Privacy Policy
Effective Date: April 13, 2026
getclearflow.io
This policy explains what ClearFlow collects, how broker-synced trading data is handled, and what you control.
1. What Data We Collect
Account Information
- Name and email address when you register
- Profile details you choose to add (display name, bio, etc.)
Trading Data (via Broker Integrations)
When you connect a supported broker, we collect only the account data needed to power your journal:
- Trade history (symbol, direction, quantity, price, timestamps)
- Open and closed position data
- P&L information associated with your trades
We use broker access only for read-only sync. We do not place, modify, or cancel trades, withdraw funds, transfer assets, or initiate account activity.
Usage Data
- Pages you visit and features you use
- Device type, browser, and approximate location (country/region level)
- Timestamps of key actions (login, trade sync, etc.)
Cookies & Analytics
We use basic analytics cookies to understand how people use ClearFlow. We don't use invasive tracking or third-party ad networks. See Section 7 for details.
2. How We Use Your Data
We use your data to:
- Run the platform — display your trades and maintain your journal according to your visibility settings
- Show your trades publicly according to your privacy settings (you control what's visible)
- Sync broker data — pull your trades automatically when you connect a broker
- Improve the service — understand usage patterns, fix bugs, build new features
- Send important notices — account updates, security alerts, policy changes
- Comply with legal obligations — when required by law or regulation
We do not use your data to make automated trading decisions or to profile you for advertising.
AI Features
Private AI tools are optional and owner-only. ClearFlow only generates a review when you click the review button for a journal and date range.
- Private AI Review: sends a limited snapshot of closed-trade performance data for that range, such as summary stats, realized P&L, tickers, directions, holding-time buckets, notable trades, and recent closed trades. It excludes full private notes.
- Private Commentary Review: sends selected saved commentary notes from closed trades in that range only when you explicitly generate the review. It is used to look for wording, themes, unresolved questions, and journaling gaps.
- What is not sent: broker credentials, raw tokens or API keys, account IDs, open positions, buying power, portfolio value, or raw order IDs.
- How it is used: the AI provider processes the selected snapshot only to return owner-only reflection notes and journaling prompts for your request. ClearFlow stores the generated review so you can view it again.
- Privacy: AI reviews are visible only to the journal owner, are never shown on public journals, and are not investment advice, coaching, recommendations, signals, or predictions.
ClearFlow does not use your trades, journal data, or AI review outputs to train AI models, and our AI providers do not use API inputs or outputs to train their models.
3. Data Sharing
We do not sell your data. Full stop. We don't sell, rent, or trade your personal information to anyone.
We Share Only When Necessary
Broker Integrations (OAuth)
When you connect a broker, we exchange OAuth tokens to authenticate with their API. We pass only what's needed to complete the connection.
Service Providers
We use a small number of trusted third-party providers (hosting, email delivery, analytics) who process data on our behalf under strict data processing agreements. They don't have independent rights to use your data.
Legal Requirements
We may disclose data if required by law, court order, or to protect the rights and safety of users or the public.
Business Transfers
If ClearFlow is acquired or merges with another company, your data may transfer as part of that transaction. We'll notify you and give you the option to delete your account beforehand.
4. Broker OAuth Data
When you connect a broker, here's exactly what happens:
- You authorize the connection through the broker's own OAuth flow
- We receive an encrypted access token — we never see your broker password
- Broker API keys, OAuth tokens, and refresh tokens are stored in Supabase Vault
- We use it only to read supported account data — we cannot place, modify, or cancel trades, withdraw funds, transfer assets, or initiate account activity
- You can revoke access at any time from your ClearFlow account settings or directly from your broker's app
Tokens are refreshed automatically when they expire. Broker API keys, OAuth tokens, and refresh tokens are stored in Supabase Vault. Plaintext credential columns are blanked and protected by database constraints. Decrypted secrets are accessible only server-side via service role for sync operations. If a broker token is revoked outside ClearFlow, we stop using it once detected and remove stored access promptly.
When you disconnect a broker:
- Your OAuth tokens and API keys are deleted immediately from our systems
- Your journal entries and trade history remain on your account — this is your data and we don't delete it just because you disconnected a broker
- To delete your trade history from a specific broker, you can remove individual trades from your journal
5. Public vs. Private Data
Each journal has its own visibility setting — private, unlisted, or public — and you control it per journal.
