← Back

Privacy Notice

Last updated: 3 June 2026

This Notice explains what personal data we process when you visit createimpacts.eu or use the Create Impacts trading journal, why we process it, who we share it with, how long we keep it, and what rights you have under the EU General Data Protection Regulation ("GDPR") and the Belgian Act of 30 July 2018. We aim to be plain-spoken. If anything is unclear, email support@createimpacts.eu.

1. Who we are (data controller)

Create Impacts, a sole proprietorship registered in Belgium under enterprise number BE0799405506, registered office at Rommeldonkstraat 17, 9940 Evergem, Belgium, is the data controller for the processing described in this Notice.

Contact for any privacy question, request, or complaint: support@createimpacts.eu. We are not required to appoint a Data Protection Officer under GDPR art. 37, but the founder personally handles every privacy request.

2. Scope

This Notice applies to the website createimpacts.eu (and any sub-domain we operate, such as preview and app sub-domains), the Create Impacts web application, the transactional and marketing emails we send, and any support interaction by email.

3. What personal data we process

a) Account data

Email address, hashed password, display name, preferred language, optional avatar image, account creation date, last sign-in timestamp, and the authentication provider you used (email/password or Google).

b) Trading content you create or import

Trades, tags, setups, plans, checklists, journal notes, screenshots and PDFs you upload, calendar entries, backtests, reviews, discipline scores and any other content you enter into the Service. This content can contain personal information you choose to include (e.g. broker account references). You decide what to put in.

c) Subscription and billing data

Subscription plan, status, billing period, Paddle customer ID and Paddle transaction IDs. Payment card details and billing address are collected and stored directly by Paddle.com as Merchant of Record; we never see or store full card numbers.

d) Usage and device data

IP address, browser and device type, pages and routes visited, referrer, approximate location derived from IP, error and crash logs. Application and edge logs that contain IP addresses or request bodies are deleted after 72 hours. Aggregated metrics may be kept longer in anonymised form.

e) AI coach interactions (when enabled)

When you use AI-powered features, the prompt and a limited snapshot of your relevant journal data are sent to our AI gateway provider (Lovable Labs AB), which routes the request to the underlying model provider (OpenAI, Anthropic or Google). Per their data-processing terms, inputs are not used to train general-purpose models. Conversations are stored under your account.

f) Marketing and advertising data (consent only)

If you accept the cookie banner, we load the Meta (Facebook) Pixel in your browser and send a parallel server-side event to Meta's Conversion API. The events we send are PageView, Lead (you finished onboarding) and Purchase (you upgraded). The server-side call includes your email and user ID hashed with SHA-256, your IP address, and your user agent. We also load Google Analytics 4 with Google Consent Mode v2 to measure traffic. Without consent, none of this loads or fires.

g) Email engagement data

Whether you opened or clicked our transactional and product emails, your unsubscribe and bounce status, and the suppression list required by anti-spam law.

h) Support correspondence

Emails you send us and our replies, kept so we can follow up and improve the product.

4. Legal bases (GDPR art. 6)

ProcessingLegal basis
Account creation, authentication, providing the journalPerformance of contract, art. 6(1)(b)
Subscription management, invoicingContract + legal obligation, art. 6(1)(b) and (c)
Security logs, fraud prevention, debuggingLegitimate interests, art. 6(1)(f)
Transactional emails (account, billing, password)Contract, art. 6(1)(b)
Product update emails to existing customersLegitimate interests (soft opt-in) with one-click unsubscribe, art. 6(1)(f)
Meta Pixel, Meta Conversion API, Google AnalyticsConsent, art. 6(1)(a) + ePrivacy art. 5(3)
AI coach featuresContract, art. 6(1)(b)
Statutory record-keeping (invoices, tax)Legal obligation, art. 6(1)(c)

5. Who we share data with (sub-processors)

We use the following processors. We do not sell personal data.

ProviderPurposeLocation
Lovable Labs AB (Stockholm, Sweden)Application hosting, build and deployment infrastructure, preview environments, AI gateway routingEU
SupabaseManaged PostgreSQL database, authentication, file storageEU (Frankfurt)
CloudflareEdge hosting, CDN, DDoS protectionGlobal edge, EU points of presence preferred
Paddle.com Market LtdMerchant of Record, checkout, payments, invoicing, sales taxUK / EU (independent controller for payment data)
Meta Platforms Ireland LtdMeta Pixel and Conversion API for ad measurement (consent only)EU / US (EU-US Data Privacy Framework)
Google Ireland LtdGoogle Analytics 4, Google Sign-In (consent only for GA4)EU / US (EU-US Data Privacy Framework)
OpenAI, Anthropic, Google (AI model providers)Underlying language models for AI coach features; inputs are not used to train general modelsEU / US (SCCs)
Email delivery providerSending transactional and product emails, bounce and suppression handlingEU / US (SCCs)
Professional advisersAccounting and legal advice, when strictly necessaryBelgium

We may also disclose data to public authorities when we are legally required to do so.

