Privacy Policy

Tradapt ("we", "us", "our") operates the trading journal and analytics platform at tradapt.com ("the Service"). We are the data controller for personal data collected through the Service.

For data protection enquiries, contact us at support@tradapt.com. Our registered address is available upon request.

UK GDPR. This Privacy Policy is compliant with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you are located in the European Economic Area (EEA), the EU GDPR also applies, and we process your data under Standard Contractual Clauses for any transfers to the UK.

Account data: Name, email address, and hashed password when you register. Optionally, your trading experience level and account type during onboarding.

Trade data: Instrument symbols, entry/exit prices, trade dates and times, profit/loss, position sizes, notes, tags, setup labels, emotional state entries, screenshots, and any other information you voluntarily add to your trade journal.

Usage data: Pages visited, features used, button clicks, time spent in the app, browser type, operating system, and approximate location (country level) derived from IP address. Collected via Vercel Analytics.

Payment data: Subscription plan, billing history, and payment method metadata (last four digits, expiry date, card type). Full card numbers are never stored by us — they are handled directly by Stripe, our PCI-compliant payment processor.

Communications: If you contact us via the contact form or email, we retain the content of that communication and your email address.

AI interaction data: Messages sent to the AI Coach and AI-generated responses, stored to maintain conversation context and improve the Service.

We process your personal data under the following legal bases:

Contract (Article 6(1)(b)). Processing necessary to provide the Service you have subscribed to, including storing your trade data, processing payments via Stripe, and delivering AI features.

Legitimate interests (Article 6(1)(f)). Processing for our legitimate business interests, including: service security and fraud prevention, improving our AI models using aggregated anonymous data, sending service-related notifications, and usage analytics. We have assessed that these interests do not override your rights.

Consent (Article 6(1)(a)). Where we send marketing communications, we rely on your explicit consent. You can withdraw consent at any time by clicking "Unsubscribe" in any marketing email.

Legal obligation (Article 6(1)(c)). Processing required to comply with applicable laws, including financial record-keeping and responding to lawful requests from regulatory authorities.

We use your data to:

• Provide, operate, and maintain the Service.
• Process subscription payments and manage billing.
• Generate AI-powered insights, coaching responses, and weekly digests.
• Send transactional notifications (account activity, payment receipts, service updates).
• Respond to support requests and enquiries.
• Detect and prevent fraud, abuse, and security incidents.
• Analyse usage patterns (using aggregated, anonymised data) to improve the Service.
• Comply with legal obligations.

We do not use your personal trade data for advertising or sell it to third parties.

The Service uses artificial intelligence to generate insights, coaching responses, and performance analyses. These AI-generated outputs are informational and advisory only — they do not produce legal effects or similarly significant decisions about you.

The AI processes your trade data and journal entries to identify patterns and provide personalised feedback. No fully automated decisions with significant legal or financial impact are made about you based on AI outputs alone.

You may request human review of any AI output you believe is inaccurate or misleading by contacting support@tradapt.com.

We share your data only with trusted subprocessors necessary to provide the Service. We do not sell your personal data. Our key subprocessors are:

Supabase (United States) — Database storage and authentication. Your trade data and account information is stored on Supabase infrastructure. Transfer mechanism: Standard Contractual Clauses (SCCs).

Stripe (United States) — Payment processing. Handles subscription billing and payment method storage. Stripe's own Privacy Policy governs their processing. Transfer mechanism: SCCs.

Vercel (United States) — Hosting and edge infrastructure. Serves the web application. Transfer mechanism: SCCs.

OpenAI (United States) — Powers certain AI features (batch insights, weekly digest). Data sent to OpenAI is governed by OpenAI's API data usage policy; we do not use the zero data retention API. Transfer mechanism: SCCs.

Anthropic (United States) — Powers AI Coach, trade analysis, and contextual insights. Transfer mechanism: SCCs.

SMTP2Go (Australia/United States) — Transactional email delivery. Transfer mechanism: SCCs.

Vercel Analytics — Anonymised usage analytics. No cookies; IP addresses are not stored.

We may also disclose data where required by law, court order, or to protect the rights, property, or safety of Tradapt, our users, or the public.

In the event of a business sale, merger, or acquisition, your data may be transferred to the acquiring entity under equivalent protection commitments.

Tradapt is operated from the United Kingdom. Our subprocessors are primarily based in the United States. When we transfer personal data outside the UK to countries without an adequacy decision, we rely on UK-approved Standard Contractual Clauses (SCCs) as the transfer mechanism to ensure adequate protection of your data.

If you are in the EEA, transfers from the EEA to the UK are covered by the UK's adequacy decision under EU GDPR. Transfers from the EEA to the United States rely on EU SCCs where applicable.

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data at rest (AES-256) and in transit (TLS 1.2+).
• Access controls limiting data access to authorised personnel.
• Regular security reviews of our infrastructure.
• Supabase row-level security to ensure users can only access their own data.

No method of transmission or storage is 100% secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours of becoming aware, as required by UK GDPR.

To report a security concern, contact support@tradapt.com.

We retain your personal data for as long as your account is active or as needed to provide the Service.

When you delete your account:

• Personal data (name, email, trade data, journal entries) is permanently deleted within 30 days.
• Payment records are retained for 7 years to comply with UK tax and financial record-keeping obligations.
• Anonymised, aggregated data (with all identifying information removed) may be retained indefinitely for service improvement.

You may export a copy of your data at any time from Settings > Export Data before account deletion.

As a UK data subject, you have the following rights:

Right of access. Request a copy of the personal data we hold about you.

Right to rectification. Request correction of inaccurate or incomplete personal data.

Right to erasure. Request deletion of your personal data where there is no compelling reason for us to continue processing it (subject to legal retention obligations).

Right to data portability. Receive your personal data in a structured, machine-readable format (available via Settings > Export Data).

Right to object. Object to processing based on legitimate interests, including profiling.

Right to restrict processing. Request that we limit processing of your data in certain circumstances.

Rights related to automated decision-making. Request human review of AI-generated analyses.

To exercise any of these rights, contact support@tradapt.com. We will respond within one month (extendable by two months for complex requests). We may ask you to verify your identity before processing your request.

Right to lodge a complaint. If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk | 0303 123 1113.

Essential cookies (no consent required): Authentication tokens (Supabase session), CSRF protection tokens, and user preference settings. These are strictly necessary for the Service to function.

Analytics (privacy-preserving): We use Vercel Analytics, which does not use cookies and does not collect personally identifiable information or IP addresses.

We do not use advertising cookies, tracking pixels, or share cookie data with advertising networks.

You can manage cookies through your browser settings. Disabling essential cookies will prevent you from logging in.

The Service is not directed to persons under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you become aware that a child has provided us with personal data without parental consent, please contact support@tradapt.com and we will delete that information promptly.

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or in-app notification at least 14 days before the changes take effect.

The date at the top of this page indicates when this Policy was last updated. We encourage you to review it periodically.

For privacy-related enquiries, requests, or complaints:

Email: support@tradapt.com Response time: We aim to respond within 5 business days. Registered address: Available upon request via support@tradapt.com

Use the same address for security, legal, or general enquiries — a clear subject line helps us route your message.