SizeForZero ("we", "us", "our") operates the SizeForZero trading journal platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you use the Service. We have written this policy to be readable in plain English, and to comply with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), Quebec's Act Respecting the Protection of Personal Information in the Private Sector (often called "Law 25"), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and other applicable privacy laws across North America.
We are a Canadian company. Our service is operated from Canada and our servers are located in North America. If you live in the European Union or United Kingdom, please note that we do not currently market the Service to those regions and do not represent compliance with the GDPR or UK GDPR.
1. The short version
- We collect the minimum data needed to run the Service.
- We never sell your personal data, and we never share it for advertising.
- Your trades and journal entries belong to you. You can export or delete them at any time.
- AI features are Premium-only and opt-in. You decide whether to enable them, and you can turn them off in one click.
- We use only essential cookies. No advertising, no analytics, no tracking pixels.
- If you have questions or want to exercise your rights, email us at privacy@sizeforzero.com. We respond within 30 days.
2. Information we collect
2.1 Information you provide
- Account information: email address, name (optional), timezone, currency preference.
- Profile information: trading experience level, preferred markets, trading style — all optional and editable in Settings.
- Trade data: trade entries, fills, positions, instruments, notes, tags, and related financial data you input or import via CSV.
- Journal entries: by default, journal entries are stored on your device only (in your browser's local storage) and never leave your device. Premium users may opt into server-side journal sync separately from AI consent.
- Billing information: if you subscribe to a paid tier, your name, billing address, and payment-card metadata are collected by Stripe on our behalf (see §6 — Subprocessors). We do not store full card numbers on our servers.
- Communications: emails or messages you send to our support team, including any attachments.
2.2 Information collected automatically
- Usage data: pages visited, features used, session duration. Held only as long as needed for security and debugging.
- Device information: browser type, operating system, and IP address — used for security (rate limiting, fraud detection) and not used for profiling or advertising.
- Cookies: we use only essential, first-party cookies required for authentication. See §10 — Cookies.
2.3 What we do NOT collect
- We do not collect Social Insurance Numbers, Social Security Numbers, government IDs, or any other sensitive identifiers.
- We do not collect brokerage account credentials, broker logins, or full payment-card numbers (Stripe handles those directly).
- We do not use third-party analytics tools, advertising trackers, or session replay tools.
- We do not buy data about you from data brokers.
3. How we use your information
We use your personal information for the following purposes:
- To provide, operate, and maintain the Service.
- To authenticate your identity and manage your account.
- To send transactional emails — sign-in links, billing notifications, account-security alerts.
- To send opt-in emails you have specifically chosen to receive (any such emails are off by default and require an explicit opt-in inside the product).
- To respond to your inquiries and provide customer support.
- To improve the Service, using aggregated and anonymised patterns that cannot be linked back to individual users.
- To comply with legal obligations and respond to lawful requests.
We do not use your personal information to provide financial advice, trading recommendations, or investment signals. We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising.
4. AI processing — Premium feature, opt-in only
SizeForZero's Premium tier offers AI-generated reflections on your trading. Because this involves sending some of your data to a third-party AI processor, we treat AI consent as a separate decision from signing up.
4.1 Our AI processing partner
As of the date above, our AI processing partner is Anthropic, PBC (the provider of the Claude models). Anthropic processes our requests in the United States. Our agreement with Anthropic includes a Data Processing Addendum, which was incorporated automatically when we accepted Anthropic's Commercial Terms of Service and is published at anthropic.com/legal/data-processing-addendum.
Anthropic's Commercial Terms forbid training on customer API data. This means your trades and any journal entries you choose to send are not used to train any AI model.
We treat the AI processor as a swappable subprocessor. If we change providers, we will update this policy and post a banner notice in the app for at least 30 days before the change takes effect. A change in the identity of the processor does not by itself require us to re-collect consent unless the data flow or retention materially changes.
4.2 What we send to the AI processor
- Trade rows you have logged: symbol, side (buy/sell), quantity, price, realised P&L, timestamps, and instrument type.
- Optional journal text — only if you have separately opted in to server-side journal storage AND turned on AI processing.
- The current month's tags you have applied to trades.
