Privacy Policy
Last updated: March 31, 2026
1. Introduction
Tradoki ("we", "us", "our"), operated by Bunny Honey Club SRL, a company registered in Romania, is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use the Tradoki platform ("Service").
This policy complies with the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), the Romanian Data Protection Law (Law No. 190/2018), and other applicable data protection legislation.
2. Data Controller
Bunny Honey Club SRL
Bucharest, Romania
Data Protection Contact: support@tradoki.com
We are the data controller for all personal data processed through the Tradoki platform.
3. Data We Collect
3.1 Account Data
- Email address
- Password (stored as a cryptographic hash — we never have access to your plaintext password)
- Display name (if set)
- Account creation date
- Authentication provider (email or Google OAuth)
- Google profile name (if you sign in via Google)
- Subscription tier and billing cycle
- Stripe customer ID (for payment processing)
3.2 User-Generated Content
- Chart images and screenshots you upload for AI analysis
- Trade journal entries (asset, direction, prices, P&L, notes, emotion tags, strategy tags)
- Before/after trade screenshots
- AI sparring conversation history
- Pre-trade checklist rules and completion logs
- Learning module progress, quiz answers, and scores
- News watchlist terms
- Creator program applications
- Display name for the leaderboard
3.3 Usage and Activity Data
- AI usage logs (feature used, AI model, token counts, timestamps)
- Rate limiting counters (daily/monthly usage per feature)
- Points, levels, badges, and streak data (gamification system)
- Referral relationships (who referred whom — not conversation content)
- Login timestamps and session data
- Feature interaction patterns (pages visited, buttons clicked — no content tracking)
3.4 Technical Data
- IP address (logged by hosting infrastructure)
- Browser type and version
- Device type and operating system
- Referral URL
3.5 Telegram Data (if linked)
- Telegram user ID
- Telegram chat ID
- Messages and images you send to the Tradoki Telegram bot
- Account linking status
3.6 Payment Data
Payment processing is handled entirely by Stripe. We do NOT receive or store your credit card number, CVV, or full card details. We only receive from Stripe: a customer ID, subscription status, payment success/failure status, and billing email.
4. How We Use Your Data
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Providing the Service | Account data, user-generated content | Contract performance (Art. 6(1)(b)) |
| AI processing of chart images and conversations | Uploaded images, conversation text | Contract performance (Art. 6(1)(b)) |
| AI behavioral insights from journal data | Journal entries, emotion tags, trade outcomes | Contract performance (Art. 6(1)(b)) — at your request |
| Subscription management and billing | Account data, Stripe customer ID | Contract performance (Art. 6(1)(b)) |
| Enforcing subscription tier usage limits | Usage counters | Contract performance (Art. 6(1)(b)) |
| Gamification (points, levels, leaderboard) | Activity data, display name | Legitimate interest (Art. 6(1)(f)) |
| Referral program tracking | Referral codes, user relationships | Consent (Art. 6(1)(a)) |
| Telegram bot functionality | Telegram user ID, bot messages | Consent (Art. 6(1)(a)) |
| Transactional emails | Email address | Contract performance (Art. 6(1)(b)) |
| News watchlist notifications | Email address, watchlist terms | Consent (Art. 6(1)(a)) |
| Security, fraud prevention | IP address, usage patterns, technical data | Legitimate interest (Art. 6(1)(f)) |
| Service improvement and bug fixing | Anonymized, aggregated usage statistics | Legitimate interest (Art. 6(1)(f)) |
We do NOT use your data for:
- Selling to third parties
- Advertising or ad targeting
- Building user profiles for marketing purposes
- Training AI models (Anthropic's API tier explicitly excludes customer data from model training)
5. Third-Party Data Processors
We share your data with the following third-party processors, each of whom is contractually obligated to protect your data:
Supabase (Supabase Inc.)
Purpose: Database hosting, user authentication, file storage
Data shared: All account data, user-generated content, uploaded images
Location: EU (Frankfurt, Germany)
Safeguards: Data encrypted at rest (AES-256) and in transit (TLS 1.3). Row Level Security ensures complete data isolation between users.
Anthropic (Anthropic PBC)
Purpose: AI processing of chart analyses, sparring conversations, journal feedback, quiz explanations, news summaries
Data shared: Chart images you upload, conversation messages, journal data (when you request AI feedback)
Location: United States
Safeguards: Standard Contractual Clauses (SCCs) for EU-US data transfers. API tier does not use customer data for model training.
Stripe (Stripe Inc.)
Purpose: Payment processing, subscription management, invoicing
Data shared: Email address, subscription details, payment method (handled directly by Stripe)
Location: United States (with EU data processing infrastructure)
Safeguards: PCI DSS Level 1 certified. Standard Contractual Clauses for EU transfers.
Vercel (Vercel Inc.)
Purpose: Application hosting, serverless function execution, CDN
Data shared: Standard HTTP request data (IP address, user agent, request URL)
Location: Global CDN with edge nodes; origin servers in United States
Safeguards: Standard Contractual Clauses for EU transfers.
Resend (Resend Inc.)
Purpose: Transactional email delivery (welcome emails, verification, billing notifications, watchlist alerts)
Data shared: Email address, email content
Location: United States
Safeguards: Standard Contractual Clauses for EU transfers.
