FCPO Journal is built for traders, not advertisers. We do not sell your data, we do not run ads, and your trading records are yours alone. This policy explains exactly what we collect, why we collect it, and how you can control it.
Overview
This Privacy Policy describes how FCPO Journal ("we", "us", "our") collects, uses, stores, and protects personal information when you use our platform at fcpojournal.com and any related services (collectively, "the Service").
This policy is written in compliance with the Personal Data Protection Act 2010 (PDPA) of Malaysia. By using the Service, you consent to the practices described in this policy.
If you have questions about how we handle your data, contact us at support@fcpojournal.com at any time.
Data We Collect
Information You Provide
| Data | When Collected | Purpose |
|---|---|---|
| Email address | Registration | Account identity, login, communication |
| Display name | Registration | Personalisation, coach/student display |
| Password (hashed) | Registration | Account authentication — never stored in plain text |
| Trade records | Journal usage | Core service functionality |
| Screenshots & images | Journal usage | Attached to trade entries for your review |
| Playbook notes | Playbook usage | Strategy documentation, stored per your account |
| Portfolio data | Portfolio usage | Account equity tracking |
| Payment information | Subscription checkout | Billing — card details handled entirely by Razorpay, not stored by us |
Information Collected Automatically
| Data | Purpose |
|---|---|
| IP address | Security, fraud prevention, session management |
| Browser type & version | Compatibility and bug diagnosis |
| Device type | Responsive design optimisation |
| Session tokens | Keeping you logged in securely (httpOnly cookies) |
| Login timestamps | Security audit trail, suspicious activity detection |
Information We Do NOT Collect
- Brokerage account credentials or API keys
- Real-time market data or live trade feeds
- Device contacts, location, or microphone/camera access
- Any data from third-party websites you visit
How We Use Your Data
We use the data we collect for the following purposes only:
- Providing the Service — storing and retrieving your trade records, notes, screenshots, and settings so the platform functions as intended
- Account management — verifying your identity, managing sessions, and enforcing plan limits
- Billing & subscriptions — processing payments, issuing receipts, managing renewals and cancellations via Razorpay
- Service communications — sending transactional emails such as payment confirmations, subscription renewal notices, and account security alerts
- Security & fraud prevention — detecting and preventing unauthorised access, abuse, and fraudulent activity
- Platform improvement — analysing aggregated, anonymised usage patterns to improve features and fix bugs
- Legal compliance — meeting obligations under Malaysian law including the PDPA 2010
We do not use your trading data, journal entries, or personal information for advertising, profiling, or sale to any third party. Your trading records are never used to train AI models or shared with financial institutions.
Data Sharing
We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:
Service Providers
| Provider | Purpose | Data Shared |
|---|---|---|
| Razorpay (Curlec) | Payment processing | Email, plan selected, payment amount — card details handled entirely by Razorpay |
| Cloud hosting provider | Server infrastructure | Encrypted database contents at rest |
All service providers are contractually bound to use your data only for the specified purpose and to maintain appropriate security measures.
Coach Access (Elite Plan)
If you are connected to a coach (Tutor account), your coach can see your name, email, plan, and active status for student management purposes. Your coach does not have access to your trade journal data, analytics, or performance metrics. Coaches can publish lessons to their student cohort. You may disconnect from a coach at any time.
Legal Requirements
We may disclose your information if required to do so by law, court order, or lawful request by a Malaysian government authority, or if we believe in good faith that disclosure is necessary to protect our rights, prevent fraud, or protect the safety of users.
Business Transfer
In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the acquiring entity. We will notify you via email and in-app notice at least 30 days before any such transfer, and you will have the option to delete your account before the transfer completes.
Storage & Security
Where Your Data Is Stored
Your data is stored on secured servers. We take reasonable technical and organisational measures to protect your personal data against unauthorised access, loss, destruction, or alteration.
Security Measures
- All data in transit is encrypted using TLS (HTTPS)
- Passwords are hashed using bcrypt with a cost factor of 12 — never stored in plain text
- Session tokens are stored as SHA-256 hashes in the database
- Refresh tokens are set as httpOnly, SameSite=Strict cookies
- Database access is restricted to application servers only
- Screenshot uploads are stored in an access-controlled directory
Payment Security
We do not store credit card numbers, FPX bank credentials, or any sensitive payment instrument data on our servers. All payment processing is handled by Razorpay, which is PCI-DSS compliant. We store only the transaction reference, amount, plan, and status for billing records.
While we implement strong security practices, no internet-based system is 100% secure. In the event of a data breach that is likely to result in a risk to your rights, we will notify you and the relevant authorities as required under Malaysian law within 72 hours of becoming aware of the breach.
Data Retention
We retain your personal data for as long as your account is active or as needed to provide the Service. Specific retention periods are as follows:
| Data Type | Retention Period |
|---|---|
| Account information (email, name) | Until account deletion + 30 days |
| Trade records & journal entries | Until account deletion (Free plan: 7 days rolling) |
| Screenshots & uploaded files | Until deleted by user or account deletion |
| Payment records | 7 years (required for financial record-keeping under Malaysian law) |
| Session tokens | 30 days or until logout |
| Server logs (IP, access logs) | 90 days |
When you delete your account, all personal data (except payment records retained for legal compliance) is permanently deleted within 30 days. Anonymised, aggregated data that cannot be linked back to you may be retained indefinitely for analytical purposes.
Your Rights
Under the Personal Data Protection Act 2010 (Malaysia) and as a matter of our commitment to you, you have the following rights regarding your personal data:
Right to Access
You may request a copy of the personal data we hold about you at any time. Requests can be made via support@fcpojournal.com. We will respond within 21 days.
Right to Correction
You may update your name and email address at any time from the Profile section in Settings. For other corrections, contact us and we will action the request within 21 days.
Right to Export
Pro and Elite subscribers can export all trade data to CSV from within the platform at any time. You may also request a full data export (including account information and payment history) by emailing us.
Right to Deletion
You may delete your account and all associated data at any time from Settings → Account → Delete Account. Deletion is permanent and irreversible. Payment records are retained for 7 years as required by law.
Right to Withdraw Consent
Where we process your data based on consent, you may withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.
Right to Lodge a Complaint
If you believe your personal data has been mishandled, you may lodge a complaint with the Department of Personal Data Protection Malaysia (JPDP) at www.pdp.gov.my.
Cookies
FCPO Journal uses a minimal set of cookies strictly necessary to operate the Service. We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
| Cookie | Type | Purpose | Expiry |
|---|---|---|---|
| fcpo_refresh | Essential | Stores your encrypted refresh token to keep you logged in securely. httpOnly and SameSite=Strict — inaccessible to JavaScript. | 30 days |
Because we use only a single essential cookie required for authentication, we do not display a cookie consent banner — essential cookies do not require consent under applicable law. You may disable cookies in your browser settings, but doing so will prevent you from staying logged in.
Children's Privacy
The Service is not directed at or intended for use by individuals under the age of 18. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@fcpojournal.com and we will delete the data promptly.
Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal obligations. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page
- Send an email notification to all registered users
- Display an in-app notice for at least 14 days
Your continued use of the Service after the updated policy takes effect constitutes your acceptance of the revised terms. We encourage you to review this policy periodically.
Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or how we handle your personal data, please contact us:
- Email: support@fcpojournal.com
- Response time: We aim to respond to all privacy-related enquiries within 2 business days
For data access or deletion requests, please include your registered email address and the nature of your request. We will verify your identity before processing any data request.