structured, machine-readable copy.
- Restrict or object to certain processing, and withdraw consent for functional cookies at any time.
You can exercise the main rights yourself from Privacy & Data inside the app, or by emailing [email protected]. We respond within one month. If you are in the EU/EEA or UK you may also lodge a complaint with your local data-protection authority; in India you may approach the Data Protection Board.
8. How we protect it
- Passwords are hashed with a strong one-way algorithm (bcrypt) — never stored or logged in plain text.
- Traffic is served over HTTPS; session cookies are HttpOnly, Secure and SameSite=Strict.
- CSRF tokens protect state-changing requests; login throttling and account lockout defend against brute force.
- Database access uses parameterised queries to prevent injection.
If a personal-data breach occurs that is likely to put your rights at risk, we will notify the relevant supervisory authority and, where required, you directly, without undue delay — consistent with our obligations under the GDPR and the DPDP Act.
No method of transmission or storage is ever 100% secure, but we work to protect your data using appropriate technical and organisational measures.
9. International transfers
Our hosting and CDN providers may process data on servers outside your country, including outside the EU/EEA. Where data is transferred internationally, we rely on appropriate safeguards (such as the providers' standard contractual clauses) to protect it.
10. Children
Fenix is not intended for anyone under 18, and we do not knowingly collect data from children. If you believe a minor has provided us data, contact us and we will delete it.
11. Changes to this policy
We may update this policy as the service evolves. We'll change the "Last updated" date above and, for material changes, provide a more prominent notice. Continued use after an update means you accept the revised policy.
12. Contact
Questions or requests about your privacy? Email [email protected].