Privacy Policy
Last updated 11 May 2026. We take your privacy seriously.
1. Who we are
Candlune Studio (“we”, “us”, “our”) operates candlune.com (“the Service”). We are the data controller for personal data processed through the Service. For privacy-related enquiries, contact us at privacy@candlune.com.
2. Data we collect
When you use Candlune, we collect the following data:
- Account data — your email address, display name, username, and hashed password. We also record whether you opt in to product emails (opting in is optional) and when you accepted the Terms and Privacy Policy.
- Session data — hashed session tokens stored in a cookie to keep you signed in.
- Trade and practice data — simulated trades, chart drawings, notes, journal entries, and performance metrics you create within the Service.
- Billing data — subscription status and Stripe customer ID. Full payment card details are processed by Stripe and never stored on our servers.
- Technical data — IP address, browser type, and device type, collected automatically when you access the Service.
- Analytics data — if you accept optional cookies, we collect page path, referrer, visitor and session identifiers, user agent, device type, browser, operating system, and viewport width to understand product usage and improve the Service.
- Marketing lead data — if you join a replay challenge without creating an account, we collect your email address, consent status, unsubscribe status, and optional attribution parameters such as UTM source or referral code.
3. How we use your data
We use your data only for the following purposes:
- To create and maintain your account.
- To authenticate you and keep your session secure.
- To provide the Service’s core features (replay sessions, trade journal, dashboard, cloud sync).
- To process subscriptions and billing through Stripe.
- To send essential service communications (password resets, billing notices, account changes).
- With your explicit opt-in, to send occasional product updates and release notes, trial reminders, replay challenges, and practice prompts by email.
- To monitor and improve the security and performance of the Service.
- With your cookie consent, to measure aggregate traffic, product usage, and conversion through first-party analytics and PostHog.
4. Legal basis for processing (UK & EU users)
Under the UK GDPR and EU GDPR, we rely on the following lawful bases:
- Contractual necessity — processing your account data, session data, trade data, and billing data to provide the Service you have subscribed to.
- Legitimate interests — maintaining the security and integrity of the Service, preventing fraud, and improving our infrastructure (technical data and essential security cookies).
- Consent — marketing emails, optional product analytics, and loading fonts from third-party CDNs (see Section 7 on cookies).
5. Data retention
We retain your data for the following periods:
- Account and trade data — retained for the lifetime of your account. On account deletion, your data is deleted within 30 days, except where we are required to retain it by law.
- Billing records — retained for the period required by applicable tax and accounting law (typically 6 years from the end of the relevant financial year).
- Session cookies — expire 30 days from login.
- Email verification codes — deleted after use or expiry (15 minutes).
- Server logs — retained for up to 90 days for security monitoring.
- Analytics events — retained for up to 13 months unless we anonymise or aggregate them earlier.
6. Data sharing and third parties
We share your data with the following service providers:
- Stripe — processes subscription payments. Stripe receives your email, name, and payment details. Stripe’s privacy policy applies to data they process. Payment card details are never stored on Candlune servers.
- Supabase — hosts our database infrastructure. Your account data, session data, and practice data are stored in Supabase’s EU (Ireland) region. Access is restricted by row-level security.
- Resend — delivers transactional and opt-in marketing emails (signup confirmations, password resets, billing notices, trial reminders, and replay challenges). Resend receives your email address and the content of the email.
- Vercel — hosts the Service. Vercel may process IP addresses and technical data as part of request handling.
- PostHog — provides optional product analytics when you accept optional cookies. Session recording, surveys, and web experiments are disabled.
We do not sell your personal data to third parties or share it for cross-context behavioural advertising. We may disclose data if required by law, court order, or to protect our legal rights.
7. Cookies and similar technologies
Candlune uses cookies and similar technologies. Here is what we set and why:
- replay_session — essential. Contains a random session token to keep you signed in. The server stores only a hash of this token. Flags: HttpOnly, SameSite=Lax. Expires 30 days from login.
- csrf_token — essential. Prevents cross-site request forgery attacks. Not HttpOnly. Lifetime: 30 days.
- cookie-consent — essential. Stores your cookie preferences. Lifetime: 1 year.
- theme — stored in localStorage (not a cookie). Remembers your light/dark theme preference.
- candlune_visitor_id — optional analytics. Random first-party visitor identifier. Lifetime: 1 year. Set only after you accept optional cookies.
- candlune_session_id — optional analytics. Random first-party session identifier. Lifetime: 30 minutes. Set only after you accept optional cookies.
- candlune_visitor_id and candlune_session_id in localStorage or sessionStorage — optional analytics identifiers used for client-side route changes after you accept optional cookies.
- candlune_marketing_attribution — optional analytics, stored in localStorage. Stores sanitized first/last campaign, referral, and landing-path fields after you accept optional cookies so we can understand which pages and campaigns lead to demo usage and signups.
- candlune:replay-session:v2 — localStorage cache used to restore your current replay session in the browser.
- candlune_demo_signup_handoff — sessionStorage and localStorage data used to carry a completed no-signup demo replay into signup and import it into your journal after checkout. Demo trade details are kept in browser storage rather than normal URL parameters, and we strip legacy demo handoff parameters from analytics paths and billing URLs after import.
- candlune:onboarding-complete and related onboarding keys — localStorage preferences used to avoid showing completed onboarding steps repeatedly.
Third-party fonts. With your consent, we load fonts from Google Fonts (fonts.googleapis.com, fonts.gstatic.com) and Fontshare (api.fontshare.com, cdn.fontshare.com). These services may receive your IP address when fonts are fetched. You can opt out via the cookie consent banner and the Service will use system fonts instead.
Stripe Checkout and Billing Portal. When you continue to Stripe Checkout or the Stripe Billing Portal, Stripe may set its own cookies as described in Stripe’s cookie policy.
Analytics. Optional analytics do not run until you select “Accept all” in the cookie banner. If you select “Essential only”, we do not set analytics identifiers or initialise PostHog for that browser. You can change your choice later using the Cookie settings link in the site footer.
8. International data transfers
Your data is primarily stored in the European Economic Area (EEA). Some of our service providers (Stripe, Supabase, Resend, Vercel) may process data in the United States. Where data is transferred outside the UK or EEA, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or reliance on the provider’s UK Extension to the EU-US Data Privacy Framework where applicable.
9. Your data protection rights
Under UK GDPR and EU GDPR, you have the following rights:
- Right of access — you can request a copy of the personal data we hold about you.
- Right to rectification — you can ask us to correct inaccurate or incomplete data.
- Right to erasure — you can ask us to delete your personal data in certain circumstances.
- Right to restrict processing — you can ask us to limit how we use your data.
- Right to data portability — you can request your data in a machine-readable format.
- Right to object — you can object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent — where processing is based on your consent, you can withdraw it at any time.
To exercise any of these rights, email us at privacy@candlune.com. We will respond within one month. You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or your local supervisory authority.
10. Data security
We implement appropriate technical and organisational measures to protect your data: passwords are hashed with scrypt, session tokens are hashed with SHA-256, all data access is protected by row-level security, communications are encrypted in transit (TLS), and we maintain Content Security Policy and CSRF protections.
In the event of a personal data breach, we will notify affected users and the relevant supervisory authority within 72 hours where required by law.
11. Children’s privacy
The Service is not intended for anyone under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the Service. Continued use after changes take effect constitutes acceptance of the updated policy.
13. Contact
For privacy enquiries or to exercise your rights, contact us at privacy@candlune.com.