- A pseudonymous user identifier so the processor can correlate requests; this identifier is not your email or name.
4.3 What we never send to the AI processor
- Your name, email address, IP address, device identifier, or any other directly-identifying information.
- Any payment information (card number, billing address).
- Any data that belongs to other users.
4.4 Retention at the AI processor
By default, Anthropic retains API requests and responses for up to 30 days for abuse monitoring, after which they are deleted. We are pursuing a Zero Data Retention agreement with Anthropic for our production org; if and when we obtain it, we will update this policy and notify users by email. Until then, the 30-day retention applies.
4.5 Granting and withdrawing AI consent
You grant AI consent at Premium checkout, in a dedicated step before payment, with two unchecked boxes you must tick to continue. You can withdraw consent at any time by toggling AI processing off in Settings → Privacy. Withdrawal stops new AI requests immediately. Previously-generated AI insights remain visible in your account so you can read them; if you also want them deleted, contact us and we will remove them within 30 days.
When AI processing is off, the rest of the Service continues to work normally; you simply will not see new AI-generated insights.
4.6 AI is reflection, not a decision
The AI generates short reflections about your trading patterns. It does not make decisions for you, does not place trades, does not move money, and does not control any aspect of your account. Under Quebec's Law 25 and California's CPRA, the AI is therefore not engaged in "automated decision-making" with legal or similarly significant effects on you. Reflections are informational, not advisory — see our Terms of Service for the full disclaimer.
5. Legal basis for processing
Under PIPEDA and equivalent provincial laws, we process your personal information based on:
- Consent: you provide consent when you create an account, and an additional, specific consent at Premium checkout for AI processing.
- Contract performance: processing necessary to provide the Service you have asked us to provide.
- Legitimate interest: security, fraud prevention, and improving the Service in ways that do not override your rights.
- Legal obligation: compliance with applicable laws and lawful government requests.
6. Subprocessors and data sharing
We share personal information only with vendors that help us run the Service. Each one is contractually required to protect your data and use it only for the purposes we direct. Our subprocessors as of the date above:
| Vendor | Purpose | Data location |
|---|---|---|
| Google Cloud Platform | Application hosting and compute | United States (us-east1) |
| Neon | Managed Postgres database | United States |
| Stripe | Payment processing for paid subscriptions | United States and Canada |
| Anthropic, PBC | AI inference for Premium reflections (opt-in) | United States |
| Email delivery provider | Transactional and opt-in emails | North America |
We may also disclose your information when required by law, court order, or governmental request; or in connection with a merger, acquisition, or sale of assets, with notice to you. We will never sell, rent, or trade your personal information or trade data for marketing purposes.
7. Data retention
We retain different categories of data for different periods, set by what is necessary to provide the Service and comply with the law:
- Account data: for as long as your account exists. Deleted within 30 days of account closure.
- Trade and journal data: for as long as your account exists. Deleted within 30 days of account closure, or sooner on request via the in-app delete tools.
- AI insights: stored for 90 days from generation by default, so you can re-read recent reflections. Older insights are automatically purged.
- AI request logs at our processor: up to 30 days (Anthropic's default), or zero days if and when our Zero Data Retention agreement is in place.
- Billing records: retained for the period required by Canadian tax law (currently 7 years).
- Anonymised, aggregated analytics: may be retained indefinitely; cannot be re-linked to individual users.
- Backups: rotated on a 30-day cycle; deletion propagates to backups within that window.
8. Data security
We implement industry-standard technical and organisational security measures, including:
- TLS/HTTPS encryption for all data in transit.
- Encrypted database connections with SSL enforcement.
- Encryption at rest for the database (AES-256, managed by Neon).
- Passwordless authentication via signed one-time email links — no passwords stored.
- HTTP-only, secure, SameSite-strict cookies for session management.
- Content Security Policy (CSP) headers and modern security headers across all pages.
- Regular token rotation, revocation on password / security events, and rate limiting on sensitive endpoints.
- Least-privilege database access; production database changes require code review and migration history.
- Secrets stored in Google Secret Manager — not in source code.
