Legal
Privacy Policy
📅 Last updated: 1 June 2026
⚖️ Jurisdiction: England & Wales · UK GDPR + EU GDPR
🏢 Controller: Lorenzo Bro Limited
Important: This Privacy Policy explains how High Society FX ("we", "us", "our") collects, uses, stores, and protects your personal data when you use HSFX Journal at highsocietyfx.com. Please read this carefully. By creating an account or using our service, you acknowledge that you have read and understood this policy.
1. Who we are
Lorenzo Bro Limited, trading as High Society FX, is a company registered in England & Wales. Lorenzo Bro Limited is the data controller responsible for your personal data.
Company number: [YOUR COMPANIES HOUSE NUMBER]
Registered address: [YOUR REGISTERED ADDRESS — as shown on Companies House]
Country of incorporation: England & Wales
For all data protection enquiries, please contact us at:
privacy@highsocietyfx.com
This policy applies to all users of HSFX Journal globally. Specifically:
- For users in the United Kingdom: we operate in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as overseen by the Information Commissioner's Office (ICO).
- For users in the European Union / European Economic Area: we operate in compliance with the EU General Data Protection Regulation (EU GDPR 2016/679). As a UK-based company offering services to EU residents, we are subject to EU GDPR obligations. We are assessing whether we are required to appoint an EU Representative under Article 27 EU GDPR and will do so if required. In the meantime, EU residents may raise concerns with their local national supervisory authority (a list is available at edpb.europa.eu).
We are currently assessing whether registration with the ICO is required based on our processing activities and will register if required.
2. What data we collect
We collect only data that is necessary to provide and improve the HSFX Journal service. The following categories of personal data may be collected:
2.1 Account & identity data
- First name and surname
- Email address
- Date of birth (used solely to verify you are 18 or over)
- Password (stored as a hashed credential via Firebase Authentication — we never store your plain-text password)
- Profile display name and avatar image (optional, user-uploaded)
2.2 Trading journal data
- Trade records you manually enter: currency pairs, trade direction, R:R ratios, P&L values, pip values, session notes, trade dates, and outcomes
- Chart screenshot images you choose to upload
- Weekly journal entries, reflections, and planner notes
- Goal tracker entries
This trading data belongs to you. We do not analyse it for commercial purposes, sell it, or share it with third parties except as described in Section 5.
2.3 Account preferences & settings
- Dashboard display preferences (metric type, currency, region)
- Notification preferences
- Theme preference
2.4 Subscription & billing data
- Subscription status (trialing, active, cancelled) and dates
- Stripe Customer ID and Subscription ID (references only — we do not store card numbers or full payment details)
- Payment and billing history is held by Stripe and governed by Stripe's Privacy Policy
2.5 Technical & usage data
- Authentication logs (sign-in times, auth events) via Firebase Authentication
- Firestore access logs (read/write operations) — these are infrastructure logs held by Google/Firebase
- IP address (collected by Firebase/Google infrastructure as part of standard service operation)
We do not currently use analytics cookies or behavioural tracking scripts beyond Firebase's core infrastructure.
3. How we use your data
| Purpose | Data used | Lawful basis |
| --- | --- | --- |
| Create and manage your account | Name, email, DOB, password | Contract performance |
| Provide the trading journal service | All journal, trade, and settings data | Contract performance |
| Manage your subscription and payments | Email, subscription status, Stripe IDs | Contract performance |
| Verify minimum age (18+) | Date of birth | Legal obligation / Legitimate interests |
| Send account-related notifications (password resets, billing alerts) | Email | Contract performance / Legitimate interests |
| Respond to support requests | Email, account information | Legitimate interests |
| Prevent fraud and maintain security | Auth logs, IP address, account data | Legitimate interests / Legal obligation |
| Comply with legal obligations | As required by applicable law | Legal obligation |
We will never use your trading data for advertising, profiling, or sale to third parties.
4. Lawful basis for processing
Under UK GDPR Article 6, we process your personal data on the following lawful bases:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the HSFX Journal service you have signed up for, including account creation, trade journalling functionality, and subscription management.
- Legitimate interests (Art. 6(1)(f)): Processing necessary for our legitimate business interests, such as preventing fraud, ensuring platform security, and improving the service — where these interests are not overridden by your rights and freedoms.
- Legal obligation (Art. 6(1)(c)): Processing required to comply with applicable law, including financial record-keeping obligations.
- Consent (Art. 6(1)(a)): For any optional marketing communications or analytics beyond core service delivery. You may withdraw consent at any time.
5. Data sharing and third parties
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
5.1 Service providers (data processors)
- Google Firebase (Google LLC / Google Ireland Ltd) — We use Firebase Authentication, Cloud Firestore, and Firebase Storage to store and process your account and journal data. Firebase acts as our data processor. Google's servers are located in the EU/EEA and the US. Google is certified under the EU–US Data Privacy Framework and provides Standard Contractual Clauses for transfers. See Firebase Privacy.
- Stripe, Inc. — We use Stripe to process subscription payments. When you subscribe, you interact with Stripe's payment infrastructure directly. Stripe holds your card and billing details under their own privacy policy. We receive only a Stripe Customer ID and subscription status. See Stripe's Privacy Policy.
