Tradei

Privacy Policy

Effective Date: March 23, 2026 · Last Updated: March 23, 2026

1. Introduction & Scope

This Privacy Policy ("Policy") describes how Tradei ("we," "us," or "our") collects, uses, stores, shares, and protects information when you use our website at tradei.io, including all subdomains, mobile applications, APIs, and related services (collectively, the "Service").

By creating an account, accessing, or using any part of the Service, you acknowledge that you have read, understood, and agree to be bound by this Policy. If you do not agree, you must not use the Service.

Key Definitions:

  • "Personal Data" — any information that identifies or can be used to identify you, directly or indirectly.
  • "Trading Data" — account metrics, balances, equity, profit/loss, drawdown percentages, open positions, and trade history retrieved from your connected prop firm accounts.
  • "Credentials" — login usernames, passwords, API tokens, session cookies, or any other authentication data you provide to connect a prop firm account.
  • "User" or "you" — any individual who accesses or uses the Service.

2. Data Controller

Tradei is the data controller responsible for your Personal Data under applicable data protection laws, including the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), the UK Data Protection Act 2018, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

  • Entity: Tradei (operating entity registered in Ontario, Canada)
  • Privacy Contact: [email protected]
  • Data Protection Officer: Reachable at [email protected] with the subject line "DPO Request"

3. Information We Collect

3.1 Information You Provide

  • Account registration: Email address, name (optional), and password (hashed, never stored in plaintext).
  • Google OAuth: If you sign in with Google, we receive your email address, display name, and profile picture from Google.
  • Phone number: Optional, only if you enable SMS alerts (available on PRO and SUITE plans).
  • Prop firm credentials: Login usernames, passwords, MFA secrets, investor passwords, API tokens, or OAuth access tokens required to connect your trading accounts. See Section 6 for how we protect these.
  • Journal entries: Pre-session mood scores (mood, focus, energy on a 1–5 scale), emotion tags, strategy tags, lesson tags, and free-text reflections that you voluntarily enter.
  • Alert preferences: Threshold percentages, notification channel selections, digest frequency, quiet hours, and Telegram chat ID.
  • API key names: User-chosen labels for programmatic API keys you generate.
  • Referral codes: If you participate in our referral program.

3.2 Information Collected Automatically

  • Session cookies: HTTP-only authentication cookies (see Section 11).
  • Request logs: HTTP method, URL path, response status code, and response time for security monitoring and performance analysis. Request bodies are not logged.
  • IP addresses: Recorded in audit logs for security purposes (e.g., detecting unauthorized access). Not used for tracking or profiling.
  • Device information: Browser type and operating system, derived from standard HTTP headers for compatibility purposes.

3.3 Information from Third Parties

  • Google OAuth: Email, name, and profile picture (only if you choose Google sign-in).
  • Trading account metrics: Balance, equity, daily P&L, drawdown percentage, open position count, and account phase information — retrieved from your prop firm via MetaApi, cTrader Open API, TopStepX API, or Tradovate API.
  • Trade history: Deal IDs, trade types, symbols, volumes, execution prices, realized profit/loss, commissions, swaps, and execution timestamps — retrieved from your prop firm via MetaApi.

3.4 Information We Do NOT Collect

  • Credit card or payment card numbers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never see, store, or transmit your card details.
  • Trading strategies, signals, or algorithms. We monitor account metrics only.
  • Personal bank or brokerage accounts outside of the prop firm accounts you explicitly connect.

4. How We Use Your Information

  • Service delivery: Monitoring your prop firm accounts, computing analytics, and displaying dashboards.
  • Alerts and notifications: Sending real-time alerts via email, browser push, Telegram, or SMS when your accounts approach risk thresholds.
  • Authentication: Verifying your identity and managing sessions.
  • Payment processing: Managing subscriptions, billing, and referral rewards through Stripe.
  • Transactional communications: Sending password reset emails, email verification, billing receipts, and service announcements.
  • Security and fraud prevention: Rate limiting, audit logging, and detecting unauthorized access attempts.
  • Service improvement: Aggregated, anonymized analytics to improve performance and reliability. We do not build individual user profiles for marketing purposes.
  • Legal compliance: Responding to lawful requests from government authorities, tax obligations, and enforcing our Terms of Service.

