Back to home

Privacy Policy

Effective Date: May 14, 2026 Last Reviewed: May 14, 2026

Operator: TXTech Product: TradeMate Contact: support@yourtrademate.io


1. Introduction

TXTech ("we," "us," or "our") operates TradeMate, an AI-powered trading analytics and signal-generation platform accessible at yourtrademate.io and through related mobile and desktop applications (collectively, the "Service"). This Privacy Policy describes how we collect, use, disclose, retain, and protect personal information when you access or use the Service.

By creating an account or otherwise using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree to the practices described herein, you must discontinue use of the Service and may request deletion of your account in accordance with Section 8 of this Policy.

This Policy applies to all users of TradeMate worldwide. Additional rights and disclosures apply to:

  • Residents of the European Union and European Economic Area under Regulation (EU) 2016/679 (the General Data Protection Regulation, "GDPR").
  • Residents of California under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA").

Where jurisdiction-specific provisions apply, they are clearly identified throughout this document.

TXTech acts as the data controller for personal data processed through the Service. Our Data Protection contact is reachable at support@yourtrademate.io.


2. Data We Collect

We collect personal information that you provide directly, information generated through your use of the Service, and limited information received from third-party services you connect to TradeMate. We collect only what is necessary to operate and improve the Service.

2.1 Account Data

When you register for an account, we collect:

  • Full name — used to personalize your experience and identify your account.
  • Email address — used for authentication, account communications, and support.
  • Password (hashed) — we store a one-way cryptographic hash of your password using industry-standard algorithms (bcrypt or Argon2id). We never store your password in plaintext.
  • Account creation date and last login timestamp.
  • Subscription tier (Free, Pro, or Elite) and billing status.

2.2 Profile Data

After account creation, you may provide or the Service may generate:

  • Trading preferences — risk tolerance, asset classes of interest, preferred timeframes.
  • Notification settings — your choices regarding email alerts, push notifications, and signal delivery channels.
  • Interface preferences — theme selections, dashboard layout configurations, and display settings.
  • Time zone and locale settings.

This information is used solely to personalize the Service for you. It is not used for advertising profiling or sold to third parties.

2.3 Trading and Financial Data

TradeMate is an analytics and signal platform. We store metadata about your trading activity and strategy configurations, but we do not hold custody of, or direct access to, your brokerage account funds or positions. Specifically, we collect:

  • Strategy configurations — the parameters, rules, and settings you define for AI-assisted signal generation (e.g., indicator thresholds, entry/exit criteria, position sizing rules).
  • Portfolio snapshots — periodic summaries of portfolio value, allocation, and performance metrics transmitted from connected broker APIs. These are read-only data points for analytics purposes.
  • Trade signals — AI-generated buy, sell, and hold recommendations produced by TradeMate's analysis engine, including the inputs and reasoning metadata associated with each signal.
  • Backtesting results — historical simulation outputs produced when you test strategies against historical market data.
  • Paper trading records — simulated trade records generated within TradeMate's paper trading environment (Free tier). These are entirely simulated and do not reflect real monetary transactions.

We do not store brokerage account credentials (usernames or passwords) for any external broker. Broker connectivity is managed exclusively through OAuth tokens or read-only API keys as described in Section 2.5.

2.4 Broker Connection Tokens

To enable integration with supported brokerages (currently including supported third-party brokerage providers), you may authorize TradeMate to access your brokerage account via OAuth 2.0 or an API key mechanism provided by the broker. We store:

  • OAuth refresh tokens and access tokens, or API key/secret pairs, depending on the broker's supported authentication method.
  • These credentials are encrypted at rest using AES-256 encryption. Encryption keys are stored separately from the encrypted data and are managed through a secrets management system.
  • Tokens are used exclusively to retrieve market data, account metadata, and portfolio position summaries required to deliver the Service. We do not use these tokens to execute trades without your explicit instruction.
  • You may revoke broker connections at any time from your account settings, which triggers deletion of the associated tokens from our systems.

