Last updated: 3 June 2026
This Notice explains what personal data we process when you visit createimpacts.eu or use the Create Impacts trading journal, why we process it, who we share it with, how long we keep it, and what rights you have under the EU General Data Protection Regulation ("GDPR") and the Belgian Act of 30 July 2018. We aim to be plain-spoken. If anything is unclear, email support@createimpacts.eu.
Create Impacts, a sole proprietorship registered in Belgium under enterprise number BE0799405506, registered office at Rommeldonkstraat 17, 9940 Evergem, Belgium, is the data controller for the processing described in this Notice.
Contact for any privacy question, request, or complaint: support@createimpacts.eu. We are not required to appoint a Data Protection Officer under GDPR art. 37, but the founder personally handles every privacy request.
This Notice applies to the website createimpacts.eu (and any sub-domain we operate, such as preview and app sub-domains), the Create Impacts web application, the transactional and marketing emails we send, and any support interaction by email.
a) Account data
Email address, hashed password, display name, preferred language, optional avatar image, account creation date, last sign-in timestamp, and the authentication provider you used (email/password or Google).
b) Trading content you create or import
Trades, tags, setups, plans, checklists, journal notes, screenshots and PDFs you upload, calendar entries, backtests, reviews, discipline scores and any other content you enter into the Service. This content can contain personal information you choose to include (e.g. broker account references). You decide what to put in.
c) Subscription and billing data
Subscription plan, status, billing period, Paddle customer ID and Paddle transaction IDs. Payment card details and billing address are collected and stored directly by Paddle.com as Merchant of Record; we never see or store full card numbers.
d) Usage and device data
IP address, browser and device type, pages and routes visited, referrer, approximate location derived from IP, error and crash logs. Application and edge logs that contain IP addresses or request bodies are deleted after 72 hours. Aggregated metrics may be kept longer in anonymised form.
e) AI coach interactions (when enabled)
When you use AI-powered features, the prompt and a limited snapshot of your relevant journal data are sent to our AI gateway provider (Lovable Labs AB), which routes the request to the underlying model provider (OpenAI, Anthropic or Google). Per their data-processing terms, inputs are not used to train general-purpose models. Conversations are stored under your account.
f) Marketing and advertising data (consent only)
If you accept the cookie banner, we load the Meta (Facebook) Pixel in your browser and send a parallel server-side event to Meta's Conversion API. The events we send are PageView, Lead (you finished onboarding) and Purchase (you upgraded). The server-side call includes your email and user ID hashed with SHA-256, your IP address, and your user agent. We also load Google Analytics 4 with Google Consent Mode v2 to measure traffic. Without consent, none of this loads or fires.
g) Email engagement data
Whether you opened or clicked our transactional and product emails, your unsubscribe and bounce status, and the suppression list required by anti-spam law.
h) Support correspondence
Emails you send us and our replies, kept so we can follow up and improve the product.
| Processing | Legal basis |
|---|---|
| Account creation, authentication, providing the journal | Performance of contract, art. 6(1)(b) |
| Subscription management, invoicing | Contract + legal obligation, art. 6(1)(b) and (c) |
| Security logs, fraud prevention, debugging | Legitimate interests, art. 6(1)(f) |
| Transactional emails (account, billing, password) | Contract, art. 6(1)(b) |
| Product update emails to existing customers | Legitimate interests (soft opt-in) with one-click unsubscribe, art. 6(1)(f) |
| Meta Pixel, Meta Conversion API, Google Analytics | Consent, art. 6(1)(a) + ePrivacy art. 5(3) |
| AI coach features | Contract, art. 6(1)(b) |
| Statutory record-keeping (invoices, tax) | Legal obligation, art. 6(1)(c) |
We use the following processors. We do not sell personal data.
| Provider | Purpose | Location |
|---|---|---|
| Lovable Labs AB (Stockholm, Sweden) | Application hosting, build and deployment infrastructure, preview environments, AI gateway routing | EU |
| Supabase | Managed PostgreSQL database, authentication, file storage | EU (Frankfurt) |
| Cloudflare | Edge hosting, CDN, DDoS protection | Global edge, EU points of presence preferred |
| Paddle.com Market Ltd | Merchant of Record, checkout, payments, invoicing, sales tax | UK / EU (independent controller for payment data) |
| Meta Platforms Ireland Ltd | Meta Pixel and Conversion API for ad measurement (consent only) | EU / US (EU-US Data Privacy Framework) |
| Google Ireland Ltd | Google Analytics 4, Google Sign-In (consent only for GA4) | EU / US (EU-US Data Privacy Framework) |
| OpenAI, Anthropic, Google (AI model providers) | Underlying language models for AI coach features; inputs are not used to train general models | EU / US (SCCs) |
| Email delivery provider | Sending transactional and product emails, bounce and suppression handling | EU / US (SCCs) |
| Professional advisers | Accounting and legal advice, when strictly necessary | Belgium |
We may also disclose data to public authorities when we are legally required to do so.
