Privacy Policy

Last Updated: April 2, 2026

Journalit is designed with privacy as a core principle. Your trading data stays in your Obsidian vault, and network features are entirely optional.

Overview

This Privacy Policy covers both the Journalit website (journalit.co) and the Journalit Obsidian plugin. We are committed to protecting your privacy and being transparent about what data we collect.

What We Collect

Website (journalit.co)

When you use our website:

  • Account Information - Email address and name from your OAuth provider (Google, GitHub, Discord)
  • Session Data - Authentication tokens stored in secure cookies
  • Payment Information - Processed by Stripe (we never see your full card details)
  • Operational Telemetry - Limited performance metrics and error traces used to keep the web app reliable. This does not include your trading journal content.
  • Referral Attribution Data - If you open a Journalit referral or affiliate link, we may record the partner or link identifier, landing path, referrer host, and hashed browser or network metadata needed to attribute the referral, prevent abuse, and reconcile commissions.

For a detailed breakdown, see Data, privacy and offline.

Obsidian Plugin

The plugin operates locally by default. No data is transmitted unless you enable sync features:

  • Local Data - All trades, notes, and settings stay in your Obsidian vault
  • Plugin Settings - Stored locally in your vault's plugin folder
  • Cache Data - Query results and indexes for performance, never transmitted

Optional Sync Features

When you enable backend integration:

  • Email Address - For authentication via verification code
  • MetaTrader Trades - Synced trade data (symbol, times, prices, P&L)
  • Vault Identifier - SHA-256 hashed identifier for sync coordination
  • MT Account Info - Account IDs and display names

What We Do NOT Collect

  • Manual trades you create in Obsidian
  • Trade notes or personal analysis
  • Screenshots or attachments
  • Contents of your Obsidian vault
  • Third-party advertising trackers or ad-network profiles
  • Your trading journal content for marketing analytics
  • Trading account passwords or API keys

How We Use Your Data

  • Authentication - To verify your identity and maintain your session
  • Trade Synchronization - To sync MetaTrader trades to your Obsidian vault
  • Subscription Management - To manage your premium subscription status
  • Security - FTP login attempts are logged for abuse prevention
  • Referral Attribution and Fraud Prevention - To understand which referral link led to a subscription sign-up or subscription checkout, enforce affiliate program rules such as self-referral blocking, and reconcile internal commission records

Data Security

  • All network communications use HTTPS (TLS 1.2+)
  • Authentication tokens encrypted locally with AES-256-GCM
  • Passwords hashed with bcrypt
  • Database protected by Row-Level Security - users can only access their own data

Third-Party Services

OAuth Providers

We use Google, GitHub, and Discord for authentication. Their privacy policies apply to data they collect during sign-in.

Stripe (Payments)

Subscription and one-time payments are processed by Stripe. We receive billing and subscription status updates but never see your full payment details.

Email Delivery

Verification codes are sent via email service provider. Only your email address and verification code are transmitted.

Data Retention

  • Account Data - Stored until you request deletion
  • Synced Trades - Stored until account deletion
  • Session Tokens - Expire after 30 days
  • Authentication Codes - Deleted within 24 hours
  • Security Logs - Older entries periodically cleaned
  • Referral Attribution Records - Kept only as long as reasonably necessary to reconcile affiliate referrals, investigate abuse, and maintain accounting records

Your Rights

Data Access

All your local data is accessible in your Obsidian vault. For backend data, contact us for an export.

Data Deletion

  • Local Data - Delete by removing the plugin or deleting files
  • Backend Data - Contact contact@journalit.co for complete account deletion

Opt-Out

You can use the plugin 100% offline with no network features. Disable sync in Settings to stop all data transmission.

Cookies

We use a small number of first-party cookies:

  • Session Cookie - Maintains your login state (expires when you sign out or after 30 days)
  • Referral Attribution Cookie - Set only when you arrive through a Journalit affiliate or referral link so we can attribute that visit to the correct partner during subscription sign-up or subscription checkout. This cookie is not used for third-party advertising.

We do not use third-party advertising cookies, retargeting cookies, or ad-network trackers.

Children's Privacy

Journalit is not intended for users under 18 years of age. We do not knowingly collect data from minors.

Changes to This Policy

We will notify users of material changes through:

  • Plugin update notes
  • Discord community announcements
  • GitHub release notes

Contact

Privacy questions or concerns:

Compliance

This service adheres to:

  • Obsidian Developer Policies
  • Obsidian Plugin Guidelines
  • GDPR principles (data minimization, purpose limitation, transparency)