This policy explains what personal data AI-TRADE collects, how we use it, with whom we share it, and what rights you have under the EU General Data Protection Regulation (GDPR). We try to use plain language; please contact us at privacy@ai-trade.io if anything is unclear.
1. Controller
The data controller responsible for processing your personal data is:
[Company Name]
[Street Address]
[Postal Code, City, Country]
Email: privacy@ai-trade.io
2. Categories of Personal Data
- Account data — name, email address, password hash, account creation timestamp.
- Session data — authentication cookies, IP address (for security), user-agent.
- Payment data — billing email, subscription tier, plan history. Card details are handled by Stripe; we only store metadata (Stripe customer ID, last4, expiry).
- Usage data — page views, feature interactions, signal-list views, watchlist entries.
- Paper-trading data — signals you viewed, paper trades you simulated. No real-money trading occurs through this service.
- Support data — content of any messages you send to support@ai-trade.io.
3. Purposes of Processing
- Account creation and authentication.
- Subscription billing and invoicing.
- Delivering the signal service (generating, storing, and displaying signals).
- Security, fraud prevention, and abuse mitigation.
- Product analytics and service improvement (only with your consent).
- Responding to user requests and legal obligations.
4. Legal Bases (Art. 6 GDPR)
- Art. 6(1)(b) — contract: account, billing, signal delivery.
- Art. 6(1)(a) — consent: non-essential cookies, product analytics.
- Art. 6(1)(f) — legitimate interest: security, fraud prevention, network and systems integrity.
- Art. 6(1)(c) — legal obligation: tax/accounting retention.
5. Recipients and Sub-Processors
We use the following service providers (sub-processors) to operate AI-TRADE. Each is bound by a Data Processing Agreement under Art. 28 GDPR.
- Vercel Inc. (USA) — web hosting and CDN. Privacy policy.
- Railway Corp. (USA) — backend API and worker hosting. Privacy policy.
- Neon Inc. (USA, EU region) — managed Postgres database. Privacy policy.
- Anthropic PBC (USA) — Claude API for signal generation. We do not send personal data to Claude. Privacy policy.
- Stripe Inc. (USA, EU subsidiary) — payment processing. Privacy policy.
- TwelveData Inc. (USA) — market data provider. We do not send personal data to TwelveData. Privacy policy.
- Resend Inc. (USA) — transactional email delivery. Privacy policy.
- Cloudflare Inc. (USA) — Turnstile bot protection on signup. Privacy policy.
- Sentry / Functional Software Inc. (USA) — error monitoring. Privacy policy.
- Vercel Analytics — privacy-friendly product analytics, only loaded after you consent. Details.
6. Transfers to Third Countries
Several sub-processors are based in the United States. Transfers occur on the basis of the EU Standard Contractual Clauses (SCCs) under Art. 46(2)(c) GDPR and, where available, the EU–US Data Privacy Framework. Where a provider offers an EU region, we use it (e.g. Neon EU, Stripe EU).
7. Retention
- Account data: for the lifetime of your account, plus 30 days after deletion (recovery window).
- Billing and invoice data: 10 years (German GoBD / §147 AO).
- Server logs: 30 days, then deleted or anonymised.
- Analytics data (if consented): 24 months.
- Support correspondence: 24 months after the case is closed.
8. Your Rights
Under Art. 15–22 GDPR you have the right to:
- Access your personal data (Art. 15).
- Rectify inaccurate data (Art. 16).
- Erase your data (Art. 17).
- Restrict processing (Art. 18).
- Receive your data in a portable format (Art. 20).
- Object to processing based on legitimate interest (Art. 21).
- Withdraw consent at any time (without affecting prior lawful processing).
To exercise any of these rights, email privacy@ai-trade.io. We respond within 30 days. You also have the right to lodge a complaint with your competent data-protection supervisory authority.
9. Automated Decision-Making
Our trading signals are generated by AI models, but we do not perform automated decision-making about you within the meaning of Art. 22 GDPR. We do not profile users, score them, or make decisions with legal effect based on automated processing.
10. Cookies and Local Storage
We use the minimum cookies required to operate the service, plus optional analytics cookies that only load if you give consent.
- Essential (always set):
  - better-auth.session_token — authentication session, ~30 days.
  - cookie-consent-2026-04-30 — your consent choice, 12 months.
  - paper-banner-dismissed — UI preference, 30 days.
  - theme — light/dark preference, persistent.
- Analytics (only if you consent): Vercel Analytics — anonymous page-view metrics.
You can change or withdraw your consent at any time via the cookie banner (clear your cookie-consent-2026-04-30 entry to re-trigger it).
11. Data Security
All traffic is encrypted in transit (TLS 1.2+). Data at rest in our Postgres database (Neon) is encrypted. Passwords are hashed with the algorithm implemented by Better-Auth (scrypt-based by default). Access to production systems is restricted and logged.
12. Children
AI-TRADE is not intended for users under 18. We do not knowingly collect personal data from minors.
13. Updates to This Policy
We may update this policy as the service evolves. Material changes will be announced via email and on this page. The “Last updated” date at the top reflects the current version.
14. Contact
Questions, requests, or complaints: privacy@ai-trade.io. For an Impressum (TMG §5) see /impressum.