Privacy Policy
Last updated: April 9, 2026
FundWarden ("we", "us", "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. By using FundWarden, you consent to the practices described here.
1. Information We Collect
1.1 Account Information (provided by you at signup and onboarding)
- Email address: used for authentication, password resets, and account communication.
- Password: hashed by our authentication provider (Supabase Auth) using bcrypt. FundWarden never stores, sees, or logs your plain-text password.
- Display name (optional): shown within the app for personalization.
- Google profile data (if you sign in via Google OAuth): email address and basic profile information provided by Google. We do not access your Google contacts, calendar, or other data.
- Referral code (optional): if you signed up through a referral link or entered a coupon code.
1.2 Trading Configuration (provided by you during onboarding and in settings)
- Account size: your trading account balance (e.g., $25,000).
- Daily loss limit percentage: the maximum daily loss you allow yourself (e.g., 1.5%).
- Max trades per day: the maximum number of trades you allow yourself per session.
- Prop firm affiliation: which prop firm you trade with (FTMO, MyFundedFX, TFT, E8, Other, or none).
- Primary instrument: what you primarily trade (gold, forex, indices, commodities, other).
- Discipline toggles: whether you allow high loss limits (>10%) or high trade counts (>3).
1.3 Trading Session Data (created during app usage)
- Session records: date, pre-session mood (calm, neutral, eager, frustrated, revenge, anxious), starting balance, daily loss percentage, max trades, lock status, lock reason, and post-session reflection notes.
- Trade records: trade number, result (win/loss/breakeven), P&L amount, instrument traded, setup quality (yes/partial/no), emotional state during trade (calm/FOMO/revenge/greedy/bored), whether lot size was increased, free-text notes on what went right and wrong, rules followed count, and source (manual or MT5).
- Alert records: when danger or warning alerts were triggered, which quote was shown, and whether the alert was acknowledged.
1.4 Prop Firm Account Data (if you use multi-account tracking)
- Firm name, account identifier (optional label), account phase (evaluation/verification/funded/personal).
- Financial parameters: initial balance, current balance, peak balance, daily drawdown %, max drawdown %, profit target %.
- Status: active, passed, failed, or archived, with failure reason and notes if applicable.
1.5 MT5 Integration Data (if you connect MetaTrader 5)
- API key: a unique key (pg_...) generated by FundWarden for authenticating webhook requests from your MT5 Expert Advisor. Stored securely in our database. Displayed in masked form after initial generation.
- Broker name: the name of your MT5 broker, sent automatically by the EA.
- MT5 account number: your MT5 login number, sent by the EA for identification.
- Heartbeat timestamps: when the EA last communicated with FundWarden (used to show connection status).
- Trade data from MT5: when a trade closes on MT5, the EA sends: deal ticket number, symbol, P&L (profit + swap + commission), lot size, trade direction (buy/sell), open time, close time, and current account balance.
1.6 Custom Rules (user-created content)
- Up to 10 custom trading rules you create (free-text, max 200 characters each). These are displayed in your rules sidebar and rule reminders.
1.7 Payment Information
- We do NOT collect or store your credit card number, debit card number, UPI ID, bank account details, or any payment credentials. All payment processing is handled entirely by Razorpay.
- What we store: subscription status (trial/active/cancelled/expired), plan type (monthly/6-month), trial end date, subscription end date, Razorpay customer ID, and Razorpay subscription ID. These are used to manage your access and billing cycle.
1.8 Information We Do NOT Collect
- We do not use any analytics, tracking pixels, or behavioral tracking tools (no Google Analytics, no Mixpanel, no Facebook Pixel, etc.).
- We do not collect your IP address for profiling or advertising purposes. IP addresses are only used temporarily for rate limiting (in-memory, not stored).
- We do not collect device information, browser fingerprints, or location data.
- We do not collect or access your open/floating trades, pending orders, or real-time market data from MT5.
2. How We Use Your Information
- Provide the Service: Log trades, calculate statistics, track streaks, monitor drawdowns, trigger alerts, lock sessions, display rule reminders, and show motivational content.
- Authentication: Verify your identity when you log in, reset your password, or connect via Google OAuth.
- Subscription management: Process payments through Razorpay, manage your billing cycle, handle trial expiration, and provide access to paid features.
- MT5 integration: Receive and process trade data from your Expert Advisor, and return alert status and session metrics for chart overlay display.
- Communication: Send email verification and password reset emails through Supabase Auth. We do not send marketing emails, newsletters, or promotional content.
- Referral tracking: If you signed up via a referral link, we track which admin referred you to calculate their commission. This does not affect your experience or pricing.
- Security: Rate limiting on authentication (5 attempts/minute), payment (3 attempts/minute), and MT5 webhook (30 requests/minute) endpoints to prevent abuse.
- Service improvement: Aggregate, anonymized statistics may be used to understand usage patterns and improve the Service. We do not sell or share individual user data for this purpose.
3. Third-Party Services
FundWarden uses the following third-party services. Each has access only to the minimum data necessary to perform its function.
3.1 Supabase (Database and Authentication)
What they process: All user data, sessions, trades, settings, and authentication (email/password, OAuth tokens). Supabase hosts our PostgreSQL database and manages authentication.
Security: Row-Level Security (RLS) policies ensure you can only access your own data. All database queries are parameterized (no SQL injection). Your password is hashed with bcrypt before storage.
