Privacy Policy

This Privacy Policy describes how Trade Tracer ("Trade Tracer," "we," "us," "our"), an entity organized under the laws of the State of Utah, collects, uses, discloses, and protects information about users of the website at tradetracer.io and related services (collectively, the "Service"). We collect the minimum information needed to operate the Service, do not sell or share personal information for cross-context behavioral advertising, and do not run third-party ad networks on the Service. By using the Service you agree to the processing of your information as described in this Privacy Policy.

2.1 Information you provide directly. Email address, a hashed password (we never see or store your plain-text password), an optional display name, and the content of any communications you send to us.

2.2 Billing information. Your name, billing address, and payment-method details are collected and stored by our third-party payment processor, Stripe, Inc. Trade Tracer never sees or stores your full payment-card number. We receive only a Stripe customer identifier, Subscription status, last four digits of the card, and card brand.

2.3 Usage and device data. IP address, approximate location derived from IP, browser type and version, device type and operating system, pages and features accessed, referring URL, request timestamps, and error logs. We use this information for security, troubleshooting, and product improvement.

2.4 Cookies and similar technologies. Authentication session tokens, preference cookies (chart toggles, UI theme), and first-party usage measurement. We do not use third-party advertising cookies. See Section 9.

2.5 What we do not collect. Trade Tracer does not collect brokerage account credentials, real-time trading positions, bank account numbers, Social Security numbers, government identifiers, biometric identifiers, precise geolocation (within 1,750 feet), or sensitive personal information as defined in the California Privacy Rights Act. Trade Tracer never asks for any of these.

We collect information directly from you (e.g., at registration), from your device automatically (e.g., usage logs), and from third-party service providers (e.g., Stripe sends us subscription events).

We use the information we collect to:

• Authenticate users and maintain account sessions (legal basis under the GDPR: performance of a contract, Article 6(1)(b));
• Process subscriptions, prevent payment fraud, and comply with anti-money-laundering and tax obligations (performance of a contract and legal obligation, Article 6(1)(b) and 6(1)(c));
• Deliver the Service, including charts, signals, AI reports, and related Content (performance of a contract);
• Send transactional and onboarding emails — for example welcome, password reset, billing receipts, important service announcements (performance of a contract);
• Diagnose technical issues, secure the Service, and prevent abuse (legitimate interests, Article 6(1)(f));
• Improve, develop, and analyze the Service (legitimate interests);
• Comply with legal, regulatory, and law-enforcement obligations (legal obligation);
• Send marketing communications where you have opted in or where permitted by applicable law, including under existing customer exemptions (consent or legitimate interests with right to opt out, Article 6(1)(a) or 6(1)(f)).

We will not use your information for any purpose materially different from the purposes described in this Privacy Policy without first providing notice and, where required by law, obtaining consent.

We disclose information only to service providers and third parties as necessary to operate the Service. We maintain appropriate data protection terms with each of the following recipients:

• Supabase, Inc. — hosts our database, authentication, and user records;
• Stripe, Inc. — processes subscription payments and stores billing data;
• Vercel Inc. — hosts the web frontend and stores request logs;
• Railway Corp. — hosts the backend API and the nightly scanner pipeline;
• Anthropic, PBC — provides the AI models that generate analytical reports. We do not transmit user personal information to Anthropic; we transmit only ticker symbols, scanner output, and other market data;
• Polygon.io — provides market data. We do not transmit user information to Polygon.io;
• Email delivery provider — transmits transactional and marketing email on our behalf;
• Analytics provider (if and when adopted) — provides aggregated usage analytics on a first-party basis.

We may also disclose information when required by law, subpoena, court order, or other legal process; to enforce our Terms; to protect our rights, property, or safety, or the rights, property, or safety of users or third parties; or in connection with a merger, acquisition, financing, reorganization, or sale of substantially all of our assets, subject to confidentiality obligations and successor obligations under this Privacy Policy.

We do not sell personal information to advertisers or data brokers, and we do not share personal information for cross-context behavioral advertising. See Section 10.

Our service providers operate primarily in the United States. If you access the Service from outside the United States, your information will be transferred to and processed in the United States. Where information about data subjects in the European Economic Area, the United Kingdom, or Switzerland is transferred to the United States, such transfers are made under the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another lawful transfer mechanism, including supplementary measures where appropriate.

We retain information for the periods described below or for as long as necessary to satisfy the purposes for which it was collected, whichever is longer:

• Account records (email, hashed password, account preferences): for the life of your account plus up to 90 days following deletion, except where a longer period is required by law;
• Billing records (Stripe customer ID, Subscription status, invoices): seven (7) years from the date of the transaction, to comply with U.S. federal and state tax record-retention requirements;
• Server logs (IP, request metadata): up to 90 days, then aggregated or deleted;
• Support correspondence (email threads): up to three (3) years following the last interaction;
• Marketing consent records: for as long as your consent remains valid plus seven (7) years following withdrawal.

