Plain-language summary: We collect only what we need to run Tradexa. We never sell your data. You own your trading data and can export or delete it at any time. This policy explains exactly what we collect, why, and your rights under GDPR and CCPA.
1. Who We Are
Tradexa, Inc. ("Tradexa," "we," "us," "our") is a Delaware corporation operating the Tradexa platform at tradexa.io. We act as the data controller for the personal data described in this policy.
Data Protection Officer: privacy@tradexa.io
Registered address: Tradexa, Inc., 2093 Philadelphia Pike #3182, Claymont, DE 19703, USA
EU representative: eu-privacy@tradexa.io
2. What Data We Collect
Account Data
- Name, email address, and password (hashed with bcrypt, never stored in plaintext)
- Profile information you voluntarily provide: trading experience, markets, timezone, bio
- Billing information (processed by Stripe; we store only the last 4 digits, card type, and expiry)
- Profile photo (optional, stored in AES-256 encrypted object storage)
Trading Data
- Trade journal entries: date/time, instrument, direction, entry/exit prices, size, P&L, notes, tags, emotion state, setup type, screenshots
- Backtesting strategy notes, results, and lessons
- Weekly review notes and AI-generated insights specific to your account
- Broker API connection tokens (read-only, encrypted at rest)
Usage Data
- Pages visited, features used, and time spent (privacy-first, no cross-site tracking)
- Browser type, operating system, screen resolution
- IP address (anonymized after 24 hours; not linked to trade data)
- Session information: login time, device type, approximate location (city-level)
What We Never Collect
- Government IDs, social security numbers, or passport numbers
- Your brokerage account balance or the ability to place trades (all broker connections are read-only)
- Cross-site tracking data or advertising profiles
- Data sold to or received from data brokers
3. Legal Basis for Processing (GDPR)
| Data Type | Legal Basis | Purpose |
|---|---|---|
| Account & billing data | Contract performance | Creating and managing your account, processing payments |
| Trading journal data | Contract performance | Delivering journaling, analytics, and AI features |
| Usage analytics | Legitimate interest | Improving the platform and fixing bugs |
| Security audit logs | Legitimate interest | Detecting fraud and protecting your account |
| Marketing emails | Consent | Sent only with explicit opt-in; unsubscribe anytime |
4. How We Use Your Data
- AI Coach: Your trade history is analyzed server-side to generate personalized insights. Results are stored only in your account.
- Weekly Reviews: AI-generated summaries use your journal data and are displayed exclusively to you.
- Platform improvement: Aggregated, anonymized usage patterns help us prioritize features. Individual trade data is never used for this.
- Security: Login events and IP addresses are used to detect suspicious activity and notify you.
- Billing: Processing subscriptions, sending invoices, managing plan changes.
- Support: Your support tickets are retained for 12 months to provide consistent service.
- Communications: Transactional emails (receipts, security alerts, weekly review notifications). Marketing emails only with your consent.
We will never use your individual trading data to train AI models shared with other users without your explicit opt-in consent.
5. Who We Share Your Data With
We do not sell your data. We share it only with vendors necessary to operate the platform, each bound by a Data Processing Agreement (DPA):
| Vendor | Purpose | Data Shared | Region |
|---|---|---|---|
| Stripe | Payment processing | Billing info only | US / EU |
| SendGrid | Email delivery | Email, name | US |
| AWS | Hosting & storage | All encrypted data | US-East, EU-West |
| Cloudflare | CDN & security | IP, traffic metadata | Global |
| Sentry | Error monitoring | Error logs (no trade data) | US |
We may disclose data if required by law (e.g., valid court order). We will notify you unless legally prohibited from doing so.
6. How Long We Keep Your Data
- Account & trading data: Active account life + 30 days after deletion request
- Billing records: 7 years (legal requirement for financial records)
- Security audit logs: 90 days
- Support tickets: 12 months after resolution
- Usage analytics (anonymized): Up to 24 months in aggregate form
After deletion, your data is permanently purged from all systems within 30 days per GDPR Article 17.
7. Your Rights
Under GDPR (EU / EEA users)
- Right to access: Request a copy of all data we hold about you
- Right to rectification: Correct inaccurate personal data
- Right to erasure: Request deletion ("right to be forgotten")
- Right to restrict processing: Limit how we use your data
- Right to data portability: Receive your data in JSON or CSV format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Revoke marketing consent at any time
Under CCPA (California residents)
- Right to know what personal information we collect and how we use it
- Right to delete personal information we've collected
- Right to opt out of the "sale" of personal information (we don't sell data)
- Right to non-discrimination for exercising your rights
To exercise any right: go to App → Data & Backups → Export Your Data, or email privacy@tradexa.io. We respond within 30 days.
8. Cookies
We use cookies to keep you logged in, remember your preferences, and understand how the platform is used. See our full Cookie Policy for details. Manage your cookie preferences at any time via the cookie consent banner or under Settings → Privacy.
9. Security
- AES-256 encryption at rest for all stored data
- TLS 1.3 encryption in transit for all communications
- SOC 2 Type I certified (report available on request)
- Cross-region database replication (US-East + EU-West)
- Multi-factor authentication available on all accounts
- All broker API connections are read-only; we cannot place trades on your behalf
- Regular penetration testing and vulnerability scans
To report a vulnerability: security@tradexa.io
10. Children's Privacy
Tradexa is not directed at children under 18. We do not knowingly collect data from minors. If you believe a minor has created an account, contact privacy@tradexa.io and we will promptly delete it.
11. International Data Transfers
Your data is primarily stored in the United States (AWS US-East-1) with a replica in the EU (AWS EU-West-1). For EU/EEA users, transfers to the US are made under the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as required by GDPR Chapter V.
12. Changes to This Policy
We will notify you of material changes by email at least 30 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.