2.5 Usage Data

We automatically collect technical and behavioral data when you interact with the Service:

  • Log data — IP address, browser or client type and version, operating system, device identifiers, pages or screens visited, timestamps of requests, HTTP status codes, and referrer URLs.
  • Feature usage metrics — which features of the Service you interact with, frequency of use, duration of sessions, and actions taken within the platform (e.g., signals viewed, strategies created, backtests run).
  • Performance metrics — API response times, error rates, and other technical telemetry used to diagnose problems and improve reliability.
  • Session identifiers — pseudonymous tokens used to associate a sequence of requests with a single authenticated session.

Usage data is collected in aggregate and pseudonymous forms where possible. Log data containing IP addresses is subject to the retention limits described in Section 7.

2.6 Communications Data

When you contact us for support, report a bug, or communicate with us through any channel, we collect:

  • The content of your messages, emails, or support tickets.
  • Your email address or other contact information provided in the communication.
  • Metadata about the communication (date, time, channel).

We use this information to respond to your inquiry, improve support quality, and fulfill legal obligations. We do not use support communications for marketing purposes without your consent.


3. How We Use Your Data

We use the personal information we collect for the following purposes:

3.1 Service Delivery

We use account data, profile data, trading/financial data, and broker connection tokens to:

  • Authenticate your identity and maintain your session.
  • Provide AI-generated trading signals and analytics tailored to your strategy configurations.
  • Display portfolio performance metrics and historical analytics.
  • Execute paper trades in our simulated environment (Free tier).
  • Facilitate connectivity with supported brokerages.
  • Process subscription payments and manage your billing relationship.

This processing is necessary for the performance of the contract between you and TXTech (GDPR Article 6(1)(b)).

3.2 Personalization of AI Analysis

We use your trading history, strategy configurations, portfolio snapshots, and stated preferences to personalize the AI models' outputs, including refining signal relevance and improving recommendations over time. This processing is based on our legitimate interest in providing a higher-quality, contextually aware service (GDPR Article 6(1)(f)), balanced against your privacy rights.

We do not use your personal data to train shared foundational AI models that are made available to other users. Your data is used only to contextualize analysis within your own account.

3.3 Security, Fraud Prevention, and Platform Integrity

We use log data, session identifiers, IP addresses, and account data to:

  • Detect and prevent unauthorized access, account takeovers, and fraudulent activity.
  • Identify and mitigate abusive behavior, including attempts to circumvent usage limits or exploit the platform.
  • Conduct security monitoring and incident response.
  • Enforce our Terms of Service.

This processing is based on our legitimate interests in maintaining a secure and trustworthy platform (GDPR Article 6(1)(f)).

3.4 Legal Compliance

We may process personal data where required by applicable law, including:

  • Complying with tax, accounting, and financial recordkeeping obligations.
  • Responding to lawful requests from courts, regulators, or government authorities.
  • Fulfilling anti-money laundering (AML) and know-your-customer (KYC) obligations where applicable.
  • Establishing, exercising, or defending legal claims.

This processing is based on compliance with a legal obligation (GDPR Article 6(1)(c)) or, where appropriate, the protection of vital interests or the exercise of official authority.

3.5 Service Communications

We use your email address to send you:

  • Transactional messages — account confirmations, password reset emails, billing receipts, and security alerts. These are necessary for the operation of the Service and cannot be opted out of while your account is active.
  • Service announcements — material changes to the Service, including updates to these legal documents, scheduled downtime, and new feature releases. These are sent based on our legitimate interest in keeping users informed.

3.6 Marketing Communications (Consent-Based Only)

With your explicit consent, we may send you:

  • Newsletters, product updates, and promotional content about TradeMate features.
  • Information about new tiers, pricing changes, or third-party educational resources.

You may withdraw consent for marketing communications at any time by clicking "unsubscribe" in any marketing email or by contacting us at support@yourtrademate.io. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.


