Privacy Policy.
Effective date: June 8, 2026 · Last updated: June 9, 2026
Applies to: disciplina.app, journal.disciplina.app
This policy explains what personal data disciplina. collects, why, and how it is handled. It is written to meet the requirements of the EU General Data Protection Regulation (GDPR) and Polish data protection law.
disciplina. is a post-session trading journal. The data you share — trade imports, journal entries, cognitive traces — is yours. We do not sell it, share it for advertising, or use it to build models on your behalf.
§1 · Data Controller
The data controller responsible for your personal data is:
§2 · What This Policy Covers
This policy applies to two properties:
- disciplina.app — the public landing page, including the beta access sign-up form.
- journal.disciplina.app — the trading journal application, accessible to registered users only.
It does not cover third-party websites or services that may be linked from these pages.
§3 · Data We Collect
3a. Landing page (disciplina.app)
| Data | Source | Purpose |
|---|---|---|
| Email address | Beta access sign-up form | To add you to the invite waitlist and notify you when your access is ready |
| Sign-up timestamp | Automatically recorded | Waitlist management; invite sequencing |
| Basic usage data (page visits, clicks) | Analytics (if enabled) | Understanding which parts of the landing page are useful |
3b. Journal application (journal.disciplina.app)
| Data | Source | Purpose |
|---|---|---|
| Email address, password hash | Account registration | Authentication and account security |
| Trade execution data (ticker, time, price, size, direction, P&L) | Broker CSV import (manual) | Calculation of discipline flags, behavioral analysis, AI Recap generation |
| Behavioral flags (revenge entry, loss chase, oversized, runaway, daily-limit breach) | Computed from execution data | Displaying discipline metrics; coaching feedback |
| Journal entries and Cognitive Traces | Written by you in the app | Day Review and self-coaching workflow |
| AI Recap content | Generated from your session data | Displayed to you in the AI Recap tab; stored so you can revisit past recaps |
| Streak and review completion records | App activity | The Chain streak system; consistency tracking |
| Account settings and preferences | In-app configuration | Personalising thresholds and display |
disciplina. does not collect Social Security numbers, government IDs, payment card details, or brokerage credentials. You import data by uploading a CSV file — your broker account is never connected.
§4 · Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Beta waitlist (email collection) | Consent — Art. 6(1)(a). You can withdraw at any time by emailing privacy@disciplina.app. |
| Account creation and authentication | Performance of contract — Art. 6(1)(b). Necessary to provide the service. |
| Trade data processing and flag computation | Performance of contract — Art. 6(1)(b). The core function of the app. |
| Journal entries and Cognitive Traces | Performance of contract — Art. 6(1)(b). Stored at your explicit request. |
| AI Recap generation | Performance of contract — Art. 6(1)(b). Feature you actively trigger. |
| Analytics (landing page) | Legitimate interest — Art. 6(1)(f), subject to cookie consent where applicable. |
§5 · AI Processing — What Gets Sent and Where
The AI Recap feature sends a summary of your session data to generate coaching text. This includes trade statistics, computed behavioral flags, and — if you choose to include them — journal notes you have written for that session. Raw account credentials, your full trade history, or any data outside the selected session are never transmitted.
AI generation is provided by Lovable's platform infrastructure. OpenAI is a sub-processor of Lovable Technologies AB — your data contract for AI processing runs through Lovable, not directly through OpenAI. Lovable's handling of this relationship is governed by their own Data Processing Agreement and sub-processor list at lovable.dev/privacy.
If you do not wish your session data to be used for AI Recap generation, do not use the AI Recap feature. All other functions of the journal work without it.
§6 · Data Processors & Third Parties
| Processor | Role | Data location |
|---|---|---|
| Lovable Technologies AB | Primary infrastructure provider (Lovable Cloud): application hosting, deployment, database, authentication, serverless edge functions, and file storage. Supabase, Inc. is a sub-processor within Lovable Cloud's infrastructure — your data contract runs through Lovable, not Supabase directly. | European Union (EU) |
| GoDaddy, Inc. | Email hosting for the disciplina.app domain. Emails sent to addresses such as privacy@disciplina.app are routed through GoDaddy's mail servers. This includes any personal data you include in email correspondence with us. | United States — SCCs in place |
| Google LLC | Google Search Console: search performance monitoring for disciplina.app (impressions, clicks, search queries leading to the site, sitemap management, crawl data). This data is aggregated and does not include individually identified visitor data. | United States — SCCs in place; Google also holds EU–US Data Privacy Framework certification |
| Paddle.com Market Ltd. (planned) | Payment processing and sales tax (Merchant of Record). Paddle acts as data controller for payment and billing data. | UK/EU — governed by Paddle's own privacy policy |
Lovable Technologies AB maintains its own sub-processor relationships (including with Supabase, Inc.) under their terms. For details of Lovable's infrastructure and sub-processor chain, refer to lovable.dev/privacy.
