
PRIVACY POLICY

How we collect, use, and protect your data

1. Introduction

Tradavity ("we", "our", "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our trading journal application at app.tradavity.com and related services.

By using Tradavity, you agree to the collection and use of information in accordance with this policy. We comply with the EU General Data Protection Regulation (GDPR) and German data protection laws.

2. Data Controller

Tradavity
Philip Koch
c/o flexdienst – #20630
Kurt-Schumacher-Straße 76
67663 Kaiserslautern, Germany
Email: support@tradavity.com

3. Data We Collect

3.1 Account Information

  • Email address
  • Username
  • Password (stored hashed using bcrypt)
  • Google account ID (if using Google Sign-In)

3.2 Profile Information

  • Trading strategy description
  • Years of trading experience
  • Biography
  • Profile picture
  • Social media links (optional)

3.3 Trading Data

  • Trade entries (date, symbol, direction, quantity, P&L)
  • Journal entries and notes
  • Screenshots and images you upload
  • Trading account information (names, balances)
  • Strategy and setup configurations

3.4 Broker API Connections (Auto-Sync)

When you connect a broker account for automatic trade synchronization, we store the following depending on the broker:

  • Tradovate / NinjaTrader: An OAuth access token obtained through the broker's secure authentication page. We never receive or store your broker username or password. The OAuth token grants read-only access to your trade history and account information.
  • TopstepX: Your ProjectX API key and TopstepX username, stored encrypted using AES-256-CBC. These credentials are required to maintain a persistent connection, as TopstepX authentication tokens expire every 24 hours and must be refreshed using the original API key.

All stored credentials are encrypted at rest. You may disconnect your broker at any time through your account settings, which immediately and permanently deletes all stored tokens and credentials.

3.5 Usage Data

On each page load while you are logged in, we collect:

  • IP address
  • Browser type and version (user agent)
  • Pages visited and features used
  • Last login time and online status
  • Device information (device type, browser, operating system)
  • Approximate location (country and city) derived from your IP address at login

This includes a short-term, ordered history of the pages you visit within the app (with the timestamp, IP address, and browser of each visit), which we use for security, troubleshooting, and improving the platform. This page history is automatically deleted after 7 days and is purged immediately if you delete your account.

3.6 Search Queries

When you use the in-app search feature, we log your search query, the type and number of results returned, and a timestamp. If AI-powered search is used, the query and AI response are also logged for service improvement and caching.

3.7 Support Requests

When you submit a support request via our contact form, we collect your name, email address, and message content. Your IP address is also recorded for anti-abuse purposes.

3.8 Waitlist

If you sign up for our waitlist before creating an account, we collect your email address along with your IP address, browser information, and referrer URL for anti-abuse and analytics purposes.

3.9 Browser Extension API Keys

If you generate an API key for the Tradavity browser extension, the key is stored in your account. Only one key can be active at a time.

3.10 Payment Information

Payment processing is handled by Stripe. We store only:

  • Stripe customer ID
  • Subscription status and plan type
  • Invoice history (amounts, dates)

We do not store credit card numbers or full payment details.

3.11 Social Profiles & Friend Connections

Tradavity includes optional social features. Your profile (username, avatar, bio, headline, years trading, and — only if you choose to enable them — trading statistics, achievements, and trade history) can be shown to others according to your privacy settings.

  • Profile visibility can be set to Public (visible to anyone, including logged-out visitors, and potentially indexed by search engines), Friends (visible only to accepted friends), or Private (visible only to you). New accounts default to Friends, and trading statistics, achievements, and trade history are off by default — your performance figures are never shown unless you turn them on.
  • Any trading performance shown on a profile is redacted: presented as percentages, counts, and unitless ratios only. Absolute monetary amounts and account names are never displayed.
  • Friend connections: when you send, accept, or decline a friend request, we store the relationship (the two user IDs, type, status, and timestamps) so the connection works. Sending or accepting a request notifies the other user.
  • Search: your profile may appear in the in-app trader search unless you enable “Hide from search.” Private profiles never appear in search.

You control all of this at any time in Settings → Privacy: change visibility, hide from search, remove friends, or block other users. Removing a friend or blocking a user deletes the corresponding connection record.

3.12 Direct Messages

Friends can exchange private one-to-one messages. When you use Direct Messages we store the message text, any images you attach, the two participants, reactions you add, and read and timestamp information so the conversation works. Image metadata (EXIF, including any GPS location) is stripped from pictures on upload.

  • Access: conversations are private to the two participants. We do not read them in the ordinary course of business, but our operators may access a conversation where necessary to investigate a report, prevent abuse or fraud, maintain security, or comply with a legal obligation.
  • Reports: if you report a message, we store the report — the reason, your optional note, and a copy of the reported message — and share it with our moderation team so it can be reviewed and actioned.
  • Retention: messages are kept while your account is active. Deleting your account permanently removes your conversations, their images, and any related reports. You can block a user at any time to stop further messages.