4. Legal Basis for Processing (GDPR)

This section applies to users in the European Union and European Economic Area. We identify the lawful basis under GDPR Article 6 for each category of processing below:

Processing ActivityLawful BasisGDPR Provision
Account creation and authenticationPerformance of a contractArticle 6(1)(b)
Delivering trading analytics and signalsPerformance of a contractArticle 6(1)(b)
Broker token storage and integrationPerformance of a contractArticle 6(1)(b)
Payment processing and billingPerformance of a contract + legal obligationArticle 6(1)(b) + 6(1)(c)
AI personalization of analysisLegitimate interestsArticle 6(1)(f)
Security monitoring and fraud preventionLegitimate interestsArticle 6(1)(f)
Usage analytics and performance telemetryLegitimate interestsArticle 6(1)(f)
Tax and financial recordkeepingLegal obligationArticle 6(1)(c)
Responding to legal/regulatory requestsLegal obligationArticle 6(1)(c)
Marketing and promotional communicationsConsentArticle 6(1)(a)
Transactional service emailsLegitimate interests / contractArticle 6(1)(b) + 6(1)(f)

Where we rely on legitimate interests as our lawful basis, we have conducted a balancing test and determined that our interests do not override your fundamental rights and freedoms. You have the right to object to such processing at any time (see Section 8.1).

Where we rely on consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing based on consent before withdrawal.


5. Data Sharing and Disclosure

We do not sell, rent, or trade your personal information to third parties for their own marketing or commercial purposes. We share personal data only in the limited circumstances described below.

5.1 Sub-Processors

We engage carefully selected third-party service providers ("sub-processors") to help deliver the Service. These providers process personal data only on our instructions and are bound by contractual obligations (including Data Processing Agreements where required by GDPR) that prohibit them from using your data for any other purpose. Our current sub-processors are:

Sub-processorJurisdictionPurpose
Hetzner Online GmbHGermany (EU)Cloud infrastructure hosting the application, database, and primary data storage
Supported third-party brokerage providersUnited StatesBrokerage connectivity for trading integrations
Dodo PaymentsUnited StatesPayment processing and subscription management
Anthropic PBCUnited StatesLarge language model AI processing (Elite tier users only)
Amazon Web ServicesUnited StatesTransactional email delivery (Amazon SES)
Cloudflare Inc.United StatesDNS resolution, content delivery network, and DDoS protection

A detailed sub-processor list, including data categories transferred to each, is maintained at Sub-processor Policy. We will provide notice at least 30 days before adding a new sub-processor that processes personal data.

5.2 Legal Disclosures

We may disclose personal data when we believe in good faith that disclosure is required or permitted by applicable law, including:

  • In response to a valid subpoena, court order, or other lawful legal process.
  • To comply with requests from law enforcement or regulatory bodies.
  • To protect the rights, property, or safety of TXTech, our users, or the public.
  • To investigate suspected violations of our Terms of Service.

Where legally permissible, we will notify you before disclosing your personal data in response to a legal request.

5.3 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a substantial portion of our assets, personal data held by us may be transferred to a successor entity as part of that transaction. We will provide notice of any such transfer via email and/or prominent notice on our website, and the successor will be required to honor the commitments made in this Privacy Policy or provide a materially equivalent level of protection.

5.4 Aggregated and De-identified Data

We may share aggregated, anonymized, or de-identified data — data that cannot reasonably be used to identify you — with third parties for research, analytics, or marketing purposes. This data is not personal data and is not subject to this Privacy Policy.


6. International Data Transfers

TradeMate's primary infrastructure is hosted by Hetzner Online GmbH in Germany, within the European Union. For EU/EEA users, this means your primary data storage remains within the EEA.

However, certain sub-processors are located in the United States, a country that the European Commission has not fully recognized as providing an adequate level of data protection equivalent to the EEA for all data transfers. Where personal data is transferred from the EEA to the United States or other third countries, we rely on the following safeguards:

  • Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as a transfer mechanism for transfers to sub-processors in the United States and other third countries. Copies of applicable SCCs are available upon request.
  • EU-U.S. Data Privacy Framework: Where sub-processors participate in the EU-U.S. Data Privacy Framework (or its successor mechanisms), we rely on that framework as an additional or alternative transfer basis.

You may request information about the specific transfer mechanisms applied to transfers involving your personal data by contacting us at support@yourtrademate.io.


