Privacy Policy
Last updated: 2026-05-20
This policy explains what personal data Trading Agent collects, how we use it, and who we share it with. We try to keep it short and concrete — no “legalese for the sake of it.”
Trading Agent is operated by WU Capital Limited, a company incorporated in New Zealand. The “data controller” for the purpose of GDPR / CCPA is WU Capital Limited. Contact details at the bottom.
1. What we collect
- Account info — email and name you provide at signup.
- Authentication metadata — sign-in timestamps, IP for security checks (managed by Supabase).
- Consent records — which version of the Terms / Privacy / Disclaimer you agreed to at signup, plus the timestamp, IP, and user-agent of that consent (stored in our terms_acceptance table).
- Subscription state — plan tier, status, period end, customer + subscription IDs (mirrored from Stripe).
- Watchlist, alerts, paper-trading positions — tickers, thresholds, hypothetical positions you save.
- Prediction history — every prediction the model produces for you is logged in the public predictions_log table without your user_id attached (the log is anonymous, used for the public accuracy track record).
- Payment info — handled by Stripe directly; we never see card numbers. We retain only the customer / subscription identifiers Stripe issues us.
- Anonymous analytics — when you click “Accept” on our cookie banner, we send anonymous event data (pageviews, feature clicks) to PostHog. No PII; PostHog generates an anonymous distinct ID per browser. If you click “Reject” we don't initialise PostHog at all.
- Error reports — when something breaks we send the error stack trace to Sentry to debug. We strip query strings and don't capture form values; the report typically contains the URL, browser, and the error itself.
- Usage data — basic request logs from our hosting providers (Vercel and Render) for debugging and abuse prevention.
1a. Lawful basis for processing (EU / UK GDPR)
For users in the EU, UK, or EEA, we rely on these lawful bases under GDPR Article 6:
- Performance of a contract (Art. 6(1)(b)) — we process your account, authentication, subscription, watchlist, prediction history, and payment-state data because it is necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)) — we process minimal request logs, error reports (Sentry), and abuse-prevention metadata to keep the service secure and operational. Our legitimate interest in running a reliable, secure service is balanced against your right to privacy by the safeguards described below (data minimisation, short retention, no profiling).
- Consent (Art. 6(1)(a)) — we set the PostHog analytics cookie only after you click “Accept” on the cookie banner. You may withdraw consent at any time by clearing the ta_consent entry from your browser storage or by emailing us; withdrawal does not affect the lawfulness of processing before withdrawal.
- Legal obligation (Art. 6(1)(c)) — we retain certain billing and tax records as required by New Zealand revenue law and by Stripe's record-keeping requirements.
While our forecasts are produced by automated processes, you retain full discretion over any investment decision. We do not produce automated decisions that have legal or similarly significant effects on you within the meaning of GDPR Article 22. We do not profile individuals; our models operate on public market data, not on personal characteristics.
2. How we use it
- To run the service: authentication, paywall, watchlist persistence, predictions, paper trading.
- To bill you and process subscription state changes.
- To send transactional emails (account confirmation, trial reminders, plan changes, cancellations, opt-in daily digest).
- To investigate abuse, fraud, or security incidents.
- To understand which features matter and which marketing channels work (consent-gated PostHog only).
- To fix bugs when something breaks (Sentry).
We do not sell your data. We do not run ad networks on the site. We do not share data with marketing partners.
3. Who we share it with
The third-party services that act as data processors for Trading Agent (with links to each provider's public Data Processing Agreement):
- Supabase — database and authentication. Hosted in the region you select; default US. DPA
- Stripe — payment processing and subscription billing. Stripe is the controller of card data, not us. Stripe is certified to PCI-DSS Level 1 (the highest level); view Stripe's compliance attestation at stripe.com/legal/ssa. DPA. Payment authentication for EU / UK customers complies with PSD2 Strong Customer Authentication requirements, handled by Stripe.