- Google Fonts (Google LLC) — Our pages load fonts from Google Fonts, which may log your IP address. See Google's Privacy Policy.
5.2 Legal disclosure
We may disclose your data if required to do so by law, court order, or a regulatory authority, or if we reasonably believe disclosure is necessary to protect our legal rights or the safety of any person.
5.3 Business transfer
In the event of a merger, acquisition, or sale of business assets, your data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5.4 International transfers
Firebase (Google) and Stripe may process your data outside the UK and EEA, including in the United States. These transfers are protected by:
- For UK users: Google's participation in the UK International Data Transfer Agreement (IDTA) framework, and Standard Contractual Clauses approved under UK GDPR.
- For EU/EEA users: Standard Contractual Clauses (SCCs) under EU GDPR, and Google's certification under the EU–US Data Privacy Framework.
By using our service, you acknowledge that your data may be transferred internationally under the safeguards described above.
6. Data retention
We retain your personal data for as long as necessary to provide the service and comply with our legal obligations. Specifically:
| Data type | Retention period | Reason |
| --- | --- | --- |
| Account data (name, email, DOB) | Duration of account + 30 days after deletion request | Service delivery; grace period for accidental deletion |
| Trade journal data | Duration of account; deleted on account deletion request | Service delivery |
| Uploaded chart images | Duration of account; deleted on account deletion request | Service delivery |
| Subscription & billing records | 7 years from transaction date | HMRC financial record-keeping obligations (UK law) |
| Authentication logs | Up to 90 days (held by Firebase/Google) | Security and fraud prevention |
| Support correspondence | 3 years from resolution | Legitimate interests; legal claims |
When your account is deleted, we will initiate deletion of all associated personal data within 30 days, except where retention is required by law (e.g. billing records).
7. Your rights under UK GDPR & EU GDPR
Whether you are based in the UK or the European Union/EEA, you have the following rights regarding your personal data. You can exercise these at any time by contacting us at privacy@highsocietyfx.com:
- Right of access: Request a copy of all personal data we hold about you.
- Right to rectification: Request correction of inaccurate or incomplete data.
- Right to erasure: Request deletion of your personal data ("right to be forgotten").
- Right to data portability: Request your data in a structured, machine-readable format (e.g. JSON).
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Right to object: Object to processing based on legitimate interests, including direct marketing.
How to exercise your rights
You can:
- Export your data at any time from the Settings → Data & Privacy page within the app.
- Delete your account from Settings → Delete Account. This will initiate deletion of your data.
- Contact us by email at privacy@highsocietyfx.com for any other request, including full data access requests, rectification, or restriction.
We will respond to all verifiable requests within 30 days as required by UK GDPR Article 12. If your request is complex, we may extend this by a further 60 days and will notify you.
Right to complain
If you believe we have mishandled your data, you have the right to lodge a complaint with your relevant supervisory authority:
- UK users: The Information Commissioner's Office (ICO) — ico.org.uk · Phone: 0303 123 1113
- EU/EEA users: Your national data protection authority. A full list of EU supervisory authorities is available at edpb.europa.eu
We would always appreciate the opportunity to address your concerns directly before you contact a supervisory authority — please email us first at privacy@highsocietyfx.com.
8. Security
We take the security of your data seriously and implement appropriate technical and organisational measures to protect it:
- Authentication: Passwords are never stored in plain text. Firebase Authentication uses industry-standard cryptographic hashing.
- Transport encryption: All data is transmitted over HTTPS/TLS.
- Access controls: Firestore Security Rules ensure that each user can only access their own data. No other user can read your trades, settings, or journal entries.
- Storage: Uploaded chart images are stored in Firebase Storage with access controls linked to your authenticated user account.
- Infrastructure security: We rely on Google Firebase (Google Cloud), which maintains SOC 2, ISO 27001, and other security certifications.
Despite these measures, no system is completely secure. We cannot guarantee the absolute security of data transmitted over the internet. If you believe your account has been compromised, please contact us immediately at privacy@highsocietyfx.com.
In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority (ICO for UK users; relevant EU national authority for EU users) within 72 hours, and notify affected users without undue delay where required.
9. Cookies
We use a limited number of cookies and similar technologies. Please see our Cookie Policy for full details.
In summary, we use:
- Strictly necessary cookies: Firebase Authentication session tokens required for you to stay logged in. These cannot be disabled without breaking the service.
- Third-party font loading: Google Fonts may set cookies and log your IP when fonts are loaded.
We do not currently use advertising cookies or third-party analytics cookies (e.g. Google Analytics). If this changes, we will update this policy and obtain your consent where required.
10. Children
HSFX Journal is intended for users who are 18 years of age or older. We collect date of birth during registration and do not permit users under 18 to create accounts.
If we become aware that we have inadvertently collected personal data from a person under 18, we will delete that data promptly. If you believe we hold data about a minor, please contact us at privacy@highsocietyfx.com.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the "Last updated" date at the top of this page.
- Notify you by email at the address associated with your account (for significant changes).
- Where required by law, seek your consent before applying changes that affect the basis on which we process your data.
We encourage you to review this policy periodically. Continued use of the service af