We do not sell personal data to any third party. We do not share data for advertising purposes.
§7 · International Data Transfers
Some processors used to operate this service are based in the United States: GoDaddy (email hosting), Google LLC (Search Console), and OpenAI as a sub-processor of Lovable. Data transferred to US-based processors is protected by Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). Google LLC additionally holds EU–US Data Privacy Framework certification.
Where Lovable Cloud stores application data in an EU region, no international transfer takes place for that data. The specific data region is subject to Lovable's own infrastructure configuration. If you have questions about transfer mechanisms in place, contact us at privacy@disciplina.app.
§8 · Data Retention
| Data category | Retention period |
|---|---|
| Beta waitlist email | Until you request removal, or 24 months from sign-up with no conversion to an active account, whichever is earlier |
| Account data (active users) | For the lifetime of your account |
| Trade executions, behavioral flags | For the lifetime of your account; permanently deleted within 30 days of account deletion |
| Journal entries and Cognitive Traces | For the lifetime of your account; permanently deleted within 30 days of account deletion |
| AI Recap content (stored recaps) | For the lifetime of your account |
| Deleted account residual backups | Purged from backup systems within 90 days of deletion |
§9 · Your Privacy Rights
These rights apply to all users of disciplina., regardless of location. Because disciplina. is operated by an EU-based controller (Poland), the GDPR governs all data processing — including data belonging to users based outside the European Economic Area.
- Right of access: Request a copy of all personal data we hold about you (Art. 15).
- Right to rectification: Ask us to correct inaccurate or incomplete data (Art. 16).
- Right to erasure: Request deletion of your data ("right to be forgotten") where no overriding legal basis exists (Art. 17). For journal app users, you can delete your account directly from the app settings.
- Right to restrict processing: Ask us to pause certain processing activities while a dispute is resolved (Art. 18).
- Right to portability: Receive your data in a structured, machine-readable format (Art. 20). Trade data can be exported from the app as CSV.
- Right to object: Object to processing based on legitimate interest (Art. 21).
- Right to withdraw consent: Where processing is based on your consent (e.g., beta waitlist), you may withdraw at any time without affecting the lawfulness of prior processing.
- Right to complain: Lodge a complaint with the Polish supervisory authority: Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw — uodo.gov.pl. Users based outside the EU/EEA who wish to raise a concern may contact us directly at privacy@disciplina.app.
To exercise any of these rights, contact us at privacy@disciplina.app. We will respond within 30 days.
§10 · Cookies & Analytics
The landing page (disciplina.app) may use:
- Strictly necessary cookies — required for the site to function (no consent needed).
- Analytics cookies — used to understand how visitors interact with the page. Where these are in use, a consent banner will be shown on first visit. You may withdraw consent at any time by clearing your cookies or using your browser settings.
The journal application (journal.disciplina.app) uses session cookies issued by Supabase Auth (via Lovable Cloud) to keep you logged in. These are strictly necessary and do not require separate consent.
We do not use advertising cookies, retargeting pixels, or any third-party tracking for commercial purposes.
§11 · Security
Your data is stored in a database protected by Row Level Security (RLS) policies — meaning each user's data is strictly isolated and inaccessible to other users at the database level. Access to the database is restricted to authenticated application connections only.
Passwords are never stored in plain text; authentication uses bcrypt hashing. All connections to the service use TLS encryption in transit.
No system is perfectly secure. If you become aware of a potential security issue, please contact us at privacy@disciplina.app.
§12 · Children
disciplina. is not directed at persons under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with data, contact us and we will delete it promptly.
§13 · Changes to This Policy
We may update this policy as the product evolves. When we make material changes, we will update the "Last updated" date at the top of this page and, where required by law, notify active users by email at least 30 days before changes take effect.
Continued use of the service after the effective date constitutes acceptance of the updated policy.
§14 · Contact
For any questions, requests, or concerns about this policy or your personal data:
We aim to respond to all requests within 30 calendar days. For complex requests, we may extend this by a further two months and will inform you accordingly.