Privacy Policy
Effective date: 29 June 2026 · Data controller: Fourdesk · Contact: legal@fourdesk.io
This Privacy Policy explains how Fourdesk ("we", "us") collects, uses, stores, and protects your personal data when you use our Service. As we operate from the Canary Islands, Spain, we are subject to the EU General Data Protection Regulation (GDPR) and Spanish data protection law (LOPDGDD).
1. Data Controller
Operated from the Canary Islands, Spain. Contact: legal@fourdesk.io.
You may exercise any of your GDPR rights by contacting us at legal@fourdesk.io.
2. Data We Collect
- Account data: Your email address and authentication credentials when you register.
- Usage data: Pages visited, features used, session duration, device type, browser, and IP address.
- Journal and trading data: Trade records, mood and confidence ratings, notes, and any other content you enter into the Service.
- Chart uploads: Images you upload for analysis. These are transmitted to our AI provider for processing and are not used for any other purpose.
- Payment data: We do not store card details. Payment processors collect and handle payment information directly.
- Communications: Emails or messages you send us.
3. How We Use Your Data
- To provide, operate, and maintain the Service.
- To process chart uploads through AI analysis and return results to you.
- To generate coaching and psychological insights based on your journal data.
- To send transactional emails (account verification, password reset, billing receipts).
- To understand product usage through privacy-friendly analytics (PostHog), where you have given consent, so we can improve the Service.
- To comply with legal obligations.
4. Legal Basis for Processing (GDPR)
- Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
- Legitimate interests (Art. 6(1)(f)): Improving the Service, ensuring security, preventing fraud.
- Legal obligation (Art. 6(1)(c)): Retaining records as required by law.
- Consent (Art. 6(1)(a)): Where you have opted in to optional communications or cookies.
5. Third-Party Services
We use the following sub-processors to operate the Service:
- Supabase: Database, authentication, and file storage. Data is stored in EU regions. Privacy policy.
- Anthropic: AI provider used to generate chart analysis and coaching/psychology insights. The chart images you upload and the text you enter (for example trade notes and check-in notes) are transmitted to Anthropic's API to produce your results and may contain personal data you choose to include. Under Anthropic's commercial API terms, this data is not used to train their models. We send only what is needed to generate your results. Privacy policy.
- Vercel: Hosting and deployment infrastructure. Privacy policy.
- Stripe: Payment processing for subscriptions. Stripe collects and handles your payment details directly; we do not store card numbers. Privacy policy.
- PostHog: Product analytics, used only with your consent, with EU data hosting. Privacy policy.
- Resend: Sending transactional and notification emails (processes your email address). Privacy policy.
- Google: Optional "Sign in with Google" authentication; used only if you choose it. Privacy policy.
We do not sell your personal data to third parties.
6. Data Retention
We retain your account data for as long as your account is active. Journal entries, trade records, and uploads are retained until you delete them or close your account. Anonymised, aggregated usage data may be retained indefinitely. We will delete your personal data within 30 days of a verified account deletion request.
7. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access: Request a copy of the personal data we hold about you.
- Rectification: Ask us to correct inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Ask us to limit how we use your data in certain circumstances.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
To exercise any of these rights, contact us at legal@fourdesk.io. We will respond within 30 days.
8. Cookies
We use essential cookies for authentication, session management, and remembering your preferences (including your cookie choice). With your consent, we also use privacy-friendly analytics cookies (PostHog) to understand product usage; these are off by default and only enabled if you accept them in our cookie banner. We do not use advertising or cross-site tracking cookies. For full details and to change your choice at any time, see our Cookie Policy.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including encrypted connections (HTTPS) and access controls on our databases.
10. International Transfers
Your data is primarily processed within the EU/EEA. Where sub-processors operate outside the EEA (for example, Anthropic in the United States), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.
11. Supervisory Authority
If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD) at www.aepd.es, or with the data protection authority in your country of residence.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or in-app notice. Continued use of the Service after the effective date of any changes constitutes acceptance of the updated policy.
13. Contact
For any privacy-related questions or to exercise your rights, contact us at legal@fourdesk.io.