7. Data Retention

We retain personal data for the minimum period necessary to fulfill the purposes for which it was collected, to comply with our legal obligations, and to resolve disputes. Our specific retention periods are:

Data CategoryRetention PeriodBasis
Account data (name, email, preferences)Duration of active account + 30 days after account deletionContract performance; deletion upon request
Broker connection tokensUntil you revoke the connection, or within 24 hours of account deletionContract performance; minimum necessary
Trading/financial data (strategy configs, signals, portfolio snapshots, trade records)7 years from date of creation or last modificationLegal and regulatory recordkeeping obligations (IRS, financial compliance)
Backtesting and paper trading recordsDuration of active account + 30 daysContract performance
Usage and application logs (including IP addresses)90 days from collectionLegitimate interests in security and debugging
Communications (support emails, tickets)3 years from the date of the last communicationLegitimate interests in service improvement; legal claims
Billing and payment records7 yearsTax and accounting legal obligations

Following the expiration of any applicable retention period, data is securely deleted or irreversibly anonymized.

If you request deletion of your account, we will delete or anonymize your account data, profile data, and broker tokens within 30 days of confirming the request. Financial data subject to mandatory 7-year retention will be retained in a restricted state solely for legal compliance purposes, with access strictly limited, and will be deleted at the end of that retention period.


8. Your Rights and How to Exercise Them

8.1 Rights of EU/EEA Residents Under GDPR

If you are located in the European Union or European Economic Area, you have the following rights under the GDPR:

Right of Access (Article 15) You have the right to obtain confirmation of whether we process personal data about you and, if so, to receive a copy of that data along with information about how it is processed.

Right to Rectification (Article 16) You have the right to request correction of inaccurate personal data and completion of incomplete personal data held about you.

Right to Erasure / "Right to Be Forgotten" (Article 17) You have the right to request deletion of your personal data where: (a) the data is no longer necessary for the purposes for which it was collected; (b) you withdraw consent and there is no other lawful basis; (c) you object to processing and there are no overriding legitimate grounds; (d) the data was unlawfully processed; or (e) deletion is required by EU or Member State law. This right is subject to exceptions, including where processing is necessary for legal compliance or the establishment, exercise, or defense of legal claims.

Right to Restriction of Processing (Article 18) You have the right to request that we restrict processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or have objected to processing.

Right to Data Portability (Article 20) Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format (JSON or CSV), and to have that data transmitted directly to another controller where technically feasible.

Right to Object (Article 21) You have the right to object, on grounds relating to your particular situation, to processing of your personal data that is based on our legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or processing is necessary for legal claims. You have an unconditional right to object to processing of your personal data for direct marketing purposes.

Right to Withdraw Consent (Article 7(3)) Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Right to Lodge a Complaint You have the right to lodge a complaint with the supervisory authority in your EU Member State of habitual residence, place of work, or the place of the alleged infringement. In Germany (where our primary infrastructure is hosted), the relevant authority is the Bayerisches Landesamt fur Datenschutzaufsicht (BayLDA) or the relevant Landesbehorde for your region. You may also contact the Irish Data Protection Commission or your local supervisory authority.

8.2 Rights of California Residents Under CCPA/CPRA

If you are a California resident, you have the following rights under the CCPA/CPRA:

Right to Know You have the right to request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which the personal information was collected; (c) the business or commercial purpose for collecting personal information; (d) the categories of third parties with whom we share personal information; and (e) the specific pieces of personal information we have collected about you.

Right to Delete You have the right to request that we delete personal information we have collected from you, subject to certain exceptions (including where retention is necessary to complete the transaction, detect security incidents, comply with a legal obligation, or enable internal uses reasonably aligned with your expectations).

Right to Correct You have the right to request correction of inaccurate personal information maintained about you.

Right to Opt-Out of Sale or Sharing TXTech does not sell personal information within the meaning of the CCPA, nor do we share personal information for cross-context behavioral advertising. You are not required to opt out of any sale because no sale occurs.

Right to Limit Use of Sensitive Personal Information To the extent we process sensitive personal information (as defined under CPRA), you have the right to limit such use to purposes necessary to perform the Service.

Right to Non-Discrimination We will not discriminate against you for exercising any of your CCPA/CPRA rights. This means we will not: deny you goods or services; charge you different prices; provide a different level of quality of goods or services; or suggest that you may receive a different price or quality of goods because you exercised your rights.

Authorized Agent You may designate an authorized agent to make a CCPA request on your behalf. We may require verification of the agent's authorization and your identity before processing such requests.