Privacy policy: supabase.com/privacy
3.2 Razorpay (Payment Processing)
What they process: Your email address, subscription plan selection, and payment credentials (card details, UPI, etc.). Razorpay is PCI-DSS Level 1 compliant.
What we share with Razorpay: Your email address, selected plan ID, and an internal user ID (used to match webhook callbacks). We do not share your trading data, session data, or any other FundWarden-specific information with Razorpay.
Privacy policy: razorpay.com/privacy
3.3 Vercel (Hosting and Deployment)
What they process: HTTP requests and application logs (error logs only, no personal data in logs). Vercel serves the FundWarden website and API, and enforces HTTPS on all connections.
Privacy policy: vercel.com/legal/privacy-policy
3.4 Google (OAuth Authentication, Optional)
What they provide: If you choose to sign in with Google, Google shares your email address and basic profile information with FundWarden via Supabase Auth. We do not access your Google contacts, Drive, Calendar, or any other Google service.
Privacy policy: policies.google.com/privacy
We do not sell, rent, or share your personal data with any other third parties for advertising, marketing, or data brokerage purposes.
4. Cookies and Local Storage
4.1 Authentication Cookies (Essential)
Supabase Auth sets HTTP-only, secure cookies to manage your login session. These cookies are essential for the Service to function and cannot be disabled. They contain encrypted session tokens and are automatically refreshed on each page visit. Cookie attributes: HttpOnly, Secure, SameSite=Lax.
4.2 Referral Attribution Cookie
If you arrive at FundWarden via a referral link, we set a cookie named fundwarden_ref containing the referral code. This cookie expires after 30 days, is HttpOnly (not accessible by JavaScript), and is used solely to attribute your signup to the referring admin. The cookie is deleted after signup.
4.3 Local Storage (Browser)
- Theme preference (dark/light mode): stored via the next-themes library in localStorage. This is a UI preference only and contains no personal data.
- Rules sidebar state (collapsed/expanded): stored in sessionStorage (cleared when you close the browser tab). This is a UI preference only.
We do not use any tracking cookies, analytics cookies, or advertising cookies.
5. Data Security
We take the security of your data seriously and implement the following measures:
- Encryption in transit: All data is transmitted over HTTPS (TLS 1.2+). This applies to the website, API, MT5 webhook, and Razorpay communications.
- Database security: Row-Level Security (RLS) on all 12 database tables ensures you can only read and write your own data. All queries are parameterized to prevent SQL injection.
- Authentication security: Passwords are hashed with bcrypt. Session tokens are stored in HttpOnly, Secure cookies with SameSite=Lax. Rate limiting prevents brute-force attacks (5 auth attempts per minute).
- Webhook verification: Razorpay webhooks are verified using HMAC-SHA256 signatures. MT5 webhooks are authenticated via API key lookup.
- Security headers: Content-Security-Policy (CSP), HTTP Strict-Transport-Security (HSTS), X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy (camera, microphone, geolocation disabled).
- CORS protection: All non-GET API requests (except external webhooks) must originate from the FundWarden domain.
- Open redirect prevention: Auth callback redirects are restricted to a whitelist of internal paths.
- MT5 API key masking: Full API key shown only once on generation. Thereafter, only the last 4 characters are visible in the UI. API keys are never logged by the MT5 EA.
- No sensitive data in client code: Only public keys (Supabase URL, Supabase anon key, Razorpay public key ID) are exposed to the browser. All secret keys remain server-side only.
- Error sanitization: Error responses never expose database schemas, stack traces, internal paths, or sensitive payload data.
6. Data Retention
- Your data is retained for as long as your account is active.
- If your subscription expires, your data is retained indefinitely so you can access it if you re-subscribe.
- If you request account deletion, all your data is permanently deleted from our database, including sessions, trades, statistics, custom rules, MT5 connections, referral records, and alert history. This deletion is irreversible.
- Razorpay retains payment transaction records independently according to their own data retention policy.
- Supabase may retain database backups for up to 30 days (on the Pro plan) after data is deleted from live tables.
7. Your Rights
You have the right to:
- Access your data: All your trading data, sessions, statistics, and settings are visible within the FundWarden app at all times.
- Correct your data: You can update your account settings, edit custom rules, and modify prop firm account details at any time through the Settings page.
- Delete your data: You can request complete account deletion by emailing support@fundwarden.app. We will delete all your data within 30 days of receiving your request.
- Revoke MT5 connection: You can revoke your MT5 API key at any time from Settings, which immediately stops all data flow from your MT5 terminal to FundWarden.
- Cancel subscription: You can cancel your subscription at any time (see Terms of Service, Section 6.4).
8. Children's Privacy
FundWarden is not intended for anyone under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@fundwarden.app and we will delete that information promptly.
9. International Data Transfers
FundWarden's services are hosted on cloud infrastructure that may be located in different geographic regions. Your data may be processed and stored in:
- Supabase: Data region selected during project setup (e.g., Mumbai, Singapore, or other available regions).
- Vercel: Edge network with serverless functions that may execute in various global regions.
- Razorpay: Payment data processed in India (Razorpay's primary infrastructure).
By using FundWarden, you consent to the transfer and processing of your data in these regions.
10. Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a prominent notice within the app at least 14 days before the changes take effect. The "Last updated" date at the top of this page will be revised accordingly.
11. Contact
If you have questions about this Privacy Policy or your data, please contact us at: support@fundwarden.app