Privacy Policy

Information you provide

• Account information: Email address, password, or OAuth credentials (Google, Discord). When you sign in with Google, we receive your email address and profile name from your Google account. Required for signup and login.
• Trading data: Trades, notes, setups, strategies, and tags you enter into the journal.
• Payment information: Billing details processed by Stripe. We never see or store card numbers.
• Communications: Messages you send through our contact form or support chat.

Information collected automatically

• Usage analytics: Anonymous product analytics via PostHog (page views, feature usage). No session recording. Can be disabled in Settings > Privacy.
• Device information: Browser type, operating system, and screen size for rendering the application correctly.
• Local storage: We use browser localStorage (not cookies) to cache trade data for offline access, store app preferences, and maintain authentication tokens.

• Provide the service: Store and sync your trades, generate analytics, and deliver AI insights when requested.
• Process payments: Manage subscriptions through Stripe.
• Improve the product: Understand which features are used (via anonymous analytics) to prioritize development.
• Communicate: Send account-related notifications (password resets, billing updates). No marketing emails without consent.
• Legal compliance: Respond to legal requests and enforce our Terms of Service.

TradeRitual offers optional AI-powered trading insights ("AI Insights"). This feature requires explicit opt-in consent before any data is sent.

Data sent to AI

• Performance statistics (P&L, win rate, streaks, profit factor)
• Your last 20 trades (symbol, entry/exit prices, strategy, side, asset type)
• Strategy and symbol performance breakdowns
• Truncated comments and notes (max 200 characters per trade)

Data never sent to AI

• Passwords, authentication tokens, or email address
• Attachments, screenshots, or brokerage credentials

AI provider

AI processing is performed by Groq under their standard terms of service. Groq processes data solely to generate responses to your queries.

AI/ML model training disclosure

Your data is not used to train AI or machine learning models. Data sent to AI Insights is used only to generate your requested analysis and is not retained for training purposes by TradeRitual or Groq.

Consent and control

AI Insights requires explicit consent before first use via an in-app dialog. You can revoke consent anytime in Settings > Privacy. Data is only sent when you actively use the AI chat feature.

We do not sell your personal data. We share data only with the following service providers who process it on our behalf:

• Google — OAuth sign-in; we receive your email and profile name (privacy policy)
• Supabase — Database and authentication (privacy policy)
• Stripe — Payment processing (privacy policy)
• PostHog — Anonymous analytics, opt-out available (privacy policy)
• Groq — AI processing, opt-in only (privacy policy)
• Tawk.to — Live chat support (privacy policy)

We may also disclose data when required by law, to protect our rights, or in connection with a merger or acquisition.

We process your personal data under the following legal bases (GDPR Article 6):

• Contract performance: Processing necessary to provide the service you signed up for (account, trades, sync).
• Legitimate interest: Anonymous analytics to improve the product, security monitoring, fraud prevention.
• Consent: AI data processing, marketing communications. You can withdraw consent at any time.
• Legal obligation: Compliance with applicable laws and regulations.

Security

• All data transmitted over HTTPS/TLS. Database encrypted at rest.
• Database hosted on Supabase (PostgreSQL on AWS infrastructure).
• Payment processing by Stripe with PCI DSS compliance.
• Authentication via Supabase Auth (email/password, Discord OAuth, magic link).

Retention

• Active accounts: Data retained while your account is active.
• Inactive accounts: Data retained for up to 3 years so you can return.
• Deletion: You can delete your account and all data instantly in Settings > Privacy.
• Terminated accounts: Data deleted within 30 days of termination.

Your data may be transferred to and processed in the United States through our service providers (Supabase/AWS, Stripe, Groq, PostHog). These transfers are necessary to provide the service. Where required, we rely on Standard Contractual Clauses or equivalent safeguards to protect data transferred outside the EEA.

You can exercise the following rights directly in the app (Settings > Privacy) or by contacting us:

• Access and export: Download all your data in standard formats.
• Rectification: Correct any inaccurate data.
• Deletion: Delete your account and all cloud data instantly.
• Restrict processing: Limit how we use your data.
• Data portability: Receive your data in a structured, machine-readable format.
• Object: Object to processing based on legitimate interests.
• Withdraw consent: Revoke AI data consent or analytics at any time.

California (CCPA)

California residents may request disclosure of data collected and opt out of the "sale" of personal information. We do not sell personal data.

TradeRitual is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us data, contact us and we will delete it promptly.

TradeRitual uses Google OAuth for sign-in. We access your Google account email address and basic profile information solely to create and authenticate your TradeRitual account. We do not access any other Google data (contacts, calendar, drive, etc.).

TradeRitual's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We do not use Google user data to develop, improve, or train generalized AI or machine learning models. Google user data is used solely for authenticating your account.

We may update this policy from time to time. Material changes will be communicated via email (if you have an account) or a prominent notice on the site. Continued use after changes constitutes acceptance. The "Effective" date at the top reflects the latest revision.