Privacy Policy
Last updated: April 13, 2026
Tradevanish ("Company", "we", "us") is committed to protecting your privacy. This policy describes how we collect, use, store, and share your personal data when you use our platform at www.tradevanish.com ("Service").
1. Information We Collect
1.1 Account Information
- Registration data: Email address, name, phone number (optional), password (stored as bcrypt hash)
- Authentication data: JWT session tokens, TOTP 2FA secrets (encrypted)
- Billing data: Processed by Stripe. We store your Stripe customer ID but never store credit card numbers
1.2 Broker Credentials
- API keys and OAuth tokens: Required to connect your broker accounts. Stored encrypted in our database
- Broker account IDs: Used to identify and operate your connected accounts
- Trade execution data: Order details, fills, positions, P&L — logged for your trade history and platform operation
We never share your broker credentials with third parties. Credentials are used solely to execute trades on your behalf according to your configuration.
1.3 Technical Data
- IP addresses: Your real IP (for security) and assigned proxy IPs (for trading)
- Device information: Browser type, operating system, screen resolution (via standard HTTP headers)
- Usage data: Pages visited, features used, session duration, error logs
- WebSocket connection data: Listener session timestamps, connection status, reconnection events
1.4 Trading Data
- Trade execution records (ticker, side, quantity, price, timestamp)
- Copy engine performance metrics (latency, fill rates, slippage)
- Risk rule configurations and trigger events
- Signal webhook payloads and execution history
- Account balances, equity, and performance statistics fetched from brokers
2. How We Use Your Data
| Purpose | Legal Basis |
|---|---|
| Operate the copy trading service | Contract performance |
| Execute trades on your connected accounts | Your explicit authorization |
| Send transactional emails (welcome, password reset, trade alerts) | Contract performance |
| Process subscription payments | Contract performance |
| Maintain security and prevent fraud | Legitimate interest |
| Improve platform performance and reliability | Legitimate interest |
| Comply with legal obligations | Legal requirement |
3. Data Storage & Security
3.1 Infrastructure
- Application hosting: Vercel (frontend), Railway (API and database)
- Database: PostgreSQL on Railway with encrypted connections
- Email: Resend (transactional email delivery)
- Payments: Stripe (PCI DSS compliant)
- Proxy network: BrightData (residential proxy provider)
3.2 Security Measures
- All data transmitted over HTTPS/TLS encryption
- Passwords hashed with bcrypt (12 rounds)
- Broker credentials encrypted at rest
- API keys stored as SHA-256 hashes (raw keys never stored)
- TOTP two-factor authentication available
- JWT tokens with 7-day expiration
- CORS restrictions and rate limiting on API endpoints
3.3 Data Retention
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Broker credentials | Deleted within 30 days of account disconnection |
| Trade execution logs | 90 days after account closure |
| Billing records | 7 years (legal/tax requirement) |
| Security logs | 12 months |
| Email delivery logs | 30 days |
4. Data Sharing
We do NOT sell your personal data. We share data only with:
- Broker platforms (TopStepX, Tradovate, NinjaTrader, Rithmic) — Only the credentials and order data necessary to execute trades on your behalf
- Stripe — Payment processing (name, email, payment method)
- Resend — Email delivery (email address, message content)
- BrightData — Proxy network access (no personal data shared; proxy sessions are anonymous)
- Law enforcement — Only when legally compelled by court order or subpoena
5. Cookies & Local Storage
- Authentication cookie: HttpOnly, Secure, SameSite=Lax — contains your session JWT
- localStorage: Stores authentication token for API requests. Cleared on logout
- We do NOT use advertising cookies, tracking pixels, or third-party analytics
6. Your Rights
Depending on your jurisdiction (including GDPR, CCPA), you may have the right to:
- Access: Request a copy of all personal data we hold about you
- Rectification: Correct inaccurate personal data
- Deletion: Request deletion of your account and associated data
- Portability: Receive your data in a structured, machine-readable format
- Restriction: Limit how we process your data
- Objection: Object to processing based on legitimate interest
- Withdraw consent: At any time, without affecting prior processing
To exercise these rights, contact privacy@tradevanish.com. We will respond within 30 days.
7. International Transfers
Your data may be processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place for international transfers, including standard contractual clauses where applicable.
8. Children's Privacy
Tradevanish is not intended for users under 18 years of age. We do not knowingly collect data from minors. If you believe a minor has created an account, contact us immediately.
9. Changes to This Policy
We may update this Privacy Policy periodically. Material changes will be communicated via email to your registered address at least 14 days before taking effect. The "Last updated" date at the top reflects the most recent revision.
10. Data Protection Officer
For privacy-related inquiries or to exercise your data rights:
Email: privacy@tradevanish.com
Subject: Privacy Request — [Your Name]
We aim to resolve all privacy requests within 30 calendar days.