Data Controller
The data controller for personal data collected through ZB Capital is:
- ZB Capital S.R.L.
- Registered in Italy
- Contact: support@disapline.eu
ZB Capital S.R.L. is responsible for the lawful, fair, and transparent processing of your personal data in accordance with EU Regulation 2016/679 (GDPR) and the Italian Legislative Decree 196/2003 as amended by Legislative Decree 101/2018.
Data We Collect
We collect only the data necessary to provide our service:
- Account data: email address and password (stored as a hashed credential) when you create an account
- Trading journal data: trade entries, notes, performance metrics, and any other content you voluntarily input into the platform
- Usage data: log data, IP address, browser type, operating system, pages visited, and timestamps — collected automatically when you access the service
- Device data: device identifiers, screen resolution, and timezone, used solely to deliver and improve the service
We do not collect financial account credentials, brokerage access tokens (unless you explicitly connect a broker integration), or payment card details (payment is processed directly by our payment processor and we do not store card data).
Legal Basis for Processing
Under GDPR Art. 6, we process your data on the following legal bases:
- Contract performance (Art. 6(1)(b)): processing your account data and journal content is necessary to deliver the service you signed up for
- Legitimate interests (Art. 6(1)(f)): we process usage and device data to maintain security, prevent fraud, and improve our service
- Consent (Art. 6(1)(a)): for optional analytics cookies and marketing communications, only where you have given explicit consent
- Legal obligation (Art. 6(1)(c)): we may process data when required to comply with Italian or EU legal requirements
How We Use Your Data
Your personal data is used exclusively to:
- Create and maintain your account and provide access to the platform
- Store and display your trade journal entries and performance analytics
- Send transactional emails (account verification, password reset, service notices)
- Diagnose technical issues, monitor service health, and prevent abuse
- Comply with legal and regulatory obligations
We do not sell, rent, or trade your personal data to third parties for marketing purposes. We do not use your trading data to train AI models or share it with financial institutions.
Third-Party Processors
We use a limited number of trusted sub-processors to deliver the service. Each has been assessed for GDPR compliance and is bound by a Data Processing Agreement (DPA):
- Supabase, Inc. (USA): database hosting and authentication. Data is stored in EU-region servers where available. Transfers to the US are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU).
- Vercel, Inc. (USA): application hosting and edge delivery. Transfers covered by SCCs.
- Stripe, Inc. (USA): payment processing. Stripe is responsible for PCI-DSS compliance on payment data. We receive only a tokenised reference, not card details. Transfers covered by SCCs.
Analytics data, where collected, is anonymised before processing and is never associated with an identifiable individual.
International Data Transfers
ZB Capital is based in Italy (EU). Some of our sub-processors are located in the United States, a country for which no EU adequacy decision applies. For all such transfers we rely on:
- Standard Contractual Clauses (SCCs) pursuant to European Commission Implementing Decision 2021/914/EU
- Transfer impact assessments conducted on a per-processor basis
- Technical safeguards including encryption in transit (TLS 1.2+) and at rest (AES-256)
You may request a copy of the applicable SCCs by contacting us at support@disapline.eu.
Data Retention
We retain personal data only for as long as necessary:
- Account and journal data: retained for the duration of your account and deleted within 30 days of account closure upon request
- Usage logs: retained for up to 12 months for security and diagnostic purposes, then automatically deleted
- Billing records: retained for 10 years as required by Italian fiscal law (D.P.R. 633/1972)
- Legal hold: data subject to a legal proceeding may be retained beyond these periods until resolution
Your Rights Under GDPR
As a data subject under GDPR you have the following rights, exercisable at any time by contacting support@disapline.eu:
- Right of access (Art. 15): obtain confirmation of whether we process your data and receive a copy
- Right to rectification (Art. 16): request correction of inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data where no overriding legal basis applies
- Right to restriction (Art. 18): request that we limit processing in certain circumstances
- Right to data portability (Art. 20): receive your data in a structured, machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent (Art. 7(3)): withdraw consent at any time without affecting lawfulness of prior processing
We will respond to verifiable requests within 30 days. We may need to verify your identity before processing the request.
Right to Lodge a Complaint
If you believe we have processed your data unlawfully, you have the right to lodge a complaint with the competent supervisory authority:
- Garante per la protezione dei dati personali
  Piazza Venezia 11, 00187 Roma, Italy
  Web: www.garanteprivacy.it
  Tel: +39 06 696771
You may also contact the supervisory authority of your EU member state of habitual residence.
Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- Encryption in transit using TLS 1.2 or higher
- Encryption at rest using AES-256
- Password hashing using bcrypt with salting
- Row-level security (RLS) policies ensuring users can only access their own data
- Regular security assessments and access control reviews
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Garante within 72 hours and, where required, notify affected individuals without undue delay.
Cookies
We use cookies and similar technologies to operate the service and, where you consent, to analyse usage. For full details see our Cookie Policy.
Changes to This Policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice on the platform at least 15 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised policy.
The current version and its effective date are shown at the top of this page.
Contact
For any questions about this Privacy Policy or to exercise your rights, contact us at:
- Email: support@disapline.eu
We aim to respond to all enquiries within 5 business days.