Privacy Policy
Last updated: 16 July 2026
1. Who we are / data controller
Position Lens Limited ("Position Lens", "we", "us") is a company registered in England and Wales, company number 17145629, registered office 11 The Shrubbery, Farnborough, England, GU14 0RQ, United Kingdom. We are the data controller for the personal data described in this policy. Contact us at [email protected] (also written out in plain text: [email protected]) for any privacy-related query.
2. What we collect
- Account data (Firebase Authentication): your email address; a password — managed entirely by Firebase; Position Lens never sees or stores your password; an optional display name; a Firebase user identifier (UID) and email-verified status. Google Sign-In is supported (this provides your Google account email and name via Firebase). We do not collect your phone number or profile photo. We do not maintain our own user database — Firebase is our identity provider and we reference your account solely by its Firebase user id.
- Payment data: handled by Paddle as Merchant of Record — we do not store or process card details ourselves; we receive only transaction/subscription status from Paddle.
- Brokerage-connection data (via SnapTrade, read-only): the brokerage login itself happens on SnapTrade's hosted flow — Position Lens never sees your brokerage username, password or credentials. Through SnapTrade's read-only access we receive and process: brokerage account identifiers (account id, name, institution name), account balances, positions and option holdings, orders, and transaction/activity history. We store a SnapTrade user identifier and an encrypted SnapTrade access secret to maintain the connection. This is sensitive financial data and we treat it accordingly.
- Journal notes: free-text notes you write in the app, which may contain information you choose to include.
- Usage & technical data: a session identifier, app version, device platform/OS version, and — once signed in — your Firebase user id, sent as telemetry to Honeycomb via our backend. Our infrastructure providers (Cloudflare; backend logs) process your IP address to deliver and secure the service.
- Market data (options prices, Greeks and related market data, e.g. from ThetaData) is not personal data.
3. How we use it / legal bases
We rely on the following UK GDPR Article 6 legal bases:
- Performance of a contract — to provide the service you sign up for.
- Contract — to process billing via Paddle.
- Legitimate interests — security, fraud prevention, and product improvement.
- Consent — marketing communications only, where you have opted in.
- Legal obligation — to meet our legal, accounting and regulatory duties (for example, retaining billing records).
4. Sub-processors / third parties we share data with
| Processor | Purpose | Region |
|---|---|---|
| Firebase / Google (privacy notice) | Authentication, push notifications | US (Google) |
| Paddle (privacy notice) | Payments, Merchant of Record | UK/EU + US |
| SnapTrade (privacy notice) | Brokerage data aggregation, read-only (balances, positions, orders, activity) | US |
| ThetaData / AxiomX LLC | Options market data feed | US |
| Cloudflare (privacy notice) | DNS / edge / security | Global |
| Zoho (Mail + Books) (privacy notice) | Business email & accounting | EU datacentre |
| Honeycomb (privacy notice) | Observability / telemetry (server-side) | EU (api.eu1.honeycomb.io) |
| Netcup | Application server & database hosting | Germany (EU) |
Honeycomb receives your Firebase user id and session/app metadata (app version, device platform) as part of our observability telemetry. It does not receive your IP address or any brokerage data.
We do not use any third-party web analytics tool (e.g. Google Analytics, Mixpanel). Telemetry is server-side OpenTelemetry data sent to Honeycomb only.
5. International transfers
Several of our sub-processors are based in the United States (Firebase, SnapTrade, ThetaData/AxiomX, and Paddle in part); Zoho and Honeycomb operate from EU datacentres. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or adequacy decisions, as applicable.
6. Data retention
We retain your personal data for as long as your account is active. If you close your account or make a valid erasure request, we delete your personal data within 90 days — except where we must keep certain records longer to meet legal obligations, in particular billing and transaction records retained for 6 years to satisfy UK tax and accounting requirements. Erasure requests are handled on request; we do not currently offer automated self-service deletion. To request erasure or ask about our retention of your data, email [email protected].
7. Security
Data transmitted between you and our service is protected by TLS/HTTPS. At rest, we encrypt the most sensitive data — your SnapTrade access secret and your aggregated portfolio snapshot — using AES-256-GCM. Authentication uses Firebase-issued JSON Web Tokens (JWT). On your device, the session token is held in the platform's secure store (Keychain on iOS/macOS, encrypted storage on Android/web).
8. Cookies
We use only strictly necessary cookies and local storage — for example, to keep you signed in and secure your session. We do not use advertising or analytics cookies. Because we set no non-essential cookies, no cookie-consent banner is required under PECR. If we introduce non-essential cookies, we will add a consent mechanism first.
9. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. To exercise these rights, email [email protected] (plain text: [email protected]). You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.
10. Children
Our service is intended for adults aged 18 and over and is not directed at children.
11. Data hosting region
Zoho Mail and Zoho Books operate from an EU datacentre; Honeycomb telemetry is hosted in the EU (api.eu1.honeycomb.io). Our application backend and database are hosted in the EU (Germany, via Netcup). Firebase Authentication is operated by Google (United States / globally). Honeycomb and Zoho operate from EU datacentres.
12. Changes to this policy
We may update this policy from time to time. Material changes will be reflected by an updated "last updated" date at the top of this page. Contact us at [email protected] (plain text: [email protected]). Last updated: 16 July 2026.