6. Credential Security

Your prop firm credentials are the most sensitive data we handle. We treat them with the highest level of protection:

  • Encryption at rest: All credentials are encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit key in Galois/Counter Mode) with a cryptographically random 96-bit initialization vector (IV) generated for each encryption operation. This is the same encryption standard used by banks and government agencies.
  • Key management: The master encryption key is stored exclusively as a server environment variable. It is never stored in the database, committed to source code, or transmitted over the network.
  • Minimal exposure: Credentials are decrypted only at the exact moment they are needed to authenticate with your prop firm's API. They are held in memory only for the duration of the API call and are never cached in plaintext, written to disk, or included in logs.
  • Read-only access: We use your credentials exclusively to read account metrics and trade history. We never execute trades, modify account settings, withdraw funds, or take any action on your prop firm account.
  • Immediate destruction: When you disconnect a prop firm account, the encrypted credentials are immediately and irreversibly deleted from our database.
  • Password hashing: Your Tradei account password is hashed using bcrypt with a cost factor of 12. We never store your Tradei password in plaintext.
  • API keys: Programmatic API keys are hashed at rest using a one-way hash. The original key is displayed once upon creation and cannot be recovered.

Important: By providing your prop firm credentials to Tradei, you acknowledge the inherent risks associated with sharing access credentials with any third-party service. You confirm that you have reviewed your prop firm's terms of service regarding third-party integrations and accept full responsibility for this decision.

7. Data Sharing & Third Parties

We do not sell, rent, lease, or trade your personal data to any third party. We share data only with the following categories of service providers, solely to operate the Service:

7.1 Sub-Processors

Provider | Data Shared | Purpose | Location
Stripe | Email, subscription plan, customer ID | Payment processing | USA
MetaApi | MT investor password, server name | MT4/MT5 account data access | EU
cTrader Open API | OAuth access tokens | cTrader account data | EU/UK
TopStepX API | API key, session token | TopStep account data | USA
Tradovate API | Bearer tokens | Apex account data | USA
Google | Email, name, profile picture | OAuth authentication | USA
Resend | Email address, message content | Email delivery | USA
Twilio | Phone number, SMS content | SMS alerts | USA
Telegram Bot API | Chat ID, alert messages | Telegram notifications | Global
Neon | All stored data (encrypted at rest) | PostgreSQL database hosting | USA
Railway | Application code, logs | Application hosting | USA
Upstash | Rate limit counters (no PII) | Redis caching | USA

Each sub-processor is bound by a data processing agreement (DPA) that restricts them to processing your data only as necessary to provide their service to us.

7.2 Other Circumstances

We may also disclose your data:

  • Legal requirements: When required by law, regulation, legal process, or enforceable governmental request.
  • Protection of rights: To enforce our Terms of Service, protect our rights, privacy, safety, or property, and that of our users or the public.
  • Business transfers: In connection with a merger, acquisition, reorganization, or sale of assets, in which case your data would remain subject to this Policy or a policy at least as protective.
  • With your consent: For any purpose to which you have explicitly consented.

8. International Data Transfers

Tradei is based in Toronto, Ontario, Canada. Your data is primarily stored in the United States (via Neon and Railway) and may be processed in the European Union (via MetaApi) and the United Kingdom (via cTrader Open API).

When we transfer Personal Data outside of your jurisdiction, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission for EU–US and EU–Canada transfers.
  • Adequacy decisions where the receiving country has been deemed to provide adequate data protection (Canada has an adequacy finding from the EU for PIPEDA-covered transfers).
  • Your consent as a supplementary transfer mechanism where applicable.

9. Data Retention

We retain your data only as long as necessary for the purposes described in this Policy:

Data Category | Retention Period | Deletion Method
User account | Duration of account + 30 days | Soft delete, then permanent removal
Prop firm credentials | Until account disconnected | Immediate cryptographic destruction
Account snapshots | Latest 50 per account (rolling) | Oldest automatically purged
Trade history | Duration of account | Deleted with account
Journal entries | Duration of account | Deleted with account
Scraper job logs | 7 days | Automatic purge
Audit logs | 90 days | Automatic purge
Password reset tokens | 24 hours | Automatic expiry
Email verification tokens | 48 hours | Automatic expiry
Billing records | As required by tax law (~7 years) | Retained at Stripe
Rate limit / cooldown data | Minutes to hours (TTL) | Automatic expiry