Telegram (Telegram FZ-LLC)
Purpose: Telegram bot functionality and channel communication
Data shared: Telegram user ID, messages and images you send to the bot
Location: Global (Telegram's infrastructure)
Safeguards: Data only shared if you voluntarily link your Telegram account.
5.7 Public APIs (No User Data Shared)
The following services provide public market data. No user data is transmitted to these services: Binance API (OHLCV data), CoinGecko API (market capitalization), Alternative.me API (Fear & Greed Index), CryptoPanic API (news aggregation).
6. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), specifically the United States (where Anthropic, Stripe, Vercel, and Resend operate).
Such transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission and supplementary measures including encryption in transit and at rest. Where possible, we use EU-based infrastructure (Supabase EU Frankfurt) to minimize international data transfers.
7. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Journal entries and trade data | Until you delete them or your account |
| Uploaded chart images | Until you delete them or your account |
| AI conversation history (sparring) | Until you delete your account |
| AI analysis results | Until you delete your account |
| Usage tracking counters | 12 months rolling |
| Gamification data (points, levels) | Until you delete your account |
| Referral records | Until you delete your account |
| Telegram linking data | Until you unlink or delete your account |
| Payment records | 7 years (required by Romanian tax law) |
| Server logs (IP, requests) | 30 days (managed by Vercel) |
| Creator program applications | Until program concludes or you request deletion |
Upon account deletion, all personal data is permanently removed within 30 days, except anonymized aggregated statistics, payment records retained for legal compliance, and backup copies purged within 90 days.
8. Your Rights Under GDPR
Under the General Data Protection Regulation, you have the following rights:
Access (Art. 15)
Request a copy of all personal data we hold about you.
Rectification (Art. 16)
Correct inaccurate or incomplete personal data.
Erasure (Art. 17)
Request deletion of your personal data ('right to be forgotten').
Data Portability (Art. 20)
Receive your data in a structured, machine-readable format (JSON/CSV).
Restriction (Art. 18)
Restrict processing of your data in certain circumstances.
Objection (Art. 21)
Object to processing based on legitimate interests.
Withdraw Consent (Art. 7(3))
Withdraw consent for consent-based processing at any time.
To exercise any of these rights, contact us at support@tradoki.com. We will respond within 30 days. Requests are processed free of charge; we reserve the right to charge a reasonable fee for manifestly unfounded or excessive requests.
9. Data Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
- Database security: Row Level Security (RLS) on all tables ensuring complete data isolation
- Authentication: Secure authentication via Supabase Auth with bcrypt password hashing (with salt)
- API security: All API routes require authentication; webhooks use cryptographic signature verification
- Payment security: PCI DSS compliance handled by Stripe — we never process or store card details
- Infrastructure: Hosted on Vercel with automatic DDoS protection and SSL/TLS
- Rate limiting: Protection against brute force attacks on authentication endpoints
Despite these measures, no method of electronic storage or internet transmission is 100% secure. We cannot guarantee absolute security but are committed to continuous improvement of our security posture.
10. Cookies and Tracking Technologies
10.1 Essential Cookies
| Cookie | Purpose | Duration |
|---|---|---|
| Supabase auth token | Maintains your login session | Session / 1 year |
| tradoki_cookie_consent | Stores your cookie preference | 1 year |
| tradoki_ref | Stores referral code during registration | 7 days |
10.2 What We Do NOT Use
- No third-party advertising cookies
- No social media tracking pixels (Facebook Pixel, TikTok Pixel, etc.)
- No fingerprinting or cross-site tracking technologies
A cookie consent banner is displayed on your first visit. If you decline optional cookies, only essential cookies required for the Service to function will be used.
11. Children's Privacy
The Service is intended solely for users aged 18 and older. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will delete that data promptly and terminate the associated account. If you believe a minor has provided us with personal data, please contact us immediately at support@tradoki.com.
12. Automated Decision-Making
The Service uses AI to generate educational content, including chart observations, journal feedback, and behavioral pattern insights. These constitute automated processing under GDPR Article 22.
However, these AI outputs: do not produce legal effects or similarly significant effects on you; are educational observations only, not binding decisions; do not determine your access to financial services; and do not result in automated decision-making that affects your rights. You always maintain full control over how you use (or disregard) AI-generated content.
13. Changes to This Privacy Policy
- Material changes: We will notify registered users via email at least 14 days before material changes take effect
- Non-material changes: Updated policy will be posted with a revised "Last updated" date
- Your options: If you do not agree with changes, you may delete your account before the changes take effect
14. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
National Supervisory Authority for Personal Data Processing (ANSPDCP)
Bucharest, Romania
Website: dataprotection.ro
You may also lodge a complaint with the supervisory authority in the EU member state of your habitual residence or place of work.
15. Contact
For any privacy-related questions, data rights requests, or concerns:
Bunny Honey Club SRL
CUI: 50100324
Email: support@tradoki.com
Phone: +491637830812 (International support)
Strada Petricani 4, Demisol Boxa Nr. 10
023842 Bucharest, Romania
Tradoki is an educational tool only. Not financial advice. Your data is protected by GDPR and Row Level Security.