Last Updated: 1 April 2026
Effective Date: 1 April 2026
Version: 1.0
This Privacy Policy describes how Numen ("the Service", "we", "us", "our"), operated by Numen Labs Ltd ("Numen Labs Ltd"), collects, uses, stores, and protects your personal information when you use our trade journaling and analytics platform.
We are committed to protecting your privacy and handling your data responsibly. By using the Service, you agree to the collection and use of information in accordance with this policy.
The data controller responsible for your personal data is:
Numen Labs Ltd
39 Rosaville Road, London SW6 7BN
Email: privacy@numenlabs.xyz
| Data | Purpose |
|---|---|
| Email address | Account creation, authentication, communications |
| Username / display name | Profile identification |
| Password | Authentication (stored as a salted hash, never in plain text) |
| Exchange API keys and secrets | Syncing trade data from your exchange accounts (encrypted at rest) |
| Journal entries, notes, and tags | Providing the journaling feature |
| Uploaded images and media | Trade chart screenshots and journal attachments |
| Trading rules and setups | Providing the rules/setup tracking feature |
| Feedback submissions | Improving the Service |
When you connect an exchange account, we retrieve the following data via the exchange's API:
| Data | Purpose |
|---|---|
| Trade history | Displaying trades, calculating PnL and analytics |
| Open positions | Position management and risk display |
| Account balances | Portfolio overview and risk calculations |
| Asset/symbol information | Trade categorisation and analytics |
This data is associated with your Numen account and stored in our database.
| Data | Purpose | Collected By |
|---|---|---|
| IP address | Security, rate limiting, abuse prevention | Server infrastructure |
| Browser type, OS, device info | Error diagnostics, compatibility | Sentry |
| Pages visited, features used, session duration | Product improvement, understanding usage patterns | PostHog |
| Error logs and stack traces | Debugging and fixing issues | Sentry |
| Performance metrics | Monitoring service reliability | AWS CloudWatch |
If you sign in using Discord OAuth, we receive:
| Data | Purpose |
|---|---|
| Discord user ID | Account linking |
| Email address (from Discord) | Account creation and communication |
| Username (from Discord) | Profile display |
We do not access your Discord messages, servers, or other Discord data.
Payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment credentials. From Stripe, we receive:
| Data | Purpose |
|---|---|
| Subscription status | Feature access control |
| Billing email | Payment receipts |
| Payment history (amounts, dates, status) | Subscription management |
| Last four digits of card (via Stripe dashboard) | Customer support identification |
We use your information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Providing and operating the Service | Performance of contract |
| Syncing and displaying your trade data | Performance of contract |
| Processing payments and managing subscriptions | Performance of contract |
| Sending transactional emails (password resets, billing) | Performance of contract |
| Monitoring and fixing errors | Legitimate interest |
| Analysing usage to improve the product | Legitimate interest |
| Ensuring platform security and preventing abuse | Legitimate interest |
| Sending product updates and feature announcements | Legitimate interest (with opt-out) |
| Sending marketing emails | Consent (opt-in) |
| Complying with legal obligations | Legal obligation |
We do not:
We use the following third-party services to operate the Platform. Each processes data on our behalf under data processing agreements:
| Provider | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase | Database hosting, authentication | All user and trade data (encrypted) | AWS infrastructure |
| Amazon Web Services (AWS) | Backend processing (Lambda, API Gateway, Secrets Manager) | Trade data, encrypted credentials, request logs | EU (eu-west-2) |
| Vercel | Frontend hosting | Request logs, IP addresses | Global CDN |
| Stripe | Payment processing | Billing info, email, subscription data | United States |
| Sentry | Error monitoring | Error context, user ID (anonymised), browser info | United States |
| PostHog | Product analytics | Usage events, device info, session data | EU |
| Discord | OAuth authentication | Discord user ID, email, username | United States |
When you connect an exchange, your API keys are used to communicate directly with that exchange's API:
| Exchange | Data Retrieved | Note |
|---|---|---|
| HyperLiquid | Trades, positions, balances | API keys encrypted at rest and in transit |
| Bitunix | Trades, positions, balances | API keys encrypted at rest and in transit |
| Bitget | Trades, positions, balances | API keys encrypted at rest and in transit |
We implement the following security measures to protect your data:
While we take extensive measures to protect your data, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
| Data Type | Retention Period |
|---|---|
| Account data (email, profile) | Duration of account + 30 days after deletion |
| Trade data and analytics | Duration of account + 30 days after deletion |
| Journal entries and media | Duration of account + 30 days after deletion |
| Exchange API keys | Duration of connection; deleted immediately upon disconnection or account deletion |
| Payment records | As required by tax and accounting laws (typically 7 years) |
| Error logs (Sentry) | 90 days |
| Analytics data (PostHog) | 1 year |
| Server/access logs | 30 days |
When you delete your account, we will delete or anonymise your personal data within 30 days, except where retention is required by law.
If you are located in the EEA, you have the following rights:
If you are a California resident, you have the right to:
To exercise any of these rights, contact us at privacy@numenlabs.xyz. We will respond to your request within 30 days (or within the timeframe required by applicable law). We may ask you to verify your identity before processing your request.
You can also export your trade data and journal entries directly from the Platform at any time.
We use essential cookies that are necessary for the Service to function, including:
These cookies cannot be disabled without breaking the Service.
With your consent, we use analytics cookies to understand how the Service is used:
You can opt out of analytics cookies at any time through the cookie preferences in the Platform or by contacting us.
You can manage cookies through your browser settings. Note that disabling essential cookies will prevent the Service from functioning properly.
Your data may be processed in countries outside your country of residence, including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place, including:
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly. If you believe a child under 18 has provided us with personal data, please contact us at privacy@numenlabs.xyz.
We may update this Privacy Policy from time to time. For material changes, we will notify you via email or a prominent in-app notification at least 30 days before the changes take effect.
The "Last Updated" date at the top of this policy indicates when the latest revision was made. Your continued use of the Service after changes take effect constitutes your acceptance of the revised policy.
If you have questions about this Privacy Policy or how we handle your data, please contact us at:
If you are in the EEA and are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
This Privacy Policy was last updated on 1 April 2026.