10. Your Rights

Depending on your jurisdiction, you may have the following rights:

Under GDPR, UK DPA, and PIPEDA

  • Right of Access: Request a copy of all data we hold about you. You can export your data via Settings or by emailing [email protected].
  • Right to Rectification: Update or correct your personal data via your account Settings.
  • Right to Erasure: Delete your account and all associated data via Settings > Account > Danger Zone. Credentials are destroyed immediately.
  • Right to Restriction: Request that we restrict processing of your data by contacting [email protected].
  • Right to Data Portability: Export your data in JSON format via the API or by request.
  • Right to Object: Opt out of non-essential data processing.
  • Right to Withdraw Consent: Disable optional features (SMS alerts, digests, Telegram, journal) at any time without affecting prior processing.
  • Right to Lodge a Complaint: File a complaint with your local supervisory authority (e.g., the Office of the Privacy Commissioner of Canada, the UK ICO, or your EU member state's data protection authority).

Under CCPA (California Residents)

  • Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected.
  • Right to Delete: Request deletion of your personal information.
  • Right to Opt-Out of Sale: We do not sell your personal information. No opt-out action is required.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

Response Times: We will respond to verifiable requests within 30 days (GDPR/PIPEDA) or 45 days (CCPA). Identity verification may be required before processing access or deletion requests.

11. Cookies & Tracking Technologies

We use only strictly necessary cookies. We do not use tracking, advertising, or third-party analytics cookies.

Cookie | Purpose | Type | Expiry
Session token | Authentication | HTTP-only, Secure, SameSite=Lax | 30 days of inactivity
Cookie consent | Remembers your cookie preference | localStorage | Persistent

Stripe's JavaScript library (loaded on payment pages) may set functional cookies required for payment processing. These are governed by Stripe's Privacy Policy.

We do not use browser fingerprinting, pixel tracking, or cross-site tracking of any kind.

12. Children's Privacy

The Service is not directed at individuals under the age of 18. The financial nature of the Service (monitoring leveraged trading accounts) requires that all users be legal adults in their jurisdiction. We do not knowingly collect Personal Data from anyone under 18. If we learn that we have inadvertently collected data from a minor, we will promptly delete it. If you believe a minor has provided us with their data, please contact [email protected].

13. Security Measures

We implement industry-standard technical and organizational measures to protect your data:

  • Encryption: AES-256-GCM for credentials at rest; bcrypt (cost 12) for password hashing; TLS/HTTPS for all data in transit.
  • Transport security: HSTS enforced (max-age 2 years), Content Security Policy, X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), strict Referrer-Policy.
  • Rate limiting: 5 login attempts per IP per 15 minutes; 3 signups per IP per hour; 100 API requests per user per minute.
  • Session security: HTTP-only cookies with Secure and SameSite=Lax flags. All sessions are invalidated immediately upon password change.
  • Log security: Our logging system automatically redacts sensitive fields including passwords, credentials, tokens, secrets, API keys, authorization headers, and cookies. Full email addresses are never logged.
  • Access control: Users can only access their own data. Every API route enforces ownership checks. All data mutations are recorded in an audit trail.

No system is 100% secure. While we implement measures that meet or exceed industry standards, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for any activity that occurs under your account.

14. Data Breach Notification

In the event of a confirmed data breach affecting your Personal Data:

  • We will notify affected users within 72 hours of confirmation, as required by the GDPR, PIPEDA, and other applicable laws.
  • We will notify the relevant supervisory authority (e.g., the Office of the Privacy Commissioner of Canada) within 72 hours where legally required.
  • Notification will include: the nature of the breach, the categories of data affected, the measures taken to address it, and a contact point for questions.
  • Notifications will be sent via email to your registered address.
  • Post-breach measures: We will force rotation of all potentially compromised credentials, invalidate all active sessions, and require password resets where appropriate.

15. Automated Decision-Making

Tradei uses automated systems to check your account metrics against your configured alert thresholds (e.g., daily loss warning at 70% of your firm's limit). These thresholds are fully configured by you, not determined by us.

  • We do not engage in automated profiling or make automated decisions that produce legal effects or similarly significant effects on you.
  • All analytics displayed on your dashboard are informational only and do not constitute financial advice, trading signals, or recommendations.
  • You retain full control over all alert thresholds and notification preferences.

