Privacy Policy

Last updated: April 8, 2026

This Privacy Policy describes how Grasp Software Paweł Wąsowski ("we", "us", "our"), operating under the brand unTILTIFY, collects, uses, and protects your personal data when you use our web application at app.untiltify.com ("Service").

We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR/RODO), the Polish Act on Personal Data Protection, and other applicable data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

Grasp Software Paweł Wąsowski
Email: support@untiltify.com
Website: untiltify.com

2. What Data We Collect

2.1 Account Data

When you register, we collect:

Email address — for authentication and communication
Display name (nickname) — chosen during onboarding, shown on shared reports
Password — stored as a hashed value (we never see your plaintext password)

2.2 Trading Journal Data

Data you voluntarily enter while using the Service:

Trading account details (broker name, account size, type)
Daily profit and loss (PnL) entries
Tilt logs (emotional trading records, behaviours, triggers)
Mental playbook rules
Trading session records
Income and expense records
Feedback posts, votes, and comments

We do not collect or store: real brokerage credentials, bank account numbers, credit card details (handled by Stripe), social security numbers, or government IDs.

2.3 Technical Data

Browser type and version
Device type (desktop/mobile)
IP address (for security and abuse prevention)
Pages visited and features used (for improving the Service)

2.4 Payment Data

If you subscribe to PRO Trader, payments are processed by Stripe, Inc. We receive from Stripe: your Stripe Customer ID, subscription status, plan type, and payment dates. We never receive or store your full credit card number.

3. How We Use Your Data

Purpose	Legal Basis (GDPR Art. 6)
Providing the Service (authentication, data storage, features)	Performance of contract (Art. 6(1)(b))
Processing payments via Stripe	Performance of contract (Art. 6(1)(b))
Sending transactional emails (password reset, account notifications)	Performance of contract (Art. 6(1)(b))
Security, fraud prevention, abuse detection	Legitimate interest (Art. 6(1)(f))
Improving the Service based on usage patterns	Legitimate interest (Art. 6(1)(f))
Marketing emails (if opted in)	Consent (Art. 6(1)(a))

4. Data Sharing and Sub-processors

We do not sell your personal data. We share data only with the following third-party service providers ("sub-processors") necessary to operate the Service:

Sub-processor	Purpose	Location	Data Shared
Supabase, Inc.	Database, authentication, server-side functions	USA (AWS us-east-1)	All account and journal data
Amazon Web Services (AWS)	Static file hosting (S3 + CloudFront CDN)	USA + global edge locations	No personal data (static files only)
Stripe, Inc.	Payment processing	USA / EU	Email, Stripe Customer ID, payment data

Each sub-processor is bound by their own GDPR-compliant Data Processing Agreements (DPAs). We have signed or will sign DPAs with all sub-processors.

5. International Data Transfers

Your data is stored on servers in the United States (AWS us-east-1 region via Supabase). Data transfers from the EU/EEA to the USA are protected by:

Standard Contractual Clauses (SCCs) — incorporated into DPAs with Supabase and AWS
EU-US Data Privacy Framework — where applicable

We ensure that all data transfers comply with GDPR Chapter V requirements.

6. Data Retention

Active accounts: Your data is retained for as long as your account is active.
Deleted accounts: When you delete your account, all personal data is permanently removed within 30 days, including all trading journal entries, tilt logs, playbook rules, and other user-generated content.
Payment records: Transaction records may be retained for up to 7 years as required by tax and accounting laws.
Backups: Data may persist in encrypted backups for up to 30 days after deletion.

7. Your Rights Under GDPR

As a data subject, you have the following rights:

Right of access (Art. 15) — Request a copy of all personal data we hold about you.
Right to rectification (Art. 16) — Correct inaccurate personal data.
Right to erasure ("right to be forgotten") (Art. 17) — Request deletion of your personal data.
Right to restriction of processing (Art. 18) — Request that we limit how we use your data.
Right to data portability (Art. 20) — Receive your data in a machine-readable format.
Right to object (Art. 21) — Object to processing based on legitimate interest.
Right to withdraw consent (Art. 7(3)) — Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us at support@untiltify.com. We will respond within 30 days.

You also have the right to lodge a complaint with a supervisory authority. In Poland, this is the UODO (Urząd Ochrony Danych Osobowych) — uodo.gov.pl.

8. Cookies and Local Storage

We use the following client-side storage:

Authentication tokens (localStorage) — Essential for keeping you logged in. Cannot be disabled without losing access.
Theme preference (localStorage) — Dark/light mode setting.
Tutorial progress (localStorage) — Tracks which tutorials you've completed.
Referral code (cookie, 60 days) — If you arrived via an affiliate link. Domain: .untiltify.com.

We do not use third-party tracking cookies, analytics services (Google Analytics, etc.), or advertising pixels. We do not track you across other websites.

9. Data Security

We implement appropriate technical and organizational measures to protect your data:

All data transmitted via HTTPS/TLS encryption.
Passwords hashed using industry-standard algorithms (bcrypt via Supabase Auth).
Database access controlled by Row Level Security (RLS) — each user can only access their own data.
Infrastructure hosted on SOC 2 Type 2 certified platforms (Supabase, AWS).
Admin access restricted and logged.

10. Children's Privacy

The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-app notification at least 30 days before taking effect. The "Last updated" date at the top indicates the most recent revision.

12. Contact

For any privacy-related questions, data requests, or concerns:

Grasp Software Paweł Wąsowski
Email: support@untiltify.com
Website: untiltify.com