Privacy Policy

Last updated: May 6, 2026

The short version

  • We collect what we need to run your account and the analytics on top of your trades — nothing more.
  • We never sell your data, and we don't share trade data with anyone unless you explicitly turn on a public track record.
  • Payments are handled by Stripe — we never see or store your card details.
  • Your trades are stored encrypted at rest and in transit. Only you and (if you join one) your verified mentor can see them.
  • You can export everything you've put in, or delete your account entirely, at any time from /settings.

Who we are

FlowX Journal (the "Service") is operated by THEFLOWX LLC, a limited liability company registered in Wyoming, United States.

  • Registered address: 5830 E 2nd St, Ste 7000 #34228, Casper, Wyoming 82609, United States
  • Entity ID: 2026-001925081
  • EIN: 36-5173066
  • Contact: support@theflowx.site

This Privacy Policy describes how we collect, use, store and disclose information when you visit theflowxjournal.com or use any of the apps and services we provide under the FlowX brand.

Information we collect

1. Account information

When you create an account (whether by paying first via Stripe, by redeeming a mentor invite, or by accepting an admin invitation) we store your email, name (if provided), hashed password, language and timezone preferences, and the date you signed up.

2. Trade data you give us

FlowX is a trading journal — its job is to store and analyse trades. When you import a CSV / Excel file, paste a trade manually, or attach screenshots, we store the data you submit, including: instrument, direction, entry/exit prices and times, quantity, P&L, stop loss / take profit, commissions, swap, notes, and any images you upload. We do not connect to your broker account directly — FlowX never has the credentials needed to place or modify trades on your behalf.

3. Usage and technical data

We log basic technical data needed to keep the Service secure and operational: IP address, user-agent, request timestamps, the page you reached, and HTTP status codes. We use this data to debug errors, prevent abuse, and enforce rate limits.

4. Cookies and similar technologies

We use a small set of essential cookies for authentication (signed JWT session tokens, set with the HttpOnly, Secure and SameSite=Lax attributes) and for CSRF protection.

We use Google Analytics 4 for aggregate usage measurement — pageviews, traffic sources, conversion funnel from landing to purchase. We configure GA4 with IP anonymization enabled and ad personalization signals disabled, so GA does not re-use your data across the broader Google advertising network. We do not embed Facebook Pixel, TikTok Pixel or any advertising-network pixels.

5. Payments

Card data is handled exclusively by Stripe, Inc. We never receive, store or process your card number, CVV or expiry. Stripe stores a customer record keyed to your email; we receive a customer ID and webhook events (payment succeeded / failed / refunded / cancelled) that we use to update your subscription state.

How we use your information

We use the data described above to:

  • Authenticate you and protect your account.
  • Render the dashboards, analytics, FlowX Score, Notebook, Progress Tracker and the rest of the product.
  • Generate AI briefings (FlowX Pulse) using publicly-sourced market data — your private trade history is not sent to AI providers.
  • Send transactional emails (welcome, password reset, payment receipts, plan changes, drawdown alerts), and product notifications you've opted into in /settings/notifications.
  • Process payments, refunds and subscription lifecycle events through Stripe.
  • Aggregate anonymised usage statistics (e.g. how many trades imported per platform) to improve the Service.
  • Comply with legal obligations and enforce our Terms of Service.

Subprocessors we share data with

We use a small number of carefully chosen vendors to operate the Service. We only share what each one needs to do its job, under contract:

  • Stripe, Inc. — payment processing (US).
  • Resend — transactional email delivery (US/EU).
  • Railway Corp. — application hosting (US).
  • Neon — managed Postgres database (US).
  • Anthropic / OpenAI — language-model providers for FlowX Pulse and the AI assistant. They receive only the public market context we generate; they do not receive your private trades.
  • Cloudflare — DNS, edge caching and DDoS protection (global).
  • Google Analytics 4 (Google LLC) — aggregate usage analytics. IP anonymization is enabled and ad personalization signals are disabled.

We do not sell your personal data and we do not share it with advertisers or data brokers.

Public track record (opt-in)

If — and only if — you turn on a public profile in /settings, we expose a read-only summary of your trading at theflowxjournal.com/u/<your-username>. You choose whether to share all accounts, personal accounts only, or a single prop firm account. You can revoke this at any time from the same settings page; the page goes 404 immediately.

Mentor & student data flows

On the Mentor plans, a verified mentor can view aggregate cohort statistics and per-student trade detail for students who have redeemed that mentor's invite code. Students always know they are in a cohort (their dashboard shows it) and can leave at any time. When a student leaves or a mentor cancels their subscription, the cohort link is severed and the mentor loses visibility on the student's data. We give a 30-day grace period after a mentor cancels so students don't lose Pro overnight.

Data retention

  • Active accounts: we keep your data for as long as your account exists.
  • Cancelled subscription: your data stays — we never auto-delete a paying-then-cancelled account, so you can re-subscribe and pick up where you left off.
  • Account deletion: when you delete your account from /settings, we irreversibly remove your trades, notes, playbooks, screenshots and login history within 7 days. Stripe customer/invoice data is retained for the period required by US tax and accounting law (typically 7 years).
  • Backups: daily encrypted backups of the database are kept for 30 days for disaster recovery, then rotated out.
  • Server logs: 30 days, then deleted.

Your rights

Depending on where you live (notably the EU/EEA, UK, California, and a growing number of US states), you may have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data (which you can also do yourself in /settings).
  • Export your data in a portable format. We support a one-click export from the dashboard.
  • Object to or restrict certain processing.
  • Withdraw consent at any time.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@theflowx.site from the address on your account. We respond within 30 days.

Security

We protect your data with industry-standard controls: HTTPS everywhere with HSTS preload, bcrypt-hashed passwords (12 rounds), signature verification on Stripe webhooks, rate limiting on every destructive endpoint, and routine dependency / secret scanning. No online service is invulnerable, but we do the work.

Children

FlowX is not directed at children under 18. We don't knowingly collect data from minors. If you believe a child has created an account, contact us and we will close it promptly.

Changes to this policy

We may update this policy from time to time — for example to reflect new product features or new subprocessors. When we make a material change, we'll notify active users by email at least 14 days before it takes effect, and we update the "Last updated" date at the top of this page.

Contact

For any privacy-related question, write to support@theflowx.site. Postal mail can be sent to:

THEFLOWX LLC
5830 E 2nd St, Ste 7000 #34228
Casper, Wyoming 82609
United States

© 2026 THEFLOWX LLC. All rights reserved.