- Private — visible only to you when logged in
- Unlisted — accessible only via a direct link with an unlisted token; not listed in the public directory
- Public — listed in the ClearFlow public directory and visible to anyone
What is always private:
- Your email address
- Your broker credentials and raw broker secrets
- Raw OAuth tokens, refresh tokens, and API keys
- Raw broker account numbers, raw order IDs, raw fill/transaction IDs, and the private broker fill ledger
- Usage logs and internal analytics
- Portfolio value and buying power (visible only to you, the journal owner)
Permanence of public content
Important: once you make a journal public, third parties (search engines, the Internet Archive, other users, screenshot tools) may cache, archive, or copy its contents.
When you change a journal to private or delete it, ClearFlow removes it from our platform immediately, but we cannot reach external caches, archives, or copies that already exist elsewhere. Treat anything you choose to publish as potentially permanent.
You can change a journal's visibility at any time from the journal page, delete individual trades, or delete your entire account from account settings.
6. Your Rights
Regardless of where you live, you have the right to:
- Access — Request a copy of all data we hold about you
- Delete — Delete your account and have your data removed
- Export — Download your trade history and journal data in a portable format (CSV/JSON)
- Correct — Ask us to fix inaccurate data
- Revoke broker access — Disconnect any broker integration at any time
- Selectively delete — Remove trade data from a specific broker while keeping the rest of your journal
- Opt out of communications — Unsubscribe from non-essential emails at any time
California residents (CCPA): You have the additional right to know the categories of personal information we've collected and the right to non-discrimination for exercising your privacy rights.
EU/EEA/UK residents: ClearFlow is intended for US residents only (see Terms §2). We do not knowingly offer the service to, or process personal data about, EU/EEA/UK residents. If you believe you are an EU/EEA/UK resident and have an account, you may request deletion under GDPR Article 17 by emailing privacy@getclearflow.io and we will remove your data. Where any processing of EU personal data occurs incidentally, our legal basis is contractual necessity (Art. 6(1)(b)) and legitimate interests (Art. 6(1)(f)).
International data transfers. ClearFlow's infrastructure is primarily in the United States (hosting: Vercel, Inc.; database: Supabase, Inc.). If you access the service from outside the US, your data will be transferred to and processed in the US, which may not offer the same level of data protection as your home jurisdiction. By using the service, you consent to this transfer to the extent permitted by applicable law.
To exercise any of these rights, email privacy@getclearflow.io or use the account settings dashboard. We'll respond within 30 days.
7. Cookies
We use cookies for:
- Session management — keeping you logged in
- Basic analytics — understanding which pages are used (we use privacy-respecting analytics, not Google Analytics)
- Preferences — remembering your display settings
We do not use cookies for advertising, tracking across other websites, or building behavioral profiles.
You can disable cookies in your browser settings. Disabling session cookies will prevent you from staying logged in.
8. Data Retention
When you delete your account, your public profile and trades are removed immediately. Backups are purged on a rolling 90-day cycle.
9. Security
We take security seriously:
- All data is transmitted over TLS/HTTPS
- Broker API keys, OAuth tokens, and refresh tokens are stored in Supabase Vault; plaintext credential columns are blanked
- Access to production data is limited to authorized personnel only
- We conduct regular security reviews and dependency audits
- We will notify you promptly if a breach affects your personal data
No system is 100% secure. If you discover a security issue, please email privacy@getclearflow.io responsibly.
10. Children's Privacy
ClearFlow is for users 18 and older. We do not knowingly collect personal data from anyone under 18. If we become aware that a user is underage, we will delete their account and data immediately.
If you believe a minor has registered, please contact us at privacy@getclearflow.io.
11. Changes to This Policy
We may update this Privacy Policy as the platform evolves. When we make significant changes, we'll notify you via email or an in-app notice at least 14 days before the changes take effect. The effective date at the top of this document will always reflect the latest version.
12. Contact
Questions, requests, or concerns about your privacy? Email us at privacy@getclearflow.io
We're a small team and we take these seriously.