Security & Data Handling

Security and privacy are not afterthoughts at MAV. Your trade journal, your strategies, your P&L — that's some of the most personal data a trader has. Here is exactly how we handle it, who we trust to help us, and what we will never do.

Where your data lives

  • **Database & authentication:** [Supabase](https://supabase.com) (SOC 2 Type II certified). Your account, journal entries, trades, playbooks, settings, and screenshots are stored in a Supabase Postgres database hosted on AWS infrastructure. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • **Application hosting:** [Railway](https://railway.app). Our backend (FastAPI) and frontend (Next.js) run on Railway with HTTPS-only ingress. We do not log request bodies that contain journal content.
  • **Payments:** [Stripe](https://stripe.com) (PCI DSS Level 1 certified). Stripe handles all card data. MAV never sees, stores, or transmits raw card numbers, CVCs, or full card details. We only store Stripe customer IDs and subscription state.
  • **Email:** [Resend](https://resend.com). Transactional email only — account confirmations, password resets, billing receipts. We do not sell your email address.

Third-party services we send your data to

To deliver MAV's core features we share specific pieces of your data with these providers — and only the minimum needed for the feature to work:

  • **Anthropic (Claude API)** — When you ask the AI Coach a question, your journal context (trades, notes, recent activity that you choose to surface in the conversation) is sent to Anthropic's Claude API to generate the response. Anthropic does not train on API-submitted data by default, and we do not opt in to training. [Anthropic privacy policy](https://www.anthropic.com/legal/privacy).
  • **Finnhub** — Live news headlines and sentiment labels come from Finnhub's market news API. We send no user data to Finnhub; we only fetch their public news feed.
  • **Databento** — Market data (price history, contract specs) is fetched server-side from Databento. No user data is sent.
  • **TradingView (charting library, optional embeds)** — Chart rendering happens client-side in your browser. We do not transmit your account identity to TradingView.

Authentication

  • Email + password authentication is handled by Supabase Auth. Passwords are hashed with bcrypt and never stored in plaintext.
  • Sessions use short-lived JWT access tokens with refresh-token rotation.
  • You can delete your account from Settings at any time, which removes your auth record and associated data (see retention below).

What we will never do

  • We will **never sell your trade data, your journal contents, or your email address** to third parties. Ever.
  • We will **never use your private journal to train public models**. Your data is yours.
  • We will **never ask you for your broker password, API keys with trading permissions, or banking credentials**. MAV is a journal and analytics tool — we do not need order-entry access.
  • We will **never share individual user data with advertisers**.

CSV imports from brokers / journals

When you import trades from a CSV (Apex, Topstep, Tradovate, NinjaTrader, IBKR, or any broker that exports trade data), MAV parses the file server-side and creates trade records in your account. The original CSV file is stored alongside the parsed trades so you can re-import, audit, or re-process the source data later if a parser update improves how a specific broker's format is handled. The CSV lives in the same encrypted Supabase storage as the rest of your account data, scoped to your user ID, and is deleted when you delete your account (see retention below).

Data retention

  • **Active accounts:** We retain your data as long as your account is active.
  • **Cancelled subscription:** Your data stays in place — you can still log in, view history, and export. You just lose access to gated features.
  • **Account deletion:** When you delete your account from Settings, your journal data, trades, and personal information are removed from our active database within 7 days. Stripe customer records are retained as required for tax and audit (typically 7 years), but contain no trading data — only the billing record.
  • **Backups:** Encrypted Supabase backups may retain deleted data for up to 30 days before being purged on rotation.

Your data is portable

You own your journal. From Settings → Data, you can export your full journal and trade history as CSV at any time, no questions asked, no friction. If MAV ever shuts down, we will provide at least 30 days' notice and a final export window.

Reporting a security issue

If you find a vulnerability, please email **marketmavericks11@gmail.com** with details. We acknowledge reports within 24 hours during the open beta. Please do not publicly disclose until we have had a chance to fix the issue.

Open beta caveat

MAV is in open beta. While we follow security best practices and rely on certified providers (Supabase, Stripe, Railway), no software is bug-free. We treat security reports as top priority, but we want you to know the operating context. Professional traders handling sensitive records should evaluate whether MAV's current stage suits their risk tolerance before relying on it for record-keeping that has tax or compliance implications.