Benton𖢘Building

Privacy Policy

Effective date: June 1, 2026  ·  Last updated: June 1, 2026

This Privacy Policy describes how Benton Building (“we,” “us,” or “our”) collects, uses, stores, and protects information when you use the Benton Building trading analytics platform (the “Service”), including the web application and the desktop application.

By creating an account or using the Service you agree to the practices described in this policy. If you do not agree, please do not use the Service.

1. Data We Collect

Account data. When you create an account we collect your email address and display name via Firebase Authentication. We also store an approval status flag and the timestamp of account creation.

Trading & journal data. The Service is designed to help you record and analyse your trading activity. Data you enter is stored and includes:

• Trade records — ticker, date/time, direction, entry price, stop loss, targets, P&L, risk size, categories, strategies, and free-form notes
• Daily journal entries — written reflections and performance summaries
• Screenshot uploads — chart images attached to trade records (stored in Firebase Storage under your account)
• Resources — links and reference material you save
• Price alerts — symbol, condition, and alert status

Exchange credentials. If you connect a Bitget account, we store your API key, secret, and passphrase. These credentials are encrypted at rest using AES-256-GCM with a per-user derived key and are never returned to the client after being saved. They are used solely to fetch your account summary and position history from Bitget on your behalf.

Equity & position history. When exchange credentials are connected, we periodically pull your account equity, unrealized P&L, and closed-position data from Bitget and store it in a private time-series database on our servers. This data is used to render your equity curve and performance analytics within the Service.

Device & session data. We store a server-side session token (derived from your Firebase ID token) to authenticate your requests to our backend. IP addresses appear in standard server access logs. The desktop application stores a local weight file for the on-device Kronos ML model and small UI-state caches; this data never leaves your device.

Browser local storage. The web application stores UI-preference keys in your browser’s localStorage (e.g., chart settings, sidebar state, last-viewed symbol). This data is local to your device and is not transmitted to our servers.

2. How We Use Your Data

• Service delivery. To operate the application, authenticate you, display your trades and journals, render charts, and provide analytics.
• Exchange reconciliation. To match your Bitget positions against the trades you log, so the reconciliation workflow can suggest matches for your review.
• Performance analytics. To compute statistics (win rate, R multiples, equity curves) shown within your account. This processing happens on our infrastructure using your data only.
• Desktop auto-updates. The desktop application checks the GitHub Releases API at regular intervals to determine whether an update is available. No personal data is transmitted during this check.
• Account administration. To manage the manual approval process required before new accounts gain access to the Service.

3. Third-Party Services

Google’s use of data collected through Firebase is governed by Google’s Privacy Policy. Firebase operates under the EU–US Data Privacy Framework where applicable.

4. Data We Do Not Collect

• We do not use analytics or behavioural tracking tools (no Google Analytics, Mixpanel, Segment, or similar).
• We do not use cookies of any kind.
• We do not use crash-reporting or error-monitoring services (no Sentry, Datadog, or similar).
• We do not sell, rent, or share your personal data or trading data with third parties for marketing or commercial purposes.
• We do not have access to your exchange funds. API keys stored in the Service are read-only or trading-only; we never request withdrawal permissions.

5. Data Security

We take reasonable technical and organisational measures to protect your data, including:

• Encryption in transit. All communication between your browser or desktop app and our servers uses HTTPS/TLS.
• Encryption at rest. Exchange API credentials are encrypted using AES-256-GCM with a per-user key derived via scrypt before being written to the database. The encryption key material is never stored alongside the credentials.
• Access controls. Firestore security rules restrict each user to their own data. A private Firestore subcollection containing credentials is accessible only via the server-side Admin SDK — it is never readable by the client.
• Session management. Short-lived session tokens (5-minute TTL) are used in place of raw Firebase ID tokens in backend requests to limit exposure in logs.
• Account approval gate. New accounts require explicit administrator approval before gaining access to the Service, reducing the risk of unauthorised access.

No method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately at the address below.

6. Data Retention

We retain your account data, trade records, journals, and uploaded screenshots for as long as your account is active. If you request deletion of your account, we will delete your personal data within 30 days, except where retention is required by applicable law (for example, financial records required for regulatory purposes).

Equity snapshots and position history stored in our time-series database are deleted automatically when you remove your exchange credentials. Server access logs are retained for 90 days.

7. Your Rights

Under GDPR (EU/EEA/UK residents). You have the right to:

• Access — request a copy of the personal data we hold about you (Art. 15)
• Rectification — correct inaccurate or incomplete data (Art. 16)
• Erasure — request deletion of your data (“right to be forgotten”) (Art. 17)
• Portability — receive your data in a structured, machine-readable format (Art. 20)
• Restriction — restrict processing of your data in certain circumstances (Art. 18)
• Object — object to processing based on legitimate interests (Art. 21)
• Lodge a complaint with your local supervisory authority if you believe your rights have been violated

Under CCPA (California residents). You have the right to:

• Know what personal information we collect, use, disclose, and sell
• Request deletion of your personal information
• Opt out of the sale of your personal information (we do not sell personal information)
• Non-discrimination for exercising your privacy rights

To exercise any of these rights, please contact us using the details in Section 9. We will respond within 30 days (GDPR) or 45 days (CCPA) of receiving a verifiable request.

8. International Data Transfers

The Service is operated from the United States. If you access the Service from outside the United States, your data may be transferred to and processed in the United States. Firebase (Google) participates in the EU–US Data Privacy Framework and provides standard contractual clauses for data transfers from the European Economic Area.

9. Children’s Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will update the “Last updated” date at the top of this page. Continued use of the Service after changes are posted constitutes your acceptance of the updated policy.

11. Contact Us

← Back to app