Privacy Policy

Last Updated: June 11, 2026

Journalit is designed with privacy as a core principle. Your trading data stays in your Obsidian vault, and network features are entirely optional.

Overview

This Privacy Policy covers both the Journalit website (journalit.co) and the Journalit Obsidian plugin. We are committed to protecting your privacy and being transparent about what data we collect.

What We Collect

Website (journalit.co)

When you use our website:

  • Account Information - Email address and name from your OAuth provider (Google, GitHub, Discord)
  • Session Data - Authentication tokens stored in secure cookies
  • Payment Information - Processed by Stripe (we never see your full card details)
  • Operational Telemetry - Limited performance metrics and error traces used to keep the web app reliable. This does not include your trading journal content.
  • Website Analytics - First-party analytics used to understand landing-page performance, downloads, sign-ups, checkout starts, subscriptions, and enterprise enquiry flow. We do not send trade journal content, broker files, email addresses, names, company names, phone numbers, or message text to analytics tools.
  • Referral Attribution Data - If you open a Journalit referral or affiliate link, we may record the partner or link identifier, landing path, referrer host, and hashed browser or network metadata needed to attribute the referral, prevent abuse, and reconcile commissions.

For a detailed breakdown, see Data, privacy and offline.

Obsidian Plugin

The plugin operates locally by default. No data is transmitted unless you enable sync features:

  • Local Data - All trades, notes, and settings stay in your Obsidian vault
  • Plugin Settings - Stored locally in your vault's plugin folder
  • Cache Data - Query results and indexes for performance, never transmitted

Optional Sync Features

When you enable backend integration:

  • Email Address - For authentication via verification code
  • MetaTrader Trades - Synced trade data (symbol, times, prices, P&L)
  • Vault Identifier - SHA-256 hashed identifier for sync coordination
  • MT Account Info - Account IDs and display names

Optional Trade Import

Trade Import is an optional Pro feature that processes selected broker exports on Journalit backend servers. It is not part of the offline manual journalling workflow.

  • Uploaded Files - When you choose to import a broker export, the selected CSV, XLSX, XLS, HTML, or broker statement file is uploaded for processing.
  • Possible File Contents - Broker exports may contain account identifiers, trade history, symbols, timestamps, prices, quantities, fees, balances, and P&L.
  • Import Context - The plugin may send the selected account name, broker/file/mapping choices, custom field definitions and saved options, and limited local open-trade context needed for broker-specific matching such as IBKR open-position matching.
  • Processing Behaviour - Raw files are processed for the requested import and are not stored by default. The backend returns preview data; final note creation remains local in your Obsidian vault.
  • Control - Trade Import requires sign-in and an active Pro subscription before upload. The plugin shows an upload acknowledgement before processing each view session.

What We Do NOT Collect

  • Manual trades you create in Obsidian
  • Trade notes or personal analysis
  • Screenshots or attachments
  • Contents of your Obsidian vault
  • Third-party advertising trackers or ad-network profiles
  • Your trading journal content for marketing analytics
  • Trading account passwords or API keys
  • Manual trades, personal notes, screenshots, or attachments unless you explicitly use a network-backed feature that discloses what it uploads

How We Use Your Data

  • Authentication - To verify your identity and maintain your session
  • Trade Synchronization - To sync MetaTrader trades to your Obsidian vault
  • Trade Import Processing - To analyse selected broker exports, generate import previews, apply broker-specific matching logic, and return structured preview data to the plugin
  • Subscription Management - To manage your premium subscription status
  • Security - FTP login attempts are logged for abuse prevention
  • Referral Attribution and Fraud Prevention - To understand which referral link led to a subscription sign-up or subscription checkout, enforce affiliate program rules such as self-referral blocking, and reconcile internal commission records

Data Security

  • All network communications use HTTPS (TLS 1.2+)
  • Authentication tokens encrypted locally with AES-256-GCM
  • Passwords hashed with bcrypt
  • Database protected by Row-Level Security - users can only access their own data

Third-Party Services

OAuth Providers

We use Google, GitHub, and Discord for authentication. Their privacy policies apply to data they collect during sign-in.

Stripe (Payments)

Subscription and one-time payments are processed by Stripe. We receive billing and subscription status updates but never see your full payment details.

Email Delivery

Verification codes are sent via an email service provider. Only your email address and verification code are transmitted.

Website Analytics

We use website analytics to measure aggregate site performance and product-funnel events such as downloads, sign-up starts, checkout starts, subscriptions, and enterprise form submissions. Analytics events must not contain personal identifiers or trading journal content.

Data Retention

  • Account Data - Stored until you request deletion
  • Synced Trades - Stored until account deletion
  • Trade Import Files - Processed for the requested import and not stored by default
  • Session Tokens - Expire after 30 days
  • Authentication Codes - Deleted within 24 hours
  • Security Logs - Older entries periodically cleaned
  • Referral Attribution Records - Kept only as long as reasonably necessary to reconcile affiliate referrals, investigate abuse, and maintain accounting records

Your Rights

Data Access

All your local data is accessible in your Obsidian vault. For backend data, contact us for an export.

Data Deletion

  • Local Data - Delete by removing the plugin or deleting files
  • Backend Data - Contact contact@journalit.co for complete account deletion

Opt-Out

You can use the plugin 100% offline with no network features. Disable sync in Settings to stop all data transmission.

Cookies

We use a small number of first-party cookies:

  • Session Cookie - Maintains your login state (expires when you sign out or after 30 days)
  • Referral Attribution Cookie - Set only when you arrive through a Journalit affiliate or referral link so we can attribute that visit to the correct partner during subscription sign-up or subscription checkout. This cookie is not used for third-party advertising.
  • Analytics Cookies or Identifiers - Used to measure aggregate website usage and SEO/product-funnel performance. They are not used for third-party advertising or retargeting.

We do not use third-party advertising cookies, retargeting cookies, or ad-network trackers.

Children's Privacy

Journalit is not intended for users under 18 years of age. We do not knowingly collect data from minors.

Changes to This Policy

We will notify users of material changes through:

  • Plugin update notes
  • Discord community announcements
  • GitHub release notes

Contact

Privacy questions or concerns:

Compliance

This service adheres to:

  • Obsidian Developer Policies
  • Obsidian Plugin Guidelines
  • GDPR principles (data minimization, purpose limitation, transparency)