No system is perfectly secure. If a breach occurs and we determine it poses a real risk of significant harm, we will notify affected users and the Office of the Privacy Commissioner of Canada in accordance with PIPEDA's breach-notification requirements, and any applicable provincial or U.S. state laws.
9. Your rights
9.1 Canadian residents (PIPEDA)
You have the right to:
- Access the personal information we hold about you.
- Request correction of inaccurate or incomplete information.
- Withdraw consent for collection, use, or disclosure (which may limit your access to parts of the Service).
- File a complaint with the Office of the Privacy Commissioner of Canada at priv.gc.ca.
We will respond to access and correction requests within 30 days.
9.2 Quebec residents (Law 25)
In addition to PIPEDA rights, Quebec residents have the right to:
- Data portability: request your personal information in a structured, commonly-used technological format. We provide JSON export from your account.
- Opt out of automated decision-making: we do not make automated decisions about you with legal or similarly significant effects (see §4.6). If we ever introduce such a feature, you will have the right to request human review and to obtain an explanation of how the decision was reached.
- Be informed of cross-border transfers: as noted in §11, your data may be transferred to and stored in the United States.
Quebec's Law 25 designates a "Person Responsible for the Protection of Personal Information" — for SizeForZero, that is the founder, reachable at privacy@sizeforzero.com.
9.3 California residents (CCPA / CPRA) · Do Not Sell or Share
You have the right to:
- Know what personal information we collect, use, disclose, and (if applicable) sell or share — see §2 and §6 above.
- Delete your personal information, subject to legal retention exceptions (e.g. tax records).
- Correct inaccurate personal information.
- Opt out of sale or sharing of personal information — we do not sell or share your personal information for cross-context behavioural advertising, so there is nothing to opt out of.
- Limit use of sensitive personal information — we do not use sensitive personal information for any purpose outside of providing the Service.
- Non-discrimination for exercising your privacy rights — we will not deny service, charge a different price, or provide a different level of quality because you exercised a right.
- Limit automated decision-making technology (ADMT): we do not use ADMT to make decisions about you with legal or similarly significant effects (see §4.6).
To exercise any right, email privacy@sizeforzero.com with "Privacy Request" in the subject line. We respond to verifiable requests within 45 days, with one extension of 45 days available for complex requests.
9.4 Other U.S. state residents
If you reside in Virginia, Colorado, Connecticut, Utah, Texas, Oregon, or another U.S. state with a comprehensive consumer privacy law, you may have similar rights to access, delete, and correct your data. Send a request to privacy@sizeforzero.com and we will honour the broadest applicable rights granted by your jurisdiction.
10. Cookies
We use only essential, first-party cookies required for authentication and session management. These cookies are strictly necessary for the Service to function and cannot be disabled. We do not use analytics cookies, advertising cookies, fingerprinting, or third-party tracking.
| Cookie | Purpose | Duration |
|---|---|---|
| sfz_refresh | Session authentication (refresh token) | 14 days |
11. International data transfers
Your data is stored on servers located in North America (Google Cloud Platform, US-East region; Neon database in the United States). If you are accessing the Service from outside North America, your information may be transferred to, stored, and processed in Canada or the United States. By using the Service, you consent to this transfer, and we rely on the contractual protections in our subprocessor agreements to safeguard your data during transfer.
12. Children's privacy
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are under 18, do not use the Service or send us any personal information. If we become aware that we have collected data from a child, we will delete it promptly and close the account.
13. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and (for changes affecting how we process data — including any change of AI subprocessor) by sending you an email and showing an in-app banner for at least 30 days before the change takes effect. Your continued use of the Service after the change takes effect constitutes acceptance of the updated policy.
14. Contact us
If you have questions about this Privacy Policy, want to exercise a privacy right, or wish to file a complaint about our privacy practices, contact us at:
SizeForZero
Person Responsible for the Protection of Personal Information
Email: privacy@sizeforzero.com
For complaints regarding our privacy practices that we have not resolved to your satisfaction, you may also contact:
- Office of the Privacy Commissioner of Canada — priv.gc.ca
- Commission d'accès à l'information du Québec (Quebec residents) — cai.gouv.qc.ca
- California Privacy Protection Agency (California residents) — cppa.ca.gov