4. How We Use Your Data

| Purpose | Legal Basis |
|---|---|
| Provide and maintain our service | Contract performance |
| Process payments and subscriptions | Contract performance |
| Send transactional emails (verification, password reset) | Contract performance |
| Send marketing communications | Consent (opt-out available) |
| Improve our services and user experience | Legitimate interest |
| Prevent fraud and ensure security | Legitimate interest |
| Comply with legal obligations | Legal obligation |

5. AI Features

Tradavity offers optional AI-powered features including text correction, smart formatting, note generation, in-app search, AI Chat (Tradavity AI), and Talk to Add (voice trade entry). When enabled:

  • Your journal text, trade data, or search query is sent to third-party AI providers for processing
  • For text correction: only the journal text you submit is sent — no personal identifiers
  • For note generation: trade context is included (symbol, direction, P&L, entry/exit prices)
  • For AI Chat: trade data, strategies, goals, and other selected context is sent based on your privacy controls
  • For Talk to Add: your speech is transcribed by your browser and only the resulting text is sent to the AI to structure into a trade — no audio is transmitted or stored by Tradavity. You review and approve every trade before it is saved.
  • For in-app search: your search query and relevant help doc snippets are sent
  • For AI Chat memory: a small, capped set of durable notes about your trading (such as goals, recurring mistakes, and preferences) is stored on Tradavity and included in future AI Chat sessions to personalize coaching. Memory is on by default once AI consent is granted. The AI proposes notes, but each is saved only after you approve it; you can view, edit, delete, or turn memory off at any time in Settings › AI. These notes are stored by Tradavity and are not used by the AI providers for training; they are deleted when you delete your account.
  • AI features require your explicit consent in Settings
  • You can revoke AI consent at any time in Settings

5.1 AI Providers

We use two AI providers:

  • OpenAI — powers text correction, note generation, search, and AI Chat (Fast & Smart models). Under our complimentary usage arrangement, data sent to OpenAI may be used to improve their models. See: openai.com/privacy
  • Anthropic — powers AI Chat (Balanced & Deep models). Anthropic does not use API data for model training. See: anthropic.com/privacy

Your username, email, password, account settings, and personal identifiers are never sent to any AI provider.

5.2 Bring Your Own Key (BYOK)

You may optionally provide your own API keys for OpenAI and/or Anthropic in Settings. When using your own key:

  • API calls are made using your key and billed directly to your provider account
  • Keys are encrypted at rest using AES-256-GCM before storage
  • We never display your full key — only the last 4 characters are shown
  • You can delete your stored keys at any time
  • We still track usage for your visibility but do not deduct from any Tradavity budget
  • Your key is used solely for making AI API calls on your behalf — never for any other purpose

6. Third-Party Services

6.1 Stripe (Payment Processing)

We use Stripe to process payments. When you subscribe, your payment information is sent directly to Stripe. See Stripe's privacy policy: stripe.com/privacy

6.2 Google OAuth

If you sign in with Google, we receive your email address, name, and profile picture from Google. See Google's privacy policy: policies.google.com/privacy

6.3 Google Fonts

We use Google Fonts to display web fonts. When you load a page, your browser connects to Google's servers (fonts.googleapis.com, fonts.gstatic.com) to retrieve font files. This transmits your IP address and browser information to Google. See Google's privacy policy: policies.google.com/privacy

6.4 IP Geolocation (ipwho.is)

When you log in, we use ipwho.is to determine the approximate location (country and city) associated with your IP address over an encrypted HTTPS connection. This information is displayed in your active sessions overview so you can detect unauthorized access. Only your IP address is sent to this service; no other personal data is transmitted.

6.5 Broker Auto-Sync Integrations

Tradavity connects to third-party trading platforms (Tradovate, NinjaTrader, TopstepX) to automatically import your trade history. These connections use each platform's official API and are limited to read-only access to your trade and account data. Tradavity does not place orders, execute trades, transfer funds, or modify your broker account in any way.

For Tradovate and NinjaTrader, authentication is handled via OAuth on the broker's secure website. For TopstepX, your API key and username are stored encrypted using AES-256-CBC encryption. All credentials are deleted immediately when you disconnect a broker. See Section 3.4 for details on stored data.

Tradavity is not affiliated with, endorsed by, or sponsored by any of these platforms. Use of broker integrations is subject to each platform's own Terms of Service. NinjaTrader® is a registered trademark of NinjaTrader Group, LLC.

