Legal Document

Privacy Policy

Effective: May 17, 2026 Last Updated: May 17, 2026

Table of Contents

1. Information We Collect 2. How We Use Your Information 3. Information Sharing and Disclosure 4. API Key and Credential Security 5. Data Retention 6. Security Measures 7. Your Rights (GDPR / CCPA) 8. Cookies and Tracking 9. International Data Transfers 10. Children's Privacy 11. Changes to This Policy 12. Contact

This Privacy Policy describes how TradingBot ("we," "us," "our") collects, uses, stores, and shares information about you when you use our Platform. By using the Service you consent to the practices described herein.

01 Information We Collect

Information You Provide

Category	Examples	Purpose
Account Information	Email address, password (hashed), display name	Authentication, account management
Payment Information	Billing data processed by Stripe (we never store raw card numbers)	Subscription billing
Broker Credentials	API keys and secrets you connect (stored encrypted)	Trade execution on your behalf
Configuration Data	Selected tickers, risk settings, strategy rules, Telegram settings	Bot operation and personalization
Communication	Support requests, feedback	Customer support

Information Collected Automatically

Trade Data: Every trade signal received, trade decision made, and order executed through your account is logged with timestamp, price, and outcome
Usage Logs: Pages visited, features used, login timestamps, and IP addresses for security monitoring
Technical Data: Browser type, operating system, and device identifiers for compatibility and fraud prevention
Performance Metrics: Win/loss ratios, P&L figures, and other analytics derived from your trading activity

02 How We Use Your Information

Service Delivery: Process webhooks, execute trades through connected broker APIs, display your portfolio and performance data
Account Management: Authenticate your identity, enforce subscription limits, manage billing
Security: Detect and prevent fraud, unauthorized access, and abuse
Communications: Send transactional emails (email verification, trade alerts, subscription notices). We do not send marketing emails without your explicit opt-in
Platform Improvement: Analyze aggregate, anonymized usage patterns to improve features. Individual user data is never sold for this purpose
Legal Compliance: Respond to lawful requests from government authorities and satisfy our legal obligations

We do not sell your personal data to third parties. We do not use your individual trading data or strategies to inform our own trading or to build competing products.

03 Information Sharing and Disclosure

We share your information only in the following circumstances:

Brokers (Alpaca, Kraken, etc.): Your API credentials and trade instructions are transmitted to your connected broker to execute trades. This is the core function of the Service.
Stripe: Payment information is processed by Stripe, Inc., under their own Privacy Policy. We receive only tokenized payment references.
Infrastructure Providers: We use cloud hosting (Render), database hosting, and other infrastructure providers who process data as data processors under our instructions and are bound by data processing agreements.
Legal Requirements: We may disclose information when required by law, subpoena, court order, or to protect the rights, property, or safety of TradingBot, our users, or the public.
Business Transfers: In the event of a merger, acquisition, or sale of all or substantially all assets, user data may be transferred. We will notify you before your data becomes subject to a materially different privacy policy.

04 API Key and Credential Security

All broker API keys and secrets you connect to TradingBot are encrypted using AES-256 (Fernet) symmetric encryption before storage. Encryption keys are stored separately from the database and are not accessible to our engineers in normal operations.

API keys are decrypted only in-memory at the time of trade execution and are never logged, displayed in full, or transmitted to any party other than your designated broker. Once entered, API keys are not retrievable in plain text through the Platform interface.

Despite these measures, no security system is impenetrable. You acknowledge that you assume all risk associated with connecting live broker credentials to any third-party platform.

05 Data Retention

Active Accounts: Data is retained for the duration of your active account
Closed Accounts: Following account closure or termination, account data is retained for up to 90 days before deletion
Trade Records: Trade history may be retained for up to 7 years where required by applicable financial regulations
Backups: Encrypted backup copies may persist for up to 30 additional days after deletion from primary systems
Legal Holds: Data subject to legal proceedings may be retained beyond normal retention periods until the matter is resolved

06 Security Measures

We implement industry-standard security measures including:

AES-256 encryption for stored credentials
TLS 1.2+ encryption for all data in transit
Bcrypt password hashing with strong work factors
Rate limiting on authentication endpoints
Regular security reviews and dependency updates
Access controls limiting employee access to production data

If we discover a security breach that affects your personal data, we will notify you by email within 72 hours of discovery, consistent with applicable breach notification laws.

