Legal

Privacy Policy

Last updated: 16 July 2026

1. Who we are / data controller

Position Lens Limited ("Position Lens", "we", "us") is a company registered in England and Wales, company number 17145629, registered office 11 The Shrubbery, Farnborough, England, GU14 0RQ, United Kingdom. We are the data controller for the personal data described in this policy. Contact us at admin@positionlens.com (also written out in plain text: admin@positionlens.com) for any privacy-related query.

2. What we collect

  • Account data (Firebase Authentication): your email address; a password — managed entirely by Firebase; Position Lens never sees or stores your password; an optional display name; a Firebase user identifier (UID) and email-verified status. Google Sign-In is supported (this provides your Google account email and name via Firebase). We do not collect your phone number or profile photo. We do not maintain our own user database — Firebase is our identity provider and we reference your account solely by its Firebase user id.
  • Payment data: handled by Paddle as Merchant of Record — we do not store or process card details ourselves; we receive only transaction/subscription status from Paddle.
  • Brokerage-connection data (via SnapTrade, read-only): the brokerage login itself happens on SnapTrade's hosted flow — Position Lens never sees your brokerage username, password or credentials. Through SnapTrade's read-only access we receive and process: brokerage account identifiers (account id, name, institution name), account balances, positions and option holdings, orders, and transaction/activity history. We store a SnapTrade user identifier and an encrypted SnapTrade access secret to maintain the connection. This is sensitive financial data and we treat it accordingly.
  • Journal notes: free-text notes you write in the app, which may contain information you choose to include.
  • Usage & technical data: a session identifier, app version, device platform/OS version, and — once signed in — your Firebase user id, sent as telemetry to Honeycomb via our backend. Our infrastructure providers (Cloudflare; backend logs) process your IP address to deliver and secure the service.
  • Market data (options prices, Greeks and related market data, e.g. from ThetaData) is not personal data.

4. Sub-processors / third parties we share data with

Processor Purpose Region
Firebase / Google (privacy notice)Authentication, push notificationsUS (Google)
Paddle (privacy notice)Payments, Merchant of RecordUK/EU + US
SnapTrade (privacy notice)Brokerage data aggregation, read-only (balances, positions, orders, activity)US
ThetaData / AxiomX LLCOptions market data feedUS
Cloudflare (privacy notice)DNS / edge / securityGlobal
Zoho (Mail + Books) (privacy notice)Business email & accountingEU datacentre
Honeycomb (privacy notice)Observability / telemetry (server-side)EU (api.eu1.honeycomb.io)
NetcupApplication server & database hostingGermany (EU)

Honeycomb receives your Firebase user id and session/app metadata (app version, device platform) as part of our observability telemetry. It does not receive your IP address or any brokerage data.

We do not use any third-party web analytics tool (e.g. Google Analytics, Mixpanel). Telemetry is server-side OpenTelemetry data sent to Honeycomb only.

5. International transfers

Several of our sub-processors are based in the United States (Firebase, SnapTrade, ThetaData/AxiomX, and Paddle in part); Zoho and Honeycomb operate from EU datacentres. Where we transfer personal data outside the UK/EEA, we rely on appropriate safeguards such as the UK International Data Transfer Agreement (IDTA), Standard Contractual Clauses (SCCs), or adequacy decisions, as applicable.

6. Data retention

We retain your personal data for as long as your account is active. If you close your account or make a valid erasure request, we delete your personal data within 90 days — except where we must keep certain records longer to meet legal obligations, in particular billing and transaction records retained for 6 years to satisfy UK tax and accounting requirements. Erasure requests are handled on request; we do not currently offer automated self-service deletion. To request erasure or ask about our retention of your data, email admin@positionlens.com.

7. Security

Data transmitted between you and our service is protected by TLS/HTTPS. At rest, we encrypt the most sensitive data — your SnapTrade access secret and your aggregated portfolio snapshot — using AES-256-GCM. Authentication uses Firebase-issued JSON Web Tokens (JWT). On your device, the session token is held in the platform's secure store (Keychain on iOS/macOS, encrypted storage on Android/web).

8. Cookies

We use only strictly necessary cookies and local storage — for example, to keep you signed in and secure your session. We do not use advertising or analytics cookies. Because we set no non-essential cookies, no cookie-consent banner is required under PECR. If we introduce non-essential cookies, we will add a consent mechanism first.

9. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict, or port your personal data, to object to processing, and to withdraw consent at any time. To exercise these rights, email admin@positionlens.com (plain text: admin@positionlens.com). You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

10. Children

Our service is intended for adults aged 18 and over and is not directed at children.

11. Data hosting region

Zoho Mail and Zoho Books operate from an EU datacentre; Honeycomb telemetry is hosted in the EU (api.eu1.honeycomb.io). Our application backend and database are hosted in the EU (Germany, via Netcup). Firebase Authentication is operated by Google (United States / globally). Honeycomb and Zoho operate from EU datacentres.

12. Changes to this policy

We may update this policy from time to time. Material changes will be reflected by an updated "last updated" date at the top of this page. Contact us at admin@positionlens.com (plain text: admin@positionlens.com). Last updated: 16 July 2026.