Legal
Last updated: March 2026 · Effective date: March 2026
EmotionLock is a trading discipline tool developed and operated by EmotionLock, a registered trade name of BIB (sole proprietorship), based in the Netherlands. We are the data controller for the personal data described in this policy.
Trade name: EmotionLock (trading name of BIB)
KVK number: 75526972
Contact for privacy matters: support@emotionlock.app
We only collect data that is strictly necessary to provide the EmotionLock service. EmotionLock does not have a traditional account system with email and password. Access is managed entirely through Apple In-App Purchase.
Device identifier (UUID)
On first launch, EmotionLock generates a random unique identifier (UUID) and stores it in your device's iOS Keychain. This identifier is used to link your device to your backend session. It persists across app reinstallations by design, so your settings and MT5 connection are retained. It is not linked to your Apple ID, email address, advertising identifier, or any hardware serial number. This identifier is permanently deleted upon account deletion (contact support@emotionlock.app).
Legal basis: Contract performance (Art. 6(1)(b) GDPR). Necessary to deliver and maintain the service.
MT5 connection data
To connect your MetaTrader 5 account we collect your MT5 server name, account number, and Investor Password. Your server name and account number are stored in our database (Supabase) to maintain your connection. Your Investor Password is transmitted via an encrypted connection to MetaAPI (our MT5 connectivity provider), who stores it on their infrastructure solely to maintain your read-only trading data connection. EmotionLock's own servers never store your Investor Password directly. You can revoke access at any time by disconnecting your MT5 account in the app, which removes credentials from both our database and MetaAPI's systems.
Legal basis: Contract performance (Art. 6(1)(b) GDPR). Necessary to provide the core trade-monitoring functionality.
Trade count and activity data
We receive the number of trades closed on your MT5 account for the current trading day (read-only). We do not receive trade details, instruments, positions, prices, profits or losses, only the count. This data is used solely to determine whether your daily trade limit has been reached, and it resets at midnight in your local timezone.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
Push notification token
When you grant notification permission, your Apple APNs device token is transmitted to and stored on our backend server. This token is used exclusively to send you real-time alerts when your daily trade limit is reached. The token is deleted when you disconnect your MT5 account or request account deletion.
Legal basis: Consent (Art. 6(1)(a) GDPR). You explicitly grant notification permission via the iOS permission dialog.
App settings
Your configured daily trade limit, emergency token count, and preference settings (such as whether to count only winning trades) are stored on our servers linked to your device UUID to keep them in sync across sessions.
Legal basis: Contract performance (Art. 6(1)(b) GDPR).
App blocking selection (on-device only)
The apps you select for blocking via Screen Time are stored locally on your device only. EmotionLock's servers never receive information about which apps you have selected. Apple's Family Controls framework provides only cryptographic tokens to our app. We cannot identify app names or publishers from these tokens. No app usage data, screen time statistics or browsing history is ever collected or transmitted.
Legal basis: Consent (Art. 6(1)(a) GDPR). You explicitly set up and authorize blocking yourself.
Payment data
All in-app purchases are processed exclusively by Apple via StoreKit 2. EmotionLock does not process, store, or have access to your payment card details. Apple's Privacy Policy governs the processing of your payment data. We receive only an entitlement confirmation (purchased / not purchased) from Apple.
Legal basis: Contract performance and legal obligation (Art. 6(1)(b) and (c) GDPR).
Marketing research (legitimate interest)
Our backend systems periodically scan publicly available posts on Reddit and X (formerly Twitter) using keyword searches related to trading discipline topics (such as "revenge trading" and "trading addiction"). We store the public URL, author username, public post text, and engagement metrics of matching posts in our internal database for marketing and outreach purposes only. This processing concerns public posts only. We do not contact the authors of these posts without separate consent.
Legal basis: Legitimate interests (Art. 6(1)(f) GDPR). Marketing research using publicly available content. You may object to this processing at any time by contacting support@emotionlock.app.
Review data (optional)
If you submit a review via our website, we collect your name (or display name) and the review text. Approved reviews may be displayed publicly on our website.
Legal basis: Consent (Art. 6(1)(a) GDPR). You submit voluntarily.
EmotionLock uses Apple's Family Controls / Screen Time API to block selected trading apps on your device when your daily trade limit is reached.
Legal basis: Consent (Art. 6(1)(a) GDPR). You explicitly set up and authorize the blocking yourself.
We use the following third-party processors. Each acts only on our instructions and is bound by a Data Processing Agreement (DPA) where applicable under GDPR.
