1. Who we are
Trades Terminal (“we”, “us”) is the operator of tradesterminal.com and the related software product. We’re the data controller for the information described below.
For GDPR purposes our representative will be designated before EU general availability and listed here. For CCPA purposes we’re the “business” that collects your personal information.
2. What we collect
2.1 Information you give us
- Account. Email, display name, password (handled by our auth provider — never seen by us in plaintext), and any optional profile detail you fill in.
- Billing. Card details are handled by Stripe; we never see the full PAN. We store your Stripe customer id, plan, and renewal date.
- Broker credentials. If you connect a broker, we store the credential reference (or refresh token, depending on the broker) inside an encrypted vault. We use them only to connect on your behalf.
- Content you create. Workspaces, chart drawings, custom indicators, journal entries, saved screens, AI prompts, and anything else you type into the product.
2.2 Information we collect when you use the product
- Trading activity. Orders, fills, positions, balances, and account-rule evaluations fetched from your connected broker. This is the heart of the product.
- Usage. Which pages you visit, which features you interact with, error events, and rough performance timings. Used to make the product better and to catch bugs.
- Device + network. IP address, browser type, OS, and a session identifier. Used for security, fraud prevention, and access logs.
2.3 What we do NOT collect
We don’t buy data about you from data brokers. We don’t fingerprint your device across the web. We don’t sell your data to advertisers (see “Sale of personal information” below).
3. Why we collect it
- To run the product you signed up for (legitimate interest / contract).
- To process payments and prevent fraud (contract / legitimate interest).
- To send you operational email — receipts, password resets, security alerts (contract).
- To send you marketing email when you opt in (consent).
- To improve the product, debug crashes, and measure usage (legitimate interest).
- To comply with legal obligations — tax records, anti-fraud, law-enforcement requests we’re legally required to honor.
4. Who we share it with
We use a small set of vetted processors to actually run the product. Each one only sees what they need to do their job. As of the “last updated” date above:
- Clerk — auth (passkeys, password, session, TOTP). Sees email + display name + auth metadata.
- Stripe — payments. Sees email + card details + billing address + subscription state.
- Vercel — hosting + edge runtime + log drain. Sees request metadata + access logs.
- Neon — managed Postgres database. Holds the application data described in section 2.
- Sentry — error reporting. Sees stack traces + redacted user id + breadcrumbs. Sensitive fields are scrubbed before send.
- PostHog — product analytics. Sees page-view + feature-interaction events tied to your user id. Does NOT see trade content or AI prompts.
- Resend — transactional email delivery. Sees recipient email + email body.
- Anthropic — AI features (Claude models). Sees the prompt text you submit and the context the product attaches (chart symbol, recent trades summary, etc.). Anthropic’s API terms exclude using submitted content to train their models.
We may add or change processors as the product evolves; we’ll update this list and bump the “Last updated” date.
Beyond these processors, we don’t share your personal information with anyone unless: (a) you tell us to (e.g. you connect a broker), (b) we’re legally required (subpoena, court order, regulator), (c) we need to defend our rights or protect users from harm, or (d) we’re sold, merged, or acquired — in which case your data transfers under the same protections as this policy and you’ll be notified.
5. Sale of personal information
We do not sell your personal information. We don’t share it with third parties for their own advertising or marketing. Under CCPA, certain uses of analytics tools could be classified as a “sale” or “sharing”; if you’re a California resident and want to opt out anyway, email privacy@tradesterminal.com with the subject “Do Not Sell or Share”.
6. International transfers
Our processors operate primarily in the United States. When personal data is transferred from the EEA / UK / Switzerland to the US, we rely on the EU Standard Contractual Clauses (and the UK addendum where applicable) executed with each processor. Copies are available on request.
7. How long we keep it
- Account + trading data: for the life of your account and up to 24 months after you close it, so you can re-open inside that window without losing history. Audit logs are kept longer where required by law.
- Billing records: 7 years to satisfy US/EU tax-record retention.
- Server access logs: 30 days, then aggregated.
- Error reports: 90 days at Sentry.
- Backups: overlap with the above by up to 35 days while old generations age out.
On a deletion request (see section 9) we’ll honor shorter retention — the items above bound the maximum, not the minimum.
8. How we protect it
We use TLS in transit, encryption at rest, scoped IAM on our infrastructure, hardware-backed two-factor on production access, and an envelope-encrypted vault for broker credentials. We audit every state-changing operation. No system is unbreakable — if we learn of a breach that affects your data, we’ll notify you without undue delay and in any case within the timelines required by GDPR (72 hours) or applicable US state law.
9. Your rights
Depending on where you live, you have some or all of these rights:
- Access — get a copy of what we have.
- Correction — fix anything inaccurate.
- Deletion — have us delete your account and associated personal data (subject to the retention floor in section 7 for records we’re legally required to keep).
- Portability — get your trading data, journal entries, and saved layouts in a structured, machine-readable export.
- Objection / restriction — limit how we process your data for marketing or analytics.
- Withdraw consent — for anything we relied on consent for (e.g. marketing email).
- Complain to a regulator — your local DPA in the EU, the ICO in the UK, the relevant US state AG.
Exercise any of these by emailing privacy@tradesterminal.com from the email address on your account, or by using the export / delete buttons in the settings page. We respond within 30 days (60 if the request is complex).
10. Children
The product isn’t directed at anyone under 18. We don’t knowingly collect personal information from children. If you believe we have, email privacy@tradesterminal.com and we’ll delete it.
11. Cookies + similar technologies
We use cookies and local storage to keep you signed in, remember your workspace preferences, and (where you opt in) collect product-analytics events. We don’t use advertising cookies. You can disable cookies in your browser; the product won’t function without essential session cookies.
12. Changes to this policy
We’ll bump the “Last updated” date at the top whenever we change something material and notify you in-app or by email. If a change affects how we use data you’ve already given us, we’ll honor the terms under which it was collected unless you accept the new ones.
13. Contact
Email privacy@tradesterminal.com for anything privacy-flavored. For everything else, hello@tradesterminal.com gets a human.