- Brevo — transactional and digest email delivery (free tier). Brevo SAS is headquartered in Paris, France, and processes email data primarily within the EU. DPA
- PostHog — product analytics. Loaded only after you click “Accept” on the cookie banner. US or EU region depending on our project setup. DPA
- Sentry — error tracking. Captures stack traces when bugs happen. Sampled at 10%. DPA
- Vercel — frontend hosting. Edge servers globally. DPA
- Render — backend hosting (FastAPI service that runs the ML model).
- Cloudflare / CDN — traffic acceleration. Sees request metadata only.
Each of these has its own privacy policy and processes data on our behalf under standard data-processing agreements. We don't share your data with any other third parties for marketing purposes.
3a. Quebec (Law 25)
Residents of Quebec, Canada are afforded specific rights under An Act to modernize legislative provisions as regards the protection of personal information (Law 25):
- The right to be informed when your personal information is communicated outside Quebec, and to know the safeguards we apply (we transfer to our processors in the US and EU under Standard Contractual Clauses; see §8).
- The right to be informed of any automated processing used to make decisions about you. As described above, our forecasts are automated statistical output and do not produce decisions about you within Article 22 GDPR territory.
- The right to data portability (machine-readable export).
- The right to lodge a complaint with the Commission d'accès à l'information du Québec.
We currently provide this policy in English only. A French-language version is available on request — email contact@tradingagentapp.com with subject “Quebec privacy policy” and we'll send a translated copy within 30 days.
4. Cookies + tracking
We use three categories of cookies / local storage:
- Essential — authentication sessions (Supabase), CSRF tokens, locale preference. Required for the site to function; no consent needed under GDPR.
- Analytics — PostHog distinct ID + event queue. Set only if you click Accept on the cookie banner. Click Reject and we don't set these at all.
- Consent state — your accept / reject choice itself is stored in your browser's localStorage under ta_consent so we don't re-prompt on every visit. This is “strictly necessary” under GDPR as it's required to honour your preference.
Service-worker cache is also active when you use the site — we cache API responses for offline / cold-start fallback. No personal data leaves your device through the cache.
5. Your rights
- Access — view your account info from /account.
- Delete — email us at contact@tradingagentapp.com to delete your account. Subscription billing data may be retained to the extent required by Stripe and tax authorities.
- Export / data portability — email us and we'll send you a JSON export of your data within 30 days.
- Correct / rectify — update your profile from /account or email us.
- Restrict or object (EU/UK users) — you can ask us to restrict processing or object to legitimate-interest processing. Email us with details.
- Withdraw consent — for any processing based on consent (currently analytics only), you can withdraw at any time.
- Lodge a complaint with a supervisory authority — if you believe we have mishandled your personal data you have the right to complain to your local data-protection authority. Examples: the Office of the Privacy Commissioner in New Zealand (privacy.org.nz), the Information Commissioner's Office in the UK (ico.org.uk), or your member state's DPA in the EU. We'd appreciate it if you raised the issue with us first so we can try to resolve it directly.
We respond to verified rights requests within 30 days for GDPR users, 45 days for CCPA/CPRA users (California), and as soon as reasonably practicable for everyone else.
6. Data retention
Specific retention periods per data category (longer figures are legal-retention minimums, not internal preferences):
| Data category | Retention |
|---|---|
| Account / authentication metadata | Until account deletion |
| Subscription state (Stripe customer / sub IDs, status) | 7 years post-deletion (NZ tax + Stripe record-keeping) |
| Watchlist, alerts, paper-trading positions, saved scans | Until account deletion |
| Founder-feedback messages (Quant tier in-app messaging) | Until account deletion or thread closure + 2 years |
| Prediction history (anonymous; no user_id attached) | Indefinitely — part of the public accuracy record |
| Terms acceptance audit log | 7 years post-deletion (defensive evidence) |
| Error reports (Sentry) | 90 days |
| Request logs (Vercel / Render) | 30 days |
| Email delivery logs (Brevo) | 60 days |
| Analytics events (PostHog, consent-gated) | 13 months |
7. Security
Authentication is handled by Supabase using industry-standard hashing (Argon2id) and JWT sessions. Payment information is handled by Stripe and never touches our servers. All traffic is served over HTTPS with HSTS. Production secrets are stored in Vercel environment variables; access to the production database is restricted to a single service-role key held only on the server side. Two-factor authentication is available on every account via Account → Security.
