Privacy Policy

Last updated: March 28, 2026

1. Introduction

Tradoki ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our educational trading platform. This policy complies with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and applicable data protection laws.

2. Data Controller

The data controller for your personal data is Bunny Honey Club AI SRL, operating the Tradoki platform. For data protection inquiries, contact us at privacy@tradoki.com.

3. Data We Collect

3.1 Account Data

Email address, hashed password (managed by Supabase Auth), account creation date, subscription tier.

3.2 User-Generated Content

Chart images you upload for analysis, journal entries (trade data, notes, emotion tags), trading rules and pre-trade checklists, AI conversation history, learning progress and quiz results.

3.3 Usage Data

AI usage logs (feature used, model, token counts, estimated cost), API request timestamps for rate limiting, feature usage counts for tier enforcement.

3.4 Waitlist Data

If you join our waitlist: email address and selected pricing tier. This data is collected without requiring an account.

4. How We Use Your Data

  • Service delivery: To provide chart analyses, AI conversations, journal functionality, and learning content.
  • AI processing: Chart images and conversation text are sent to Anthropic (Claude) for analysis. See Section 6 for details.
  • Behavioral insights: Your journal data is analyzed by AI to generate personalized trading pattern insights. This processing happens only at your request.
  • Usage enforcement: To track usage against your subscription tier limits.
  • Service improvement: Anonymized, aggregated data may be used to improve the platform.
  • Communication: To send essential service notifications. We do not send marketing emails without explicit consent.

5. Legal Basis for Processing (GDPR Article 6)

  • Contract performance (Art. 6(1)(b)): Processing necessary to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Usage analytics, security, fraud prevention.
  • Consent (Art. 6(1)(a)): Waitlist signup, marketing communications (if any).

6. Third-Party Data Processors

Supabase (Database & Auth)

Stores your account data, journal entries, and all user content. Data is encrypted at rest and in transit. Row Level Security ensures only you can access your data. Supabase complies with GDPR and hosts data in EU regions when configured.

Anthropic (AI Processing)

Chart images and conversation messages are processed by Anthropic's Claude models to generate educational analyses. Anthropic's data retention and processing policies apply. We use the API tier, which does not use your data for model training.

Vercel (Hosting)

The application is hosted on Vercel. Standard server logs (IP addresses, request metadata) are retained according to Vercel's privacy policy.

7. Data Retention

  • Account data: Retained until you delete your account.
  • Journal entries: Retained until you delete them or your account.
  • Chart images: Stored in Supabase Storage until you delete them or your account.
  • AI interaction logs: Retained for up to 90 days for audit purposes, then deleted.
  • Usage tracking data: Daily/monthly counters are retained for 12 months.
  • Waitlist emails: Retained until the waitlist program concludes or you request deletion.

8. Your Rights (GDPR Chapter III)

Under the GDPR, you have the following rights regarding your personal data:

Access (Art. 15)

Request a copy of all personal data we hold about you.

Rectification (Art. 16)

Correct inaccurate or incomplete personal data.

Erasure (Art. 17)

Request deletion of your personal data ("right to be forgotten").

Portability (Art. 20)

Receive your data in a structured, machine-readable format.

Restriction (Art. 18)

Restrict processing of your data in certain circumstances.

Objection (Art. 21)

Object to processing based on legitimate interests.

To exercise any of these rights, contact us at privacy@tradoki.com. We will respond within 30 days.

9. Data Security

We implement appropriate technical and organizational measures to protect your data, including: encryption at rest and in transit (TLS 1.3), Row Level Security on all database tables ensuring data isolation between users, secure authentication via Supabase Auth with bcrypt password hashing, and regular security reviews. However, no method of electronic storage or transmission is 100% secure.

10. International Data Transfers

Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States (where Anthropic and Vercel operate). Such transfers are protected by Standard Contractual Clauses (SCCs) or other appropriate safeguards as required by GDPR Chapter V.

11. Cookies and Tracking

We use essential cookies for authentication (session tokens managed by Supabase Auth) and a cookie consent preference cookie. We do not use third-party advertising trackers or social media pixels. A cookie consent banner is displayed on first visit. If you decline cookies, no optional analytics scripts will be loaded.

12. Children's Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from minors. If we become aware that we have collected data from a person under 18, we will delete that data promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "last updated" date at the top of this page indicates when the policy was last revised.

14. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

15. Contact

For any privacy-related questions or to exercise your data rights, contact us at privacy@tradoki.com.

Tradoki is an educational tool only. Not financial advice. Your data is protected by GDPR and Row Level Security.