Privacy Policy
Last updated: 25 April 2026
This Privacy Policy explains how detilt (operated by DroidBender BV, a Belgian company) collects, uses, and protects your personal data, and what rights you have under the EU General Data Protection Regulation (GDPR) and Belgian law.
Plain English: we collect what we need to run the coach, store it under your account, never sell it, never feed it into AI training, and delete it permanently when you delete your account.
1. Who we are
We are DroidBender BV, a Belgian private limited company. Registered office and company number: BE 0556.808.902. Contact: info@websitesbymartijn.be.
We are the data controller for the personal data we process through detilt.app.
2. What personal data we collect
- Account data — email address, name (you provide), hashed password (handled by our auth provider).
- Profile data — your trading rules, prop firm, daily loss limit, what you struggle with, sessions you trade, timezone. Provided by you during onboarding and editable any time in Settings.
- Conversations — every message you send the coach and every coach response, stored under your account so the coach has continuity day to day.
- Journal entries — short summaries written by the coach from your conversations.
- Session logs — pre/post-session check-ins.
- Technical data — IP address (used for rate-limiting and security), user agent, basic event analytics through Vercel Analytics (privacy-respecting, no cookies, no fingerprinting).
- Communications with us — emails you send to info@websitesbymartijn.be and our replies.
We do not knowingly collect special categories of data (health, religion, biometrics, etc.). Please do not share special-category data with the coach.
3. How we use your data
- Provide the Service. Load your profile and rules on every coaching message; generate your daily journal; show your conversation history.
- Operate and secure the platform. Rate-limit abuse, debug errors, prevent fraud.
- Improve the product. Aggregated, anonymised metrics on how the coach is used (without reading your conversations).
- Communicate with you. Account verification, password reset, important service announcements.
We do not: sell your data, share it with advertisers, build a profile of you for marketing, feed your conversations into AI training pipelines, or use your data for any purpose unrelated to providing detilt.
4. Legal basis for processing (GDPR Art. 6)
- Contract performance (Art. 6(1)(b)) — to deliver the Service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — to secure the platform, prevent abuse, and improve the product. We have assessed that our legitimate interest does not override your rights.
- Legal obligation (Art. 6(1)(c)) — when we must process data to comply with the law (e.g. tax records for paid subscriptions).
- Consent (Art. 6(1)(a)) — for any optional communications you opt in to.
5. Who we share your data with (processors)
We use a limited number of trusted processors. Each is bound by a data processing agreement and may only process your data on our instructions and for the purpose of delivering the Service.
- Anthropic, Inc. (United States) — processes the messages you send the coach to generate AI responses. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission for this transfer. Anthropic does not use API customer data to train models by default, and we do not enable any opt-in that would allow them to.
- Supabase — hosts your account, profile, and conversation data. We use the EU region.
- Vercel — hosts the application and provides privacy-respecting analytics (no cookies, no fingerprinting).
- Email provider (e.g. Resend, Postmark, or similar) — sends transactional emails such as signup verification and password reset. [Confirm provider before going live.]
- Stripe — when paid plans launch, Stripe processes payments. Stripe is the data controller for payment data; we never see your card number.
We do not share data with anyone else except where required by law (e.g. court order) or to protect our rights, users, or the public.
6. International transfers
Anthropic is located in the United States. Where personal data is transferred outside the European Economic Area, we rely on appropriate safeguards under GDPR Art. 46 — primarily the European Commission's Standard Contractual Clauses (SCCs) — together with supplementary technical and organisational measures.
7. How long we keep your data
- Active accounts. Your data is kept for as long as your account exists.
- Account deletion. When you delete your account (Settings → Account → Delete account), we permanently wipe all profile, conversation, journal, and session data within minutes. There is no soft delete and no shadow copy.
- Operational backups. Encrypted Supabase backups are retained for up to 30 days for disaster recovery only and then auto-expire.
- Billing records. When paid plans launch, invoice records may be retained as required by Belgian/EU tax law (typically 7 years), even after account deletion.
- Support emails. Retained up to 24 months from the last interaction.
8. Your rights under GDPR
You have the following rights:
- Right of access (Art. 15) — get a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data. Most fields are editable directly in Settings.
- Right to erasure (Art. 17) — delete your data. You can do this yourself in Settings → Account → Delete account, or email us.
- Right to restrict processing (Art. 18).
- Right to data portability (Art. 20) — we will send you a JSON export on request.
- Right to object (Art. 21) — object to processing based on legitimate interest.
- Right to withdraw consent — for any processing based on consent.
- Right to lodge a complaint — with the Belgian Data Protection Authority (gegevensbeschermingsautoriteit.be / autoriteprotectiondonnees.be) or your local supervisory authority.
To exercise any right, email info@websitesbymartijn.be. We respond within 30 days.
9. Cookies and tracking
We use only essential authentication cookies. We do not use advertising or tracking cookies. See our Cookie Policy for details.
10. Security
- TLS in transit, encryption at rest.
- Row-level security in the database — your account can only read its own rows.
- Short-lived auth tokens; password reset throttled.
- Limited access by personnel; only what is strictly necessary.
No system is impenetrable. If we ever become aware of a personal data breach affecting you, we will notify you and the relevant supervisory authority within 72 hours as required by GDPR Art. 33–34.
11. Children
detilt is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has created an account, contact us and we will delete it.
12. Automated decision-making
The AI coach generates responses based on your messages and profile, but it does not make decisions that produce legal or similarly significant effects on you. You are always free to ignore the coach and to delete your account at any time.
13. Changes to this Policy
We may update this Privacy Policy from time to time. If changes are material, we will notify you by email at least 14 days before they take effect.
14. Contact
Questions, requests, or complaints? Email info@websitesbymartijn.be.