In the event of a personal-data breach likely to result in a risk to your rights or freedoms, we will notify the appropriate supervisory authority (the NZ Office of the Privacy Commissioner, the EU member-state DPA, or the UK Information Commissioner's Office as applicable) within 72 hours of becoming aware of the breach, and notify you without undue delay where required. Our internal incident-response procedure is documented in INCIDENT_RESPONSE.md in the project repository.
8. International transfers
Our processors operate globally. By using Trading Agent you consent to your data being processed in the regions where these services run (primarily US and EU regions for Stripe / Brevo / Vercel; whichever region you select for Supabase and Render).
For transfers of EU / UK personal data outside the EEA, we rely on the European Commission's Standard Contractual Clauses (the 2021 modular SCCs, with the UK International Data Transfer Addendum where applicable) executed between Trading Agent and each sub-processor that requires them. Where a processor offers Data Processing Addenda based on those SCCs as part of their standard terms (Stripe, Brevo, Supabase, Vercel, Sentry, PostHog), we rely on those DPAs.
For Japan / South Korea users, data is transferred to our processors in the US and EU. We are not currently large enough to require a designated representative under APPI Art 75-3 (Japan) or PIPA Art 30-2 (South Korea). If we cross those thresholds we will appoint one and update this policy.
8a. U.S. state privacy rights
If you are a U.S. resident, your state may give you specific rights regarding your personal information. We honour these rights for all users globally, but they are guaranteed by statute for residents of the states listed below.
California (CCPA / CPRA). If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) gives you specific rights regarding your personal information.
Other comprehensive state privacy laws. Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Delaware (DPDPA), Tennessee (TIPA), Montana (MCDPA), Iowa (ICDPA), Indiana (INCDPA), New Jersey (NJDPA), New Hampshire (NHPA), Minnesota (MCDPA), Maryland (MODPA), and other states with comprehensive privacy laws are afforded substantially similar rights; the procedure to exercise them is the same as for California residents (email us — see below).
In the prior 12 months we have:
- Collected the categories of personal information listed in section 1 (identifiers, account credentials, commercial information, internet activity, inference data from product use). We do not collect the “sensitive personal information” categories defined in Cal. Civ. Code §1798.140(ae) other than account login credentials.
- Used personal information for the business purposes listed in section 2.
- Disclosed personal information only to the processors listed in section 3, under written processor agreements that restrict their use of the data to providing the service to us.
- Not sold and not shared personal information for cross-context behavioural advertising, monetary or other consideration. We do not have a “Do Not Sell or Share My Personal Information” link because there is no such selling or sharing to opt out of. If this ever changes, we will add the required link before any such activity begins.
California users have the right to:
- Know what personal information we have collected, used, and disclosed
- Delete personal information we hold about them (subject to legal-retention exceptions)
- Correct inaccurate personal information
- Opt out of sale or sharing (not applicable — we do neither)
- Limit our use of sensitive personal information (not applicable beyond credentials)
- Non-discrimination for exercising these rights
To exercise any of these rights, email contact@tradingagentapp.com with “CCPA request” in the subject. We will acknowledge within 10 business days and respond substantively within 45 calendar days (extendable once by 45 days with notice). We verify your identity by matching the email address on file with the account.
9. Changes to this policy
We'll update this page when our processors or practices change. The “last updated” date at the top reflects the latest version. Material changes will be communicated by email.
10. Contact
Questions about this policy? Email contact@tradingagentapp.com.