Privacy Policy
Last updated: 26 April 2026 · Applies to: thepropdna.com and all subdomains
This policy explains what personal data PropDNA collects, why, how long we keep it, and what rights you have under the EU GDPR (Regulation 2016/679) and the Cyprus Law Providing for the Protection of Natural Persons with regard to the Processing of Personal Data (L.125(I)/2018). We have written it to be readable rather than deliberately opaque.
1. Who We Are (Data Controller)
PropDNA is operated by MarketMingle Ltd, a private company limited by shares incorporated in the Republic of Cyprus (registration number HE46046), with registered office at 8 Aesopou Street, Agios Tychonas, 4521, Limassol, Cyprus. MarketMingle Ltd is the data controller for all personal data processed through thepropdna.com. For data protection queries, contact us at privacy@thepropdna.com. We do not currently have a designated Data Protection Officer; all data protection requests are handled directly by the data controller. We will review this position if processing activities expand materially.
2. Data We Collect and Why
We only collect data that is necessary for a specific, documented purpose.
| Data | Purpose | Lawful Basis | Retention |
|---|---|---|---|
| Email address & password hash | User account creation and login | Contract (Art. 6(1)(b)) | Until account deleted |
| Display name, country, trading experience | Public trader profile and review attribution | Contract (Art. 6(1)(b)) | Until account deleted |
| Review text, star rating, payout proof | Trust score calculation and public display | Contract (Art. 6(1)(b)) | Until review deleted by user or moderator |
| Hashed IP address (one-way SHA-256) | Deduplication of affiliate clicks — raw IP is never stored | Legitimate interest (Art. 6(1)(f)) | 2 years from collection |
| Firm tag, click type, referral source | Affiliate commission tracking | Legitimate interest (Art. 6(1)(f)) | 2 years from collection |
| Session cookie (Supabase auth) | Keeping you logged in across page loads | Necessary for service (Art. 6(1)(b)) | Session or 7 days (persistent login) |
We do not collect: payment card data, government IDs, precise geolocation, or any special-category data (Article 9 GDPR). We do not run advertising networks, sell data to third parties, or build behavioural profiles for marketing.
3. Cookies and Local Storage
| Name | Type | Purpose | Expiry |
|---|---|---|---|
| sb-*-auth-token | Necessary | Supabase authentication session | 7 days |
| cookie_consent | Necessary | Stores your cookie consent choice (localStorage) | 1 year |
| Google Fonts (CSS @import) | Functional | Loads IBM Plex Mono, Playfair Display, Crimson Pro typefaces — Google receives your IP on font load. No tracking cookie is set by Google Fonts in this usage. | No cookie set |
We do not use third-party advertising cookies, cross-site tracking pixels, or fingerprinting. You can clear cookies at any time through your browser settings. Refusing the session cookie means you cannot log in; all other functionality works without cookies.
4. Affiliate Click Tracking
When you click a “Start Challenge” or firm link, your request passes through /api/track before redirecting you to the prop firm's website. We record: the firm you clicked, the click type, the page you came from, and a one-way hash of your IP address. The hash cannot be reversed to recover your IP.
Lawful basis: Legitimate interest. Affiliate commission tracking is the commercial mechanism that makes free access to PropDNA sustainable. Our legitimate interest assessment concluded that this processing is proportionate, that users would reasonably expect it, and that it does not override individual rights — particularly because we hash (not store) the IP and do not link clicks to user accounts.
Right to object: You may opt out of click tracking via the cookie settings banner at any time. Opting out replaces tracked links with direct links to the firm's website.
5. Third-Party Processors
| Processor | Role | Location | Safeguard |
|---|---|---|---|
| Supabase Inc. | Database, auth, and file storage | EU (AWS eu-west-1 — Ireland) | Data stored within the EEA; no international transfer |
| Vercel Inc. | Web hosting and serverless functions | US / Edge (global) | Standard Contractual Clauses (SCCs) |
| Google LLC | Font delivery (Google Fonts CSS) | US / Global CDN | Google Fonts API does not use cookies or build user profiles in this usage |
| Anthropic PBC | AI advisor responses via /api/chat | US | Data processed but not retained for model training (API usage) |
All processors are bound by data processing agreements and may only process your data on our documented instructions. Transfers outside the UK/EEA are protected by Standard Contractual Clauses (SCCs) approved by the European Commission.
