Privacy policy.
FX Patrol is a solo personal project. The data collection here is the minimum needed for the service to work — there is no analytics platform, no advertising network, no third-party data sharing for marketing. This page describes what's actually collected and why.
1 · What we collect
- Email address — required to identify your account across sessions. We send password-reset links and (in future) the optional morning briefing if you opt in.
- Display name — what we greet you with in the briefing and on your account page. Optional if you sign in with Google (we use the name your Google account provides).
- Password (hashed) — stored as a bcrypt hash if you sign up with email/password. The plaintext is never stored. If you only ever sign in with Google, no password is stored at all.
- Google account identifier — if you sign in via Google, we store the unique account ID Google provides (the "sub" claim) so future Google sign-ins resolve to the same account.
- Dashboard preferences — which pairs you've hidden, your custom ordering, which sections are collapsed. Saved per account so the dashboard looks the same on next login.
- Push subscription details — only if you turn on browser notifications. The endpoint URL + keys your browser provides are stored; we POST to that endpoint when a bias flips.
- Server logs — Fly.io (our host) records HTTP request logs for ~7 days for debugging and abuse prevention. Standard practice; we don't have a separate analytics layer.
2 · What we don't collect
- Trading account credentials. No broker login, no API keys, nothing that touches your money. You don't connect a broker to this service because it has no execution layer.
- Personally identifiable financial data. We don't ask for, store, or process bank details, card numbers, or trading P&L.
- Behavioural analytics. No Google Analytics, no Hotjar, no Mixpanel, no advertising pixels, no remarketing tags.
- Your conversations with anyone else. No chat monitoring, no DMs.
3 · How long we keep it
Account data stays for as long as your account exists. If you ask for your account to be deleted, we erase your user row and any data tied to it (preferences, push subscriptions, etc.) within 30 days. To request deletion, email alsibahiahmed@gmail.com.
Aggregated, non-identifying data used for the dashboard's overall track record (e.g. how often biases at a given conviction level resolved in-direction) is kept indefinitely because it's the calibration backbone — but it contains no link back to your account.
4 · Third parties
The minimum third-party services involved are:
- Fly.io — our hosting provider. Sees the same server-log data we do.
- Google — only if you choose to sign in with Google. Google handles authentication; we receive your verified email + name. See Google's own privacy policy for what they hold.
- Web Push services (Mozilla / Apple / Google) — only if you opt into browser notifications. They relay the notification to your device; we don't share the message content with them beyond what's needed to deliver it.
- Resend — used to send password-reset emails on the rare occasion you request one. Stores the recipient email + the message it sent for delivery logs.
5 · Your rights
Under UK GDPR you have the right to access, correct, or delete the personal data we hold about you, and to object to processing or request data portability. Email alsibahiahmed@gmail.com and we'll handle it within 30 days. If we ever process anything in a way you think violates your rights, you also have the right to complain to the UK Information Commissioner's Office (ICO).
6 · Changes to this policy
If the policy materially changes — e.g. if a new analytics layer gets added, or a new third party processes your data — we'll update this page. You're encouraged to check it occasionally. There's no email blast when it changes; this is a small enough operation that flooding inboxes would feel disproportionate.