6.6 Hosting (Hetzner Online GmbH)

Our servers are hosted by Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany. Hetzner processes data on our behalf as a data processor under a Data Processing Agreement (DPA). All servers are located in Germany. See Hetzner's privacy policy: hetzner.com/legal/privacy-policy

6.7 Email (Strato AG)

We use Strato AG as our email service provider for sending transactional and informational emails (e.g., account verification, password reset, subscription notifications). Strato processes email delivery on our behalf. Strato AG is based in Germany. See Strato's privacy policy: strato.de/datenschutz

7. Cookies

We use the following cookies:

| Cookie | Purpose | Duration |
|---|---|---|
| auth_session | Maintains your login session | Session / 30 days (remember me) |
| browser_timezone | Detects timezone during registration | 1 hour (auto-deleted) |
| PHPSESSID | Technical session (CSRF protection, flash messages) | Browser session |

You can manage cookie preferences in your Privacy Settings.

8. Data Retention

We retain your data for as long as your account is active. Specific retention periods:

  • Trading data (trades, journal entries, screenshots): Retained while your account is active. Free plan users: screenshots are archived after 6 months and trade data after 24 months. Archived data is hidden but recoverable for 30 days by upgrading to Pro. After 30 days, archived data is permanently deleted. When downgrading from Pro to Free, a 14-day grace period applies before retention limits take effect. Warning emails are sent before any archiving occurs.
  • Login history: Default 365 days (configurable in Settings)
  • Active sessions: Default 90 days (configurable in Settings)
  • Activity logs: Default 180 days (configurable in Settings)
  • Page visit history: Automatically deleted after 7 days
  • Search query logs: Retained for service improvement; deleted on account deletion
  • Support tickets: Retained until resolved and account deletion
  • Waitlist data: Retained until you create an account or request removal
  • AI Chat history: Retained while your account is active; deleted on account deletion
  • AI Chat memory (coaching notes): Retained while your account is active; deleted individually or in bulk by you at any time in Settings › AI, and removed on account deletion
  • AI API keys (BYOK): Encrypted at rest; permanently deleted immediately when you remove them or on account deletion
  • Billing records (invoices, subscriptions): Retained for 6 years after creation as required by German tax law (HGB § 257, AO § 147)
  • Billing technical logs (webhook events, email logs): Auto-deleted after 6 years

After account deletion, your personal data is permanently removed within 14 days (grace period for recovery). Billing records required for tax compliance are retained in anonymized form for the legally mandated period.

9. Your Rights (GDPR)

Under the GDPR, you have the right to:

  • Access (Art. 15) — Request a copy of your personal data
  • Rectification (Art. 16) — Correct inaccurate personal data
  • Erasure (Art. 17) — Request deletion of your data ("right to be forgotten")
  • Restriction (Art. 18) — Limit how we process your data
  • Portability (Art. 20) — Receive your data in a structured, commonly used, machine-readable format (CSV or JSON)
  • Objection (Art. 21) — Object to processing based on legitimate interest. You have an absolute right to object to direct marketing at any time.
  • Withdraw consent (Art. 7) — Revoke consent at any time without affecting the lawfulness of prior processing

We will respond to your request within one month of receipt (extendable by two months for complex requests, with notification). To exercise these rights, contact us at support@tradavity.com or use the account deletion feature in Settings.

Automated decision-making: We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you (Art. 22).

10. Data Security

We implement security measures including:

  • Password hashing using bcrypt
  • HTTPS encryption for all data transmission
  • Secure session tokens with HttpOnly and Secure flags
  • Two-factor authentication (2FA) option
  • Rate limiting on login attempts
  • AES-256-CBC encryption for stored broker API credentials
  • Regular security updates

11. International Transfers

Our servers and primary data processors (Hetzner, Strato) are located in Germany. However, some third-party services process data in the United States:

  • OpenAI (USA) — processes journal text, trade data, search queries, and Talk to Add voice transcripts (text only) when you use AI features
  • Anthropic (USA) — processes trade data when you use AI Chat (Balanced/Deep models)
  • Stripe (USA) — processes payment data when you subscribe
  • Google (USA) — processes authentication data if you use Google Sign-In, and receives IP/browser data via Google Fonts

These providers participate in the EU-U.S. Data Privacy Framework (DPF), which has been recognized by the European Commission as providing an adequate level of data protection (Adequacy Decision of 10 July 2023). Where the DPF does not apply, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as appropriate safeguards.

12. Children's Privacy

Tradavity is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If we become aware that we have collected data from a child, we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by email or through the application. Your continued use of Tradavity after changes constitutes acceptance of the updated policy.

14. Contact Us

For privacy-related inquiries or to exercise your rights:
Email: support@tradavity.com

You also have the right to lodge a complaint with a data protection supervisory authority. The competent authority for our business is:
Der Landesbeauftragte für den Datenschutz und die Informationsfreiheit Rheinland-Pfalz
Postfach 30 40, 55020 Mainz, Germany
Website: www.datenschutz.rlp.de

Last updated: May 2026