07 CCPA — Complete Data Inventory (California Residents)

Under the California Consumer Privacy Act (CCPA), we are required to disclose every category of personal information we collect, why we collect it, and how long we keep it.

Category	Specific Data Points	Why We Collect It	Retention Period
Identifiers	Email address, UUID account ID, IP address at login, session token	Authentication, security monitoring, account management	Active account + 90 days after closure
Financial Information	Broker API key references (encrypted), paper/live trading mode, virtual account balance, cumulative P&L figures	Execute trades through your connected broker; display portfolio performance to you	Active account + 90 days; trade records up to 7 years per financial regulations
Commercial/Transaction Data	Subscription plan, Stripe customer ID, subscription status, payment history (processed by Stripe — we store only references)	Billing, subscription enforcement, fraud prevention	7 years per tax/financial record requirements
Internet/Network Activity	Pages visited within the Platform, API endpoints called, login timestamps, browser type, operating system	Security monitoring, debugging, service improvement	90 days in access logs
Trading Activity	Every webhook signal received, trade decision (BUY/SELL/HOLD) and reason, order ID, entry/exit price, stop-loss, take-profit, outcome (WIN/LOSS), P&L per trade, pattern name, session, timestamps	Bot operation; display trade history and analytics to you; improve the scoring model (aggregate/anonymized)	Active account + 90 days; up to 7 years per financial regulations
Configuration Data	Selected tickers, risk percent, risk:reward ratio, custom strategy rules, Telegram bot token (encrypted), Telegram chat ID, display name	Operate the bot according to your settings	Active account + 90 days after closure
Communications	Support emails you send to us	Customer support	3 years

We do not sell your personal information. We do not share personal information with third parties for their direct marketing purposes. We do not use your trading data or strategies to inform our own trading activity.

07b Your Rights (CCPA / GDPR)

Depending on your jurisdiction, you may have the following rights:

Right to Know: Request the specific pieces and categories of personal information we have collected about you in the past 12 months
Right to Delete: Request deletion of personal information we collected from you, subject to legal retention exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Portability: Receive your data in a machine-readable format (EU/EEA and California users)
Right to Opt-Out of Sale: We do not sell personal information — this right is automatically satisfied
Right to Non-Discrimination: We will not deny service, charge different prices, or provide a different level of service because you exercised any of these rights

To exercise any of these rights, email privacy@usetradingbot.com with the subject line "Privacy Request." We will respond within 45 days (CCPA) or 30 days (GDPR). We may require identity verification before fulfilling requests. California residents may designate an authorized agent to make requests on their behalf.

08 Cookies and Tracking

The Platform uses an HTTP-only, Secure session cookie (session_token) for authentication. This is a strictly necessary cookie — it cannot be disabled without breaking login. We do not use advertising cookies, third-party tracking pixels, or analytics services. Google Fonts are loaded from Google CDN, which may log your IP address per Google's Privacy Policy.

09 International Data Transfers

TradingBot is operated from the United States. If you access the Service from outside the US, your information may be transferred to and processed in the US, which may have different data protection laws than your home country. By using the Service you consent to this transfer. For EU/EEA users, such transfers are made with appropriate safeguards as required by GDPR.

10 Children's Privacy

The Service is strictly for users 18 years of age and older. We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will immediately terminate their account and delete all associated data.

11 Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email and/or in-app notification with at least 14 days' notice before the changes take effect. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

12 Contact

For privacy-related questions, data requests, or concerns: privacy@tradingbot.app

→ Terms of Service → Risk Disclosure Statement ← Back to Dashboard