We implement commercially reasonable administrative, technical, and physical safeguards designed to protect the information we collect: HTTPS in transit, encryption at rest (provided by our hosting providers), secrets management for API credentials, Row-Level Security policies on user data in our database, bcrypt-style password hashing, rate limiting on authentication endpoints, and segregation of production and development environments.

No method of transmission or storage is perfectly secure, and we cannot guarantee absolute security. In the event of a personal data breach affecting your information, we will notify affected users and applicable regulators as required by applicable law.

We use the following categories of cookies and similar local-storage technologies:

• Strictly necessary — authentication session tokens, security tokens, load-balancing identifiers. Without these the Service cannot function. These are not optional.
• Functional — preference cookies that remember your chart toggles, theme, and UI choices.
• Performance / analytics — first-party measurement of feature usage in aggregated form, used to improve the Service.

We do not use cookies for cross-site advertising, retargeting, or any comparable third-party tracking. You may block or delete cookies through your browser settings; doing so may prevent you from staying signed in or using certain features.

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively "CCPA/CPRA") grants you specific rights regarding your personal information, including the right to know what categories and specific pieces of personal information we have collected, the right to know to whom we disclose it, the right to request deletion, the right to request correction, the right to limit the use of sensitive personal information, the right to opt out of sales and sharing for cross-context behavioral advertising, and the right not to be discriminated against for exercising any of these rights.

Trade Tracer does not "sell" or "share" personal information as those terms are defined under the CCPA/CPRA. We do not disclose personal information to third parties in exchange for monetary or other valuable consideration, and we do not disclose personal information for cross-context behavioral advertising.

To exercise CCPA/CPRA rights, email blake@tradetracer.io from the address associated with your account. We will respond within 45 days, with one 45-day extension where reasonably necessary and permitted by law. We may need to verify your identity before processing the request. An authorized agent may submit a request on your behalf with proof of authorization.

If you are a data subject in the European Economic Area, the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR), the UK GDPR, or equivalent law:

• Access (Article 15): obtain confirmation of processing and a copy of your personal data;
• Rectification (Article 16): correct inaccurate or incomplete data;
• Erasure (Article 17): request deletion of your data, subject to applicable retention obligations;
• Restriction (Article 18): limit the processing of your data in certain circumstances;
• Portability (Article 20): receive your data in a structured, commonly used, machine-readable format and transmit it to another controller;
• Objection (Article 21): object to processing based on legitimate interests, including direct marketing;
• Withdraw consent: where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of pre-withdrawal processing;
• Complaint: lodge a complaint with your local data-protection supervisory authority.

To exercise any of these rights, email blake@tradetracer.io. We will respond within 30 days, with extensions only where permitted by applicable law and only after notifying you of the extension and the reasons for it.

If you are a resident of Colorado, Connecticut, Utah, Virginia, or another U.S. state with applicable privacy law in effect, you may have rights comparable to those described in Sections 10 and 11, including the rights to access, correct, delete, and opt out of certain processing. To exercise these rights, contact us at blake@tradetracer.io.

The Service includes AI-generated written analysis produced by large language models from inputs we provide. These outputs do not constitute automated decision-making that produces legal effects or similarly significant effects on you within the meaning of GDPR Article 22. We do not use the AI to make decisions about your access to credit, insurance, employment, housing, or any other significant legal or contractual right.

AI outputs are general-purpose educational analysis and should not be relied on as a substitute for human judgment. See our Risk Disclosure.

The Service is not directed to and we do not knowingly collect personal information from individuals under the age of 18. Use of the Service by individuals under 18 is prohibited by Section 1 of our Terms of Service. If we learn that we have collected information from a person under 18, we will promptly delete it. Parents or guardians who believe a child has provided us with personal information may contact us at blake@tradetracer.io.

The Service may contain links to third-party websites and services. We are not responsible for the privacy practices of those third parties, and this Privacy Policy does not apply to them. We encourage you to review the privacy policies of any third-party services before providing them with personal information.

We may update this Privacy Policy from time to time. We will post the updated policy on this page with a new Effective Date. Material changes will be communicated by email when reasonably possible. Where required by applicable law, we will obtain renewed consent before any new processing of your information.

For all privacy-related questions, requests, or complaints, contact us at blake@tradetracer.io. For EU/UK data subjects, this address also serves as our designated contact point for data-protection matters.