We host the application and database in the EU. Some processors (notably Meta, Google and certain AI providers) may transfer data to the United States or other third countries. Those transfers are protected by an EU adequacy decision (the EU-US Data Privacy Framework where the recipient is self-certified) or by Standard Contractual Clauses approved by the European Commission, together with supplementary technical measures such as encryption in transit.
| Data | Retention |
|---|---|
| Account and trading content | For as long as your account is active; deleted or anonymised within 90 days after account deletion |
| Application and edge logs (including IPs) | 72 hours, then automatically purged |
| Subscription records | Duration of the subscription + 90 days, except where law requires longer |
| Invoices and tax records | 7 years (Belgian accounting law) |
| Email suppression list | Indefinitely, to honour your unsubscribe |
| Marketing events sent to Meta / Google | Up to 24 months at the processor; we do not retain a copy beyond logs (72h) |
| Support emails | 3 years from the last interaction |
You have the right to:
Exercise any of these rights by emailing support@createimpacts.eu. We respond within one month and free of charge, in line with art. 12 GDPR. You also have the right to lodge a complaint with the Belgian Data Protection Authority (dataprotectionauthority.be, Drukpersstraat 35, 1000 Brussels) or with the supervisory authority of your country of residence.
We use strictly necessary cookies and local-storage entries to keep you signed in and remember your preferences (theme, language, dismissed banners, consent choice). With your consent we also load marketing and analytics scripts that set their own cookies.
| Name / provider | Type | Purpose | Lifetime |
|---|---|---|---|
| Supabase Auth tokens (local storage) | Strictly necessary | Keep you signed in | Until sign-out or token expiry |
ci_consent_marketing | Strictly necessary | Remember your cookie banner choice | Until you clear browser storage |
| UI preferences (theme, language, dismissed tours) | Strictly necessary | Remember your interface preferences | Until you clear browser storage |
Meta Pixel (_fbp) | Marketing, consent | Ad attribution and measurement | Up to 90 days |
Google Analytics 4 (_ga, _ga_*) | Analytics, consent | Aggregate traffic measurement | Up to 2 years |
| Paddle (during checkout only) | Strictly necessary for payment | Fraud prevention during a checkout you initiated | Session / short-lived |
You can withdraw your consent at any time by clearing the ci_consent_marketing entry in your browser's site data and reloading the page, or by blocking third-party scripts in your browser. After withdrawal we stop loading Meta and Google scripts and stop firing server-side Conversion API events.
When you grant consent, two parallel channels measure ad performance:
event_id for de-duplication, your hashed email (SHA-256), your hashed user ID (SHA-256), your IP address and your user agent. Hashing is required by Meta and means Meta cannot reverse the values to plain text.We use this only to measure whether our ads work. We do not run audience uploads, lookalikes built from your data, or retargeting that uses your personal data, unless and until we update this Notice and ask for consent again. Meta acts as an independent controller for ad-platform purposes; their terms are at facebook.com/legal/terms/businesstools.
We do not make decisions about you that produce legal or similarly significant effects based solely on automated processing (GDPR art. 22).
The Service is not directed to people under 16. Do not create an account if you are under 16. If we learn we have collected personal data from a child without a guardian's consent, we will delete it.
We protect your data with TLS encryption in transit, encryption at rest in our managed database, row-level security so that account data is only readable by the account that owns it, hashed passwords (bcrypt/argon2 via Supabase Auth), least-privilege service credentials, and short log retention (72 hours). No system is perfectly secure, but we apply state-of-the-art practice for an EU SaaS of our size.
If a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Belgian Data Protection Authority within 72 hours of becoming aware of it, in line with GDPR art. 33, and we will notify affected users without undue delay where art. 34 requires it.
We may update this Notice as the product or the law evolves. The "Last updated" date at the top changes with every revision. Material changes will be announced by email or in-app at least 14 days before they take effect. See also our Terms of Service.
Create Impacts, Rommeldonkstraat 17, 9940 Evergem, Belgium · support@createimpacts.eu