Privacy Policy

1. Introduction

Tradero ("we," "our," or "us") operates a cloud-based automated cryptocurrency trading platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform.

This policy complies with the EU General Data Protection Regulation (GDPR), UK GDPR, California Consumer Privacy Act (CCPA), Canada's PIPEDA, Singapore's PDPA, Australia's Privacy Act, and Japan's APPI.

2. Information We Collect

2.1 Personal Information

• Email address and account credentials
• Subscription and billing information
• Exchange API keys (encrypted at rest with AES-256-GCM)
• Trading bot configurations and strategy parameters
• IP address and device information

2.2 Trading Data

• Bot execution logs and trade history
• Performance metrics (PnL, win rate, position data)
• AI signal analysis results and agent consensus data
• Real-time market data feeds from connected exchanges

2.3 Data We Do NOT Collect

• We do NOT store API secrets in plain text — all keys are AES-256-GCM encrypted
• We do NOT access or trade with your exchange funds directly
• We do NOT sell personal data to third parties
• We do NOT use your data for advertising purposes

3. How We Use Your Information

• Operate and maintain your trading bots in isolated Docker containers
• Process trades through your connected exchange accounts
• Provide real-time analytics and performance dashboards
• Send service-related notifications (bot status, errors, security alerts)
• Improve our AI signal advisor and strategy algorithms
• Comply with legal obligations and enforce our Terms of Service

4. Data Storage & Security

Encryption: All API credentials are encrypted using AES-256-GCM before storage. Encryption keys are managed separately from encrypted data.

Isolation: Each user's bot runs in a dedicated, isolated Docker container. Your trading data is never mixed with other users' data.

Infrastructure: Data is stored in secure PostgreSQL databases with role-based access control. All data in transit is encrypted via TLS 1.3.

Retention: We retain trading data for as long as your account is active. Upon account deletion, all personal data is permanently erased within 30 days, as required by GDPR Article 17.

5. Your Rights by Jurisdiction

5.1 European Union & UK (GDPR)

• Right of Access (Article 15): Request a copy of your personal data
• Right to Rectification (Article 16): Correct inaccurate data
• Right to Erasure (Article 17): Request deletion of your data ("right to be forgotten")
• Right to Portability (Article 20): Receive your data in a machine-readable format
• Right to Object (Article 21): Object to data processing
• Right to Restrict Processing (Article 18): Limit how we use your data

5.2 United States

California (CCPA/CPRA):

• Right to know what personal information is collected
• Right to delete personal information
• Right to opt-out of the sale of personal information (we do not sell data)
• Right to non-discrimination for exercising CCPA rights
• Right to correct inaccurate personal information

Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA):

Similar rights to access, correct, delete, and port your data are available to residents of these states.

5.3 Canada (PIPEDA)

Canadian users have the right to access, correct, and challenge the accuracy of their personal information. You may also withdraw consent for data processing at any time.

5.4 Asia-Pacific

Singapore (PDPA):

Right to access and correct personal data. Right to withdraw consent for data collection and use.

Australia (Privacy Act 1988):

Right to access and correct personal information. Right to complain to the OAIC if you believe your privacy has been breached.

Japan (APPI):

Right to request disclosure, correction, and suspension of use of personal data.

6. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We may share data only in the following circumstances:

• Service Providers: Hosting infrastructure (Dokploy, Docker), payment processing (NOWPayments), and email delivery services — all under data processing agreements
• Exchanges: Your API credentials are used only to connect to your exchange account. We do not share credentials with any third party.
• Legal Requirements: When required by law, subpoena, or to protect our legal rights
• Business Transfers: In connection with a merger, acquisition, or sale of assets — with notice to users

7. Cookies & Tracking

We use essential cookies for authentication and session management. We do NOT use advertising cookies, analytics trackers, or third-party tracking pixels.

You can disable cookies in your browser settings, but this may affect your ability to use the platform.

8. Children's Privacy

Our platform is not intended for users under the age of 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us immediately and we will take steps to delete such information.

9. International Data Transfers

Your data may be processed in jurisdictions outside your country of residence. We ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) for EU/UK data transfers
• Adequacy decisions where applicable
• Binding Corporate Rules for internal transfers

10. Data Breach Notification

In the event of a data breach, we will notify affected users and relevant supervisory authorities within 72 hours, as required by GDPR Article 33 and equivalent regulations worldwide.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by email or through a notice on our platform. Your continued use of the platform after changes constitutes acceptance of the updated policy.

12. Contact Us

For privacy-related inquiries or to exercise your rights:

• Email: privacy@tradero.io
• Support: /support

EU Representative: For EU users, you may also contact our designated EU representative at eu-rep@tradero.io