6. International data transfers

We host the application and database in the EU. Some processors (notably Meta, Google and certain AI providers) may transfer data to the United States or other third countries. Those transfers are protected by an EU adequacy decision (the EU-US Data Privacy Framework where the recipient is self-certified) or by Standard Contractual Clauses approved by the European Commission, together with supplementary technical measures such as encryption in transit.

7. How long we keep data

DataRetention
Account and trading contentFor as long as your account is active; deleted or anonymised within 90 days after account deletion
Application and edge logs (including IPs)72 hours, then automatically purged
Subscription recordsDuration of the subscription + 90 days, except where law requires longer
Invoices and tax records7 years (Belgian accounting law)
Email suppression listIndefinitely, to honour your unsubscribe
Marketing events sent to Meta / GoogleUp to 24 months at the processor; we do not retain a copy beyond logs (72h)
Support emails3 years from the last interaction

8. Your rights under GDPR

You have the right to:

  • Access the personal data we hold about you (art. 15).
  • Have inaccurate data corrected (art. 16).
  • Have your data erased, including by deleting your account (art. 17).
  • Restrict processing in certain cases (art. 18).
  • Receive your data in a portable format (art. 20).
  • Object to processing based on our legitimate interests, including direct marketing (art. 21).
  • Withdraw any consent you gave us, at any time, without affecting the lawfulness of processing before withdrawal (art. 7).
  • Not be subject to fully automated decisions with legal effect (art. 22); we do not perform such decisions.

Exercise any of these rights by emailing support@createimpacts.eu. We respond within one month and free of charge, in line with art. 12 GDPR. You also have the right to lodge a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be, Drukpersstraat 35, 1000 Brussels) or with the supervisory authority of your country of residence.

9. Cookies and local storage

We use strictly necessary cookies and local-storage entries to keep you signed in and remember your preferences (theme, language, dismissed banners, consent choice). With your consent we also load marketing and analytics scripts that set their own cookies.

Name / providerTypePurposeLifetime
Supabase Auth tokens (local storage)Strictly necessaryKeep you signed inUntil sign-out or token expiry
ci_consent_marketingStrictly necessaryRemember your cookie banner choiceUntil you clear browser storage
UI preferences (theme, language, dismissed tours)Strictly necessaryRemember your interface preferencesUntil you clear browser storage
Meta Pixel (_fbp)Marketing, consentAd attribution and measurementUp to 90 days
Google Analytics 4 (_ga, _ga_*)Analytics, consentAggregate traffic measurementUp to 2 years
Paddle (during checkout only)Strictly necessary for paymentFraud prevention during a checkout you initiatedSession / short-lived

You can withdraw your consent at any time by clearing the ci_consent_marketing entry in your browser's site data and reloading the page, or by blocking third-party scripts in your browser. After withdrawal we stop loading Meta and Google scripts and stop firing server-side Conversion API events.

10. Marketing and advertising tracking

When you grant consent, two parallel channels measure ad performance:

  • Browser pixel, Meta Pixel loaded in your browser sends events to Meta with a Pixel-issued cookie ID.
  • Server-side Conversion API, our server sends the same event to Meta with a shared event_id for de-duplication, your hashed email (SHA-256), your hashed user ID (SHA-256), your IP address and your user agent. Hashing is required by Meta and means Meta cannot reverse the values to plain text.

We use this only to measure whether our ads work. We do not run audience uploads, lookalikes built from your data, or retargeting that uses your personal data, unless and until we update this Notice and ask for consent again. Meta acts as an independent controller for ad-platform purposes; their terms are at facebook.com/legal/terms/businesstools.

11. Automated decision-making and profiling

We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (GDPR art. 22).

12. Children

The Service is not directed to people under 16. Do not create an account if you are under 16. If we learn we have collected personal data from a child without a guardian's consent, we will delete it.

13. Security

We protect your data with TLS encryption in transit, encryption at rest in our managed database, row-level security so that account data is only readable by the account that owns it, hashed passwords (bcrypt/argon2 via Supabase Auth), least-privilege service credentials, and short log retention (72 hours). No system is perfectly secure, but we apply state-of-the-art practice for an EU SaaS of our size.

14. Personal data breaches

If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours of becoming aware of it, in line with GDPR art. 33, and we will notify affected users without undue delay where art. 34 requires it.

15. Changes to this Notice

We may update this Notice as the product or the law evolves. The "Last updated" date at the top changes with every revision. Material changes will be announced by email or in-app at least 14 days before they take effect. See also our Terms of Service.

16. Contact

Create Impacts, Rommeldonkstraat 17, 9940 Evergem, Belgium · support@createimpacts.eu