6. Your Rights Under UK/EU GDPR
You have the following rights, exercisable free of charge. We will respond within 30 days.
| Right | What it means in practice |
|---|---|
| Access (Art. 15) | Request a copy of all personal data we hold about you. |
| Rectification (Art. 16) | Ask us to correct inaccurate or incomplete data. |
| Erasure / Right to be forgotten (Art. 17) | Request deletion of your account, reviews, and click logs. We will action the request within 30 days. |
| Restriction of processing (Art. 18) | Ask us to pause processing while a dispute is resolved. |
| Data portability (Art. 20) | Receive your reviews and profile data in a machine-readable format (JSON/CSV). |
| Object to processing (Art. 21) | Object to processing based on legitimate interest, including affiliate click tracking. |
| Withdraw consent | Where we relied on consent, withdraw it at any time via cookie settings without affecting prior processing. |
| Lodge a complaint | Complain to your national supervisory authority. UK: ICO (ico.org.uk). EU: national authorities are listed at the EDPB. |
To exercise any right, email privacy@thepropdna.com from the address associated with your account. We may ask you to verify your identity before processing the request.
If you believe we have not handled your request properly, you have the right to lodge a complaint with a supervisory authority. The lead supervisory authority for MarketMingle Ltd is the Cyprus Office of the Commissioner for Personal Data Protection (dataprotection.gov.cy). EU residents may also contact their national authority — find them at the EDPB member list.
7. Automated Decision-Making & Profiling (Article 22 GDPR)
The Trader DNA™ assessment produces an automated psychological and trading-style profile. This profile is used to match you with prop firms that suit your assessed archetype. This constitutes automated profiling under Article 22 GDPR.
What we disclose, as required by Article 22(2)(b):
- Logic involved: Your responses to the Trader DNA™ questionnaire are scored across dimensions including risk tolerance, discipline orientation, time horizon, and market preference. The resulting archetype (e.g. “The Scalper”, “The Swing Strategist”) is matched against firm profiles based on their rules, evaluation structure, and verified payout data.
- Significance: The assessment influences which firms are highlighted to you and in what order. It does not prevent you from viewing or evaluating any firm.
- Consequences: The matching is a recommendation aid only. You are not excluded from any firm based on your profile. No legal or similarly significant effects arise from this processing.
- Right to human review: You may request a human review of your Trader DNA™ result at any time by emailing privacy@thepropdna.com.
- Right to contest: You may retake the assessment at any time or contact us to have your profile reset.
Lawful basis: Consent (Article 6(1)(a) and Article 22(2)(c)). You provide explicit consent before beginning the Trader DNA™ assessment. You may withdraw consent and request deletion of your assessment data at any time.
8. Security
Passwords are hashed using bcrypt via Supabase Auth — we never store plaintext passwords. All connections are encrypted in transit (TLS 1.2+). IP addresses are processed only as one-way SHA-256 hashes. Row-level security policies in Supabase ensure users can only access their own data. We conduct periodic reviews of access controls and processor agreements.
In the event of a personal data breach likely to result in a high risk to your rights and freedoms, we will notify you without undue delay and, where required, notify the relevant supervisory authority within 72 hours of becoming aware.
9. Children
PropDNA is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has submitted data, contact us and we will delete it promptly.
10. Changes to This Policy
We will post any material changes here and update the “last updated” date. For significant changes affecting how we use your data, we will notify logged-in users by email at least 14 days in advance. Continued use of the site after that date constitutes acceptance.
11. Contact
All privacy queries: privacy@thepropdna.com
We aim to acknowledge all requests within 5 business days and resolve them within 30 calendar days.