🔒 Privacy Policy
Last Updated: 2026-02-15
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our trading automation platform.
1. Information We Collect
1.1 Information You Provide
| Data Type | Purpose | Retention |
| Email address | Account identification, communications | Until account deletion |
| Password (hashed) | Authentication | Until account deletion |
| Brokerage API keys (encrypted) | Trade execution | Until you revoke or delete |
| Trading preferences | Strategy configuration | Until account deletion |
1.2 Information Collected Automatically
- Usage Data: Pages visited, features used, actions taken
- Device Information: Browser type, operating system, IP address
- Trading Activity: Agent performance, trade history (through your brokerage)
- Log Data: Server logs for debugging and security
1.3 Information We Do NOT Collect
- Your brokerage account password
- Your bank account information
- Your Social Security Number
- Personal financial statements
2. How We Use Your Information
- Service Delivery: Execute trades, run strategies, display dashboards
- Account Management: Authentication, support, billing
- Improvements: Analyze usage to improve features
- Communications: Service updates, alerts, marketing (with consent)
- Security: Detect fraud, protect against unauthorized access
- Legal Compliance: Meet regulatory requirements
3. API Key Security
Your API keys are treated with the highest security:
- Encrypted at rest using AES-256 encryption
- Encryption keys stored separately from encrypted data
- Keys only decrypted in isolated execution environment
- Never logged or displayed in plain text
- Access restricted to essential personnel only
- Regular security audits conducted
4. Information Sharing
We do NOT sell your personal information. We may share information only:
- With Your Brokerage (Alpaca Markets): API calls to execute your trades. Alpaca receives your API key and trade instructions.
- Market Data Providers: We receive market data from third-party financial data providers. We do NOT share your personal information with them.
- Service Providers: Hosting, analytics (bound by confidentiality)
- Legal Requirements: When required by law or legal process
- Business Transfers: In case of merger or acquisition (with notice)
- With Your Consent: When you explicitly authorize sharing
4.1 Third-Party Services
| Provider | Purpose | Data Shared |
| Alpaca Markets | Trade execution, account data | Your API key, trade orders |
| Stripe, Inc. | Payment processing, subscriptions | Name, email, payment method (card details handled directly by Stripe — never touch our servers) |
| Market Data Providers | Historical & real-time market data | None (we use our own API keys) |
| Authentication Service (Self-hosted) | Authentication | Email, password hash |
| Mailcow (Self-hosted) | Transactional email delivery | Email address, notification content |
| BENED Support (Self-hosted) | Customer support widget & live chat | Page URL, browser info, chat messages and transcripts |
5. Data Retention
| Data Type | Retention Period |
| Account information | Until account deletion + 30 days |
| API keys | Until you delete or revoke access |
| Trading history | 7 years (regulatory requirement) |
| Server logs | 90 days |
6. Your Rights
Depending on your location, you may have the following rights:
6.1 All Users
- Access: Request a complete copy of your data in a standard, machine-readable format
- Correction: Update inaccurate information
- Deletion: Delete your account and data. Deletion means actual deletion, not deactivation. Trading records required for regulatory compliance (7-year retention) may be retained as disclosed.
- Export: Download your trading history, agent configurations, and performance data
- API Key Revocation: Remove brokerage connections
- Opt Out: You may opt out of non-essential communications
All data requests will be fulfilled within 30 days. To exercise these rights, contact [email protected] or use the support widget.
6.2 California Residents (CCPA)
- Right to know what personal information is collected
- Right to delete personal information
- Right to opt-out of sale of personal information (we don't sell)
- Right to non-discrimination for exercising rights
6.3 EU/UK Residents (GDPR)
- Right to access, rectification, erasure
- Right to data portability
- Right to restrict processing
- Right to object to processing
- Right to withdraw consent
- Right to lodge complaint with supervisory authority
7. Cookies and Tracking
We use cookies and similar technologies to operate and improve the Service. For detailed information, see our Cookie Policy.
7.1 Cookie Categories
| Category | Purpose | Examples | Duration |
| Essential | Required for authentication, session management, and security. Cannot be disabled. | PHPSESSID, CSRF token, auth session | Session / 24 hours |
| Functional | Remembering preferences, sidebar state, display settings | Theme preference, agreement acceptance | 1 year |
We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies. You can control cookies through your browser settings, but disabling essential cookies may prevent you from using the Service.
8. Security Measures
- HTTPS encryption for all data transmission
- Regular security assessments and penetration testing
- Employee access controls and training
- Incident response procedures
- Regular backups with encryption
9. Third-Party Links
Our Service may contain links to third-party websites (e.g., Alpaca, educational resources). We are not responsible for their privacy practices. Review their policies before providing information.
10. Children's Privacy
Our Service is not intended for users under 18 years of age. We do not knowingly collect information from children. If you believe a child has provided us with personal information, please contact us.
11. International Transfers
Your information may be processed in countries other than your own. We ensure appropriate safeguards are in place for international transfers.
12. Changes to This Policy
12.1. When we update this Privacy Policy, you will be notified by email at least 30 days before changes take effect.
12.2. A summary of what changed will be provided with each update.
12.3. Previous versions will remain available for comparison.
12.4. You will be required to re-accept the updated policy before continuing to use the Service.
12.5. You may reject the new policy and close your account with full data export.
13. Contact Us
For privacy-related questions or to exercise your rights:
- Support widget available on the TradeCraft dashboard
- Email: [email protected]
- Company: BENED LLC, Glendale, AZ
For EU residents, our Data Protection Officer can be reached at: [email protected]