Privacy Policy

This policy describes how Zentralog collects, uses, retains and protects your personal data when you use our trading-journal application. It is written to comply with the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Spanish Organic Law on Data Protection and Guarantee of Digital Rights (LOPDGDD, LO 3/2018).

Last updated: 2026-05-12 · Version: v1.0

1. Introduction

Zentralog is a web-based trading-journal and analytics platform. We help individual traders import, review and analyse their own trading activity from supported brokers. We only process the personal data needed to provide the service, and we do not sell your data to third parties.

By creating an account or otherwise using Zentralog you confirm that you have read this policy. If you do not agree with it, please do not use the service.

2. Who we are

The data controller responsible for your personal data is Zentralog, operated from Spain. Until our operating entity is finalised in the public registry, you can request formal entity details for legal correspondence by writing to info@zentralog.com.

Zentralog has not appointed a Data Protection Officer because we do not meet the mandatory criteria of Article 37 of the GDPR. For any privacy-related question or request you can use the contact address above.

3. What personal data we process

We process the minimum personal data needed to operate the service. We do not process special categories of data within the meaning of Article 9 of the GDPR.

3.1 Account data

Email address, hashed password, display name (optional), language and theme preferences, account creation date and last sign-in metadata. We collect this directly from you when you register.

3.2 Broker credentials

When you connect a broker (such as Rithmic, Tradovate, MatchTrader, cTrader, Topstep or others we integrate with), we receive credentials or OAuth tokens sufficient to retrieve your trading activity on a read-only basis. Section 5 below describes how these credentials are handled in detail.

3.3 Trading data

Account information, orders, fills, executions, closed trades, profit and loss, instruments traded, timestamps and any notes you add. We synchronise this from your connected brokers, and we may also accept manual imports (CSV) or in-app entries.

3.4 Technical and usage data

IP address, user-agent string, timezone, session identifiers, application logs and error reports. When you have given consent we may also process aggregated analytics data through Vercel Analytics (see section 12).

3.5 Communications

Any message you send us by email or through support channels, including the email address you write from and the content of the conversation.

4. Why we process your data

We process the data described above for the purposes set out in the table below, each relying on a specific legal basis under Article 6 of the GDPR.

Purpose | Data used | Legal basis
Provide the journaling and analytics service | Account, broker credentials, trading, technical | Performance of contract (Art. 6.1.b)
Authenticate users and protect accounts | Account, technical | Performance of contract (Art. 6.1.b)
Synchronise broker activity into your journal | Broker credentials, trading | Performance of contract (Art. 6.1.b)
Improve the product through aggregated analytics | Technical, usage | Consent (Art. 6.1.a)
Prevent fraud, abuse and security incidents | Account, technical, logs | Legitimate interest (Art. 6.1.f)
Comply with legal and tax obligations | Account, billing (if applicable) | Legal obligation (Art. 6.1.c)
Answer your support and privacy requests | Communications, account | Legitimate interest (Art. 6.1.f)

Where processing relies on your consent (analytics), you can withdraw it at any time from the cookie preferences panel without affecting the lawfulness of any processing carried out before withdrawal.

5. How we handle broker credentials

Broker credentials are the most sensitive data we handle. We take the following measures:

  • Encrypted at rest. Credentials and OAuth tokens are stored encrypted in our database using industry-standard symmetric encryption. The encryption keys are held separately from the encrypted data.
  • Minimum-necessary access. Only the synchronisation service that runs on your behalf can decrypt credentials, and only at the moment of an active sync operation. The credentials are not displayed back to you or to our staff after they are stored.
  • Read-only use. We use credentials exclusively to retrieve account, order, execution and closed-trade information. We never place, modify or cancel orders on your behalf.
  • No sharing with third parties. Credentials are never shared with any party other than the broker they were issued for.
  • Revocation. You can disconnect any broker at any time from your account settings. On disconnection we delete the stored credentials within 30 days, unless we are required to retain them longer to comply with a legal obligation.

6. Who we share data with

We do not sell your personal data. We share data only with the categories of recipients listed below, under written data-processing agreements where required by Article 28 of the GDPR.