Apple (StoreKit / APNs): Payments and push notifications
Apple processes all in-app purchases via StoreKit 2 and delivers push notifications via APNs. EmotionLock does not receive or store your payment card details. Apple Privacy Policy
Supabase: Database
Supabase stores your device UUID, MT5 server name and account number, app settings, emergency token count, and push notification token. Supabase is SOC 2 Type 2 certified. Data may be stored on servers in the US or EU under Standard Contractual Clauses. Supabase Privacy Policy
Railway: Backend server hosting
Railway hosts our backend API that handles trade polling, push notification dispatch, and settings synchronisation. All persistent data is stored in Supabase; Railway processes requests in memory only.
MetaAPI: MT5 connection infrastructure
MetaAPI provides the cloud infrastructure that enables EmotionLock to read your MT5 trade count in read-only mode. Your MT5 server name, account number, and Investor Password are transmitted to MetaAPI to establish and maintain this connection. MetaAPI stores the Investor Password on their infrastructure for as long as the connection is active. Disconnecting your MT5 account in EmotionLock removes these credentials from MetaAPI's systems. Data is stored on servers in the UK and US. MetaAPI Privacy Policy
We do not sell, rent or share your personal data with any third party for marketing or advertising purposes. We do not use your data for profiling or automated decision-making that produces legal or similarly significant effects on you.
Some of our third-party processors (Supabase, MetaAPI, Railway) may process or store data outside the European Economic Area (EEA), including in the United States. Where this occurs, we ensure appropriate safeguards are in place, specifically Standard Contractual Clauses (SCCs) approved by the European Commission, to ensure your data receives an equivalent level of protection to that required under EU law.
Device UUID: retained for as long as your connection is active, plus up to 3 years afterward for record-keeping obligations. Deleted immediately upon account deletion request.
MT5 server name and account number: retained until you disconnect your MT5 account or request account deletion.
MT5 Investor Password: never stored on EmotionLock servers. Stored by MetaAPI for the duration of the active connection only. Deleted by MetaAPI upon disconnection.
Trade count data: processed in real time and reset at midnight in your local timezone. Not retained long-term.
Push notification token: retained until you disconnect your MT5 account or request account deletion.
App settings: retained until you request account deletion.
Marketing research data (Reddit/X posts): retained for up to 12 months, then deleted automatically.
Review data: retained until you request deletion.
If you are based in the EU or EEA, you have the following rights regarding your personal data:
Right to be informed
You have the right to know what data we collect and how we use it. This privacy policy fulfils that obligation.
Right of access (Art. 15)
You can request a copy of all personal data we hold about you.
Right to rectification (Art. 16)
You can request that we correct inaccurate or incomplete data.
Right to erasure (Art. 17)
You can request deletion of your personal data. You can initiate this by emailing support@emotionlock.app.
Right to restriction of processing (Art. 18)
You can ask us to pause processing of your data under certain circumstances.
Right to data portability (Art. 20)
You can request your data in a machine-readable format (JSON/CSV) so you can transfer it to another service.
Right to object (Art. 21)
You can object to processing based on legitimate interests (including our marketing research activity) at any time.
Rights related to automated decision-making (Art. 22)
EmotionLock does not use fully automated decision-making or profiling that produces legal or similarly significant effects.
To exercise any of these rights, contact us at support@emotionlock.app. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority (in the Netherlands: Autoriteit Persoonsgegevens).
You can request deletion of your EmotionLock data and device identifier at any time:
Upon deletion, your personal data will be removed from our systems within 30 days. Your MT5 Investor Password will be removed from MetaAPI's systems upon disconnection, before or independently of account deletion.
Our website uses only essential session cookies required for authentication. We do not use advertising, tracking or analytics cookies.
The EmotionLock iOS app does not use tracking technologies, does not access your advertising identifier (IDFA), and does not participate in cross-app tracking. We do not share data with any data broker.
EmotionLock is intended for use by individuals who are at least 18 years old. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please contact us at support@emotionlock.app and we will delete it promptly.
We implement industry-standard security measures including encrypted data transmission (HTTPS/TLS), Keychain-based identifier storage on device, and access-controlled infrastructure. However, no internet transmission is 100% secure. In the event of a data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by GDPR, and will inform you directly if the breach poses a high risk to you.
We may update this privacy policy from time to time. We will notify you of material changes via a notice in the app. The updated date at the top of this page always reflects the most recent revision. Continued use of EmotionLock after changes constitutes acceptance of the updated policy.