8.3 How to Exercise Your Rights

To exercise any of the rights described above, please contact us using one of the following methods:

  • Email: support@yourtrademate.io (please include "Privacy Rights Request" in the subject line)
  • Account Settings: Certain rights (data export, notification preferences, account deletion) may be exercised directly through your account settings dashboard.

We will acknowledge receipt of your request within 5 business days and respond substantively within:

  • GDPR requests: 30 calendar days of receiving a verifiable request. We may extend this by an additional 60 days in complex or numerous cases, with notification.
  • CCPA requests: 45 calendar days of receiving a verifiable request. We may extend by an additional 45 days in certain circumstances.

We may ask you to verify your identity before processing your request. Identity verification is a reasonable precaution to protect your data from unauthorized access or deletion.

We do not charge a fee for processing rights requests unless a request is manifestly unfounded or excessive. In such cases, we may charge a reasonable administrative fee or decline the request, with explanation.


9. Security

TXTech implements appropriate technical and organizational measures to protect your personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:

  • Encryption at rest: All stored personal data, including broker connection tokens, is encrypted at rest using AES-256 encryption. Encryption keys are managed separately from stored data.
  • Encryption in transit: All data transmitted between your browser or application and our servers is protected using Transport Layer Security (TLS 1.2 or TLS 1.3). Unencrypted HTTP connections are automatically redirected to HTTPS.
  • Access controls: Access to production systems and personal data is restricted to authorized personnel on a need-to-know basis. We use multi-factor authentication for all administrative access to production infrastructure.
  • Audit logging: Access to and modifications of personal data are recorded in tamper-resistant audit logs retained for 90 days.
  • Vulnerability management: We conduct regular security reviews and apply security patches to our infrastructure in a timely manner.
  • Incident response: We maintain a documented incident response procedure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the applicable supervisory authority within 72 hours of becoming aware and, where required, notify affected users without undue delay.

No security measure is 100% effective. While we strive to protect your personal data, we cannot guarantee the security of information transmitted to or from our Service. You are responsible for maintaining the confidentiality of your account credentials and for any activities that occur under your account.


10. Children's Privacy

TradeMate is not directed at individuals under the age of 18 ("minors"). We do not knowingly collect, process, or retain personal information from minors. Our registration process requires users to confirm they are at least 18 years of age.

If we become aware that we have inadvertently collected personal data from a minor without verifiable parental consent, we will take immediate steps to delete that information from our records. If you believe that a minor has provided us with personal data, please contact us immediately at support@yourtrademate.io.


11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, regulatory requirements, or service offerings. When we make changes, we will:

  • Update the "Last Reviewed" date at the top of this document.
  • Post the revised Policy at the canonical URL for this document (yourtrademate.io/legal/privacy-policy).
  • For material changes — those that significantly affect your rights or how we use your data — we will provide additional notice via:
    • Email to the address associated with your account, at least 30 days before the changes take effect.
    • A prominent notice within the Service interface.

Your continued use of the Service after the effective date of any revised Privacy Policy constitutes your acceptance of the updated terms. If you do not agree to the revised Policy, you may close your account and request deletion of your data as described in Section 8.


12. Contact and Data Controller Information

TXTech is the data controller for personal data processed through TradeMate.

For questions, concerns, or requests relating to this Privacy Policy or our data practices, please contact:

TXTech — TradeMate Privacy Email: support@yourtrademate.io Subject line: "Privacy Policy Inquiry" or "Privacy Rights Request"

We aim to respond to all privacy-related inquiries within 5 business days.

EU Representative (GDPR Article 27) As TradeMate processes personal data of individuals in the EU and our primary infrastructure is located within the EU (Germany), we operate under GDPR as a data controller established within the EU through our Hetzner-hosted infrastructure. For formal GDPR correspondence from EU/EEA supervisory authorities, please direct communications to support@yourtrademate.io.


This Privacy Policy was drafted to comply with the General Data Protection Regulation (EU) 2016/679, the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq.) as amended by the California Privacy Rights Act, and applicable Texas state privacy law. It does not constitute legal advice. TXTech recommends that users seek independent legal counsel if they have specific questions about their rights or obligations.