  • Infrastructure and hosting providers. Supabase (managed database and authentication) and Vercel (application hosting and analytics).
  • Connected brokers. The brokers you choose to connect (such as Rithmic, Tradovate and others). We send your credentials back to the originating broker only to authenticate the sync, and we receive your trading data in return.
  • Professional advisors and authorities. Lawyers, accountants and public authorities where strictly necessary and only to the extent required by law.

You can request the current list of sub-processors at any time by writing to info@zentralog.com.

7. International transfers

Some of our sub-processors and broker partners are based outside the European Economic Area, in particular in the United States. Where we transfer personal data to those countries, the transfer is protected by one of the safeguards listed in Articles 45 to 49 of the GDPR, typically the European Commission’s Standard Contractual Clauses combined with additional technical and organisational measures (encryption, access controls).

You can request a copy of the safeguards in place for a specific transfer by writing to the contact address above.

8. How long we keep your data

We retain personal data only as long as needed for the purposes for which it was collected, or as required by law.

Data category | Retention period
Account data | For as long as your account is active, plus 30 days after deletion in backups
Broker credentials | Until you disconnect the broker, then deleted within 30 days
Trading data (journal) | For as long as your account is active, then deleted within 30 days
Application logs | 90 days rolling window
Communications (support, privacy requests) | Up to 3 years from the last interaction, to defend potential claims
Accounting and tax records (if applicable) | As required by Spanish law (typically 6 years)

9. Your rights

Under the GDPR and the LOPDGDD you have the following rights regarding your personal data:

  • Access. Obtain confirmation of whether we process your data and receive a copy of it.
  • Rectification. Have inaccurate or incomplete data corrected.
  • Erasure. Have your data deleted when it is no longer needed, you withdraw consent, or you object to processing without overriding legitimate grounds.
  • Restriction. Have processing temporarily suspended while a dispute or request is being resolved.
  • Portability. Receive your data in a structured, commonly used, machine-readable format and have it transmitted to another controller where technically feasible.
  • Objection. Object to processing based on legitimate interest, in particular for direct marketing.
  • Withdrawal of consent. Withdraw any consent you have given, at any time, without affecting the lawfulness of prior processing.
  • Not to be subject to fully automated decisions that produce legal effects or significantly affect you. We do not currently make such decisions (see section 13).

10. How to exercise your rights

You can exercise any of the rights above by emailing info@zentralog.com from the email address associated with your account. We may ask for additional information to verify your identity if there is a reasonable doubt about who is making the request.

We will respond within one month of receipt. The deadline may be extended by two further months for complex or numerous requests; we will inform you within the first month if that is the case.

11. Security

We apply technical and organisational measures appropriate to the risk: encryption in transit (TLS) and at rest for sensitive fields, role-based access controls, audit logging, isolated infrastructure, periodic dependency updates and the principle of least privilege. No method of transmission or storage is perfectly secure; in the event of a personal data breach affecting your rights and freedoms we will notify you and the Spanish Data Protection Authority within 72 hours as required by Articles 33 and 34 of the GDPR.

12. Cookies

Zentralog uses a small number of strictly necessary cookies to keep you signed in and remember your preferences. Optional cookies (analytics) are only set after you have given consent through the cookie banner. For a full list, see our Cookie Policy.

13. Automated decisions and profiling

Zentralog does not make decisions about you that are based solely on automated processing and that produce legal effects or significantly affect you in similar ways. The analytics and journal insights we present are informational; they do not block, approve or deny any service or transaction automatically.

14. Children’s data

Zentralog is intended for adults who trade financial instruments. The service is not directed to children and we do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete the data without undue delay.

15. Changes to this policy

We may update this policy from time to time to reflect changes in the service, in our processing activities or in applicable law. Each version is identified at the bottom of this page. Material changes will be communicated through the application or by email before they take effect, and we will keep prior versions available in our version history on request.

16. Complaints and contact

For any privacy question or complaint, please contact us first at info@zentralog.com. If you are not satisfied with our response, you have the right to file a complaint with the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) at www.aepd.es or, if you reside in another EU country, with your local supervisory authority.

Version: v1.0

Last updated: 2026-05-12

This is a v1.0 policy drafted during the private beta. Material changes may follow as the product and the operating entity are finalised.