Aurafy ← Back to aurafy.dev

Privacy Policy

Last updated: May 12, 2026 · Effective immediately

Aurafy is a trading journal built by one person. This page explains, in plain English, what data we collect, why, and what we do with it. The short version: your trade data lives on your machine unless you choose to use the web app, and we never sell or share your data with third parties for advertising.

1. Who we are

Aurafy is operated by the Aurafy team and serves users worldwide. The desktop app runs locally on your computer (Electron). The web app runs on Cloudflare's global infrastructure (Pages + D1 + R2). For any privacy-related question or formal request, please reach us through the contact form.

2. What we collect

Desktop app (local-first)

The desktop app stores everything on YOUR machine in a local SQLite database. We do not send your trades, journal entries, recordings, or attachments to any server. The app does send anonymous telemetry to our update server so we know how many people use it and which version they're on:

• An anonymous install ID (random UUID, regenerated on reinstall)
• App version, OS family (Mac/Windows), and basic feature usage counters
• Crash reports (only if you opt in via the prompt)

This telemetry contains no email, no trade data, no personal information.

Web app (cloud)

If you create an account on app.aurafy.dev, we store:

• Your email + a password hash (PBKDF2; we never see your raw password)
• Your trades, journal entries, accounts, settings, playbook entries, backtest sessions
• Account metadata (signup date, plan, last login, email-verification status)
• If you upgrade to Pro: a Stripe customer ID + subscription ID (Stripe stores the card data, not us)

All web data is stored on Cloudflare (D1 database for structured data, R2 for attachments/recordings). Cloudflare is the data processor; Aurafy is the data controller.

Marketing site (aurafy.dev)

We log page views (anonymized to IP + user-agent hash, never the raw IP), referrer headers, and signup funnel events. This is used to understand which pages convert. No personally identifiable information is associated with these events unless you explicitly sign up.

3. Why we collect it

• To run the product. Storing your trades is the product. Same for sending verification emails, billing you, and showing you your stats.
• To know what's working. Page views + signup events tell us which features people find. Without this, we'd be flying blind.
• To debug. Crash reports and error logs let us fix bugs before they hit you.

4. Who we share it with

We do not sell your data. We do not share it with advertisers. We share it only with these processors, and only what's strictly required for them to do their job:

• Cloudflare — hosts the web app + database + file storage. Their privacy policy.
• Stripe — processes Pro payments. We send them your email and a Stripe customer ID. They handle the card details. Their privacy policy.
• Resend — sends transactional emails (verification, password-change confirmation). They see your email address and the email body. Their privacy policy.

5. Cookies + local storage

The marketing site sets a small number of first-party cookies/localStorage entries:

• A randomly-generated visitor ID for funnel analytics (no third-party tracking)
• An A/B test variant assignment so you see a consistent version across visits
• If you sign up: an authentication token (JWT) in localStorage to keep you logged in

We do not use Google Analytics, Facebook Pixel, or any other third-party tracker.

6. Your rights

You can:

• See your data — everything we store about you is visible in the app itself
• Export it — Settings → Export trades CSV gives you a clean dump
• Delete it — Settings → Delete account permanently wipes your row and all associated data within 30 days (Cloudflare backups are auto-purged on that schedule)
• Change your email or password — Settings → Email & password
• Email us at our contact form with any privacy question — you'll get a reply from a real person

If you're in the EU/UK/EEA, you have additional rights under GDPR (access, rectification, erasure, portability, restriction, objection). To exercise them: email the address above.

7. Data retention

We keep your data as long as your account is active. If you delete your account, your row is removed from the database immediately and any associated R2 attachments are removed within 30 days. Anonymous telemetry (no personal data) is retained indefinitely for trend analysis.

8. Security

Passwords are hashed with PBKDF2 (100,000 iterations of SHA-256). Database access requires an authentication token over HTTPS. We follow Cloudflare's security best practices and use Stripe's PCI-compliant infrastructure for payments — we never see card numbers.

That said: no online service is 100% secure. If you discover a vulnerability, please email our contact form and we'll respond within 48 hours.

9. Changes to this policy

If we make material changes (e.g. we start sharing data with a new processor), we'll email all registered users at least 14 days before the change takes effect. Trivial wording fixes happen without notice.