1. TL;DR
We collect the minimum data needed to run your trading journal, AI coach, and broker connections. We do not sell your data. We do not train anyone’s AI model on your trades, journal entries, or personal information. You can export or delete everything you’ve ever given us, on demand.
2. Who we are
TradeDNA is operated by TradeDNA Labs, Inc. (“TradeDNA,” “we,” “us”), a Delaware C-Corp. Our product is a trading journal, AI coaching tool, and market intelligence platform for self-directed retail and prop-firm traders.
3. What we collect
Account data (you give us)
- Email address
- Password (hashed via Supabase Auth — never stored in clear text)
- Username (your public handle)
- Display name (optional)
- Trading experience + attribution (onboarding)
Trading data (you give us or your broker gives us via your connection)
- Trades, fills, orders, and account balances
- Broker account credentials — encrypted at rest using AES-256 with a TradeDNA-managed key
- Journal entries (sleep, stress, focus, pre/post-session notes, mood tags)
- Trading plan rules and risk limits
Product usage data (we measure)
- Pageviews, feature clicks, session duration (via PostHog)
- Device, browser, and coarse geographic location (country + region only)
- Error reports when the app crashes (via Sentry)
What we do NOT collect
- Your broker password in plain text — we use OAuth tokens or encrypted investor-password flows wherever the broker supports it
- Credit card numbers — all payments run through Stripe, which handles PCI compliance
- Full-session replays or screen recordings by default
- Microphone, camera, or location beyond country/region
4. How we use your data
- To run the product. Display your trades, compute P&L, score your rule compliance, overlay your data on market replays.
- To power the AI coach. Your trades and journal are sent to Anthropic (Claude) at inference time so the coach can give grounded feedback. Anthropic’s policy does not allow them to train models on API traffic. Your data is not used to improve any foundation model.
- To improve the product. Aggregate, de-identified usage data tells us what features work. Individual data is never shared externally in this process.
- To communicate with you. Transactional emails (confirmations, password resets), product announcements (you can opt out), and coaching summaries you’ve opted into.
- To comply with law. If we get a valid subpoena, we’ll comply and notify you unless legally prohibited.
5. Who we share data with
We share data only with the third-party processors we need to run the service:
- Supabase — database, auth, storage (US region, hosted on AWS)
- Railway — app + worker hosting (US region)
- Stripe — payments
- Anthropic — AI inference for the coach and journal summaries
- Resend — transactional email
- PostHog — product analytics (self-hostable; we use their cloud)
- Sentry — error tracking
- Polygon.io, Benzinga, ForexFactory, CFTC — market data (read-only)
We do not sell your data. We do not share it with advertisers, data brokers, or ad networks. Each processor above has its own privacy commitments; we’ve chosen them because they meet our bar.
6. Data retention
- Active account data: retained while your account is active.
- After deletion: we wipe your trades, journal, plan, and account within 30 days of your deletion request. Backups roll off within 60 days.
- Aggregate analytics: retained indefinitely in de-identified form.
- Legal holds: if we’re under subpoena, retention may extend as required.
7. Your rights
Regardless of where you live, you can:
- Access everything we have on you — request an export anytime from Settings → Data & Privacy.
- Delete your account — one-click from Settings. Takes effect within 30 days.
- Correct inaccurate data — edit in-app or email us.
- Port your data — CSV + JSON export of every trade, journal entry, and plan rule.
- Opt out of non-essential emails — every marketing email has an unsubscribe link.
If you’re in the EEA, UK, or California, you additionally have the rights granted by GDPR, UK-GDPR, and CCPA. Our US entity acts as the controller of your data.
8. Security
Broker credentials are encrypted at rest with a key held in our secrets store, separate from the database. Passwords are hashed by Supabase. Data in transit is encrypted with TLS 1.3. Our production environment enforces least-privilege IAM and short-lived credentials. We run Sentry-based error monitoring so we can see and respond to incidents fast.
We’ll tell you about a breach affecting your account data within 72 hours of confirming it, as required by GDPR, and sooner where we can.
9. Cookies & tracking
We use first-party cookies (Supabase session, CSRF tokens) to run the product. PostHog sets a first-party cookie to identify your anonymous device across pageviews. We do not use third-party advertising trackers.
10. Kids
TradeDNA is not intended for users under 18. If we learn we’ve collected data from a minor, we’ll delete it.
11. Changes to this policy
If we make material changes, we’ll email all active users at least 14 days before the changes take effect. Minor wording fixes will be rolled out silently, but the “last updated” date at the top will always be current.