16. Changes to This Policy

  • We reserve the right to update this Policy at any time to reflect changes in our practices, legal requirements, or the Service.
  • Material changes (e.g., new categories of data collected, new third-party sharing, changes to your rights) will be communicated via email at least 14 days before they take effect.
  • Non-material changes (e.g., formatting, clarifications) take effect immediately upon posting.
  • Continued use of the Service after changes take effect constitutes your acceptance of the revised Policy.
  • The "Last Updated" date at the top of this page will always reflect the most recent revision.

17. Disclaimers & Limitations of Liability

17.1 "As-Is" Disclaimer

All Trading Data displayed by Tradei is provided "as-is" and "as-available" without warranty of any kind, express or implied, including but not limited to warranties of merchantability, fitness for a particular purpose, accuracy, or non-infringement. Trading Data may be delayed, incomplete, or inaccurate due to factors beyond our control, including but not limited to prop firm API changes, network latency, or service outages.

17.2 No Fiduciary Relationship

Tradei is a monitoring and informational tool. It does not constitute investment advice, financial advice, trading signals, or a recommendation to take or refrain from any trading action. No fiduciary, advisory, or professional-client relationship is created between you and Tradei by your use of the Service.

17.3 No Responsibility for Trading Decisions

You are solely and exclusively responsible for all trading decisions you make. Tradei is not liable for any trading losses, missed trading opportunities, prop firm rule violations, account terminations, margin calls, or any other financial consequences arising from or related to your use of the Service, including but not limited to reliance on alerts, analytics, or data displayed by Tradei.

17.4 Third-Party Platform Risk

Tradei relies on third-party APIs and platforms to retrieve your Trading Data. Changes to, outages of, or discontinuation of these platforms may affect the availability, accuracy, or timeliness of the Service. Tradei is not responsible for any actions taken by your prop firm, including but not limited to account suspension, termination, or rule changes.

17.5 Credential Risk

By providing your prop firm credentials to Tradei, you acknowledge and accept the inherent risk associated with sharing access credentials with any third-party service, regardless of the security measures employed.

17.6 Maximum Liability

To the maximum extent permitted by applicable law, Tradei's total aggregate liability to you for all claims arising out of or relating to this Policy or the Service shall not exceed the total fees you paid to Tradei in the twelve (12) months immediately preceding the event giving rise to the claim, or one hundred Canadian dollars (CAD $100), whichever is greater.

17.7 Force Majeure

Tradei shall not be liable for any failure or delay in performance resulting from circumstances beyond our reasonable control, including but not limited to: internet service disruptions, third-party API changes or outages, natural disasters, acts of government, cyberattacks, pandemics, or infrastructure failures.

17.8 Exclusion of Consequential Damages

To the maximum extent permitted by applicable law, in no event shall Tradei be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, including but not limited to loss of profits, data, goodwill, trading opportunities, or other intangible losses, regardless of whether we have been advised of the possibility of such damages.

18. Governing Law & Dispute Resolution

This Policy and any disputes arising out of or relating to it shall be governed by and construed in accordance with the laws of the Province of Ontario and the federal laws of Canada applicable therein, including the Personal Information Protection and Electronic Documents Act (PIPEDA), without regard to conflict of law principles.

  • Informal Resolution: Before initiating formal proceedings, you agree to contact us at [email protected] and allow a 30-day period for good-faith resolution.
  • Binding Arbitration: If informal resolution fails, disputes exceeding CAD $500 shall be resolved by binding arbitration conducted on an individual basis in Toronto, Ontario, in accordance with the arbitration rules of the ADR Institute of Canada. The language of arbitration shall be English.
  • Small Claims Exception: Claims under CAD $500 may be brought in the Ontario Small Claims Court.
  • Class Action Waiver: You agree that disputes will be resolved on an individual basis only. You waive any right to participate in a class action, class arbitration, or representative proceeding against Tradei.
  • Severability: If any provision of this Policy is held to be unenforceable, the remaining provisions shall remain in full force and effect.
  • Entire Agreement: This Policy, together with our Terms of Service, constitutes the entire agreement between you and Tradei regarding privacy and data protection matters.

19. Contact Information

If you have questions, concerns, or requests regarding this Policy or our data practices:

We will acknowledge receipt of your request within 48 hours and provide a substantive response within 30 days.

Questions about your data? Contact us at [email protected]