Privacy Policy
Last updated: 2026-06-14
This Privacy Policy explains what personal information TradeByBar ("we", "us", "the Service") collects, why, who we share it with, and the rights you have over it. It includes specific disclosures for residents of the European Economic Area (EEA), the United Kingdom, and Switzerland under the General Data Protection Regulation (GDPR and UK GDPR), and for residents of California under the California Consumer Privacy Act as amended by the CPRA (collectively, "CCPA"). If you have any privacy question, email support@tradebybar.com.
Who is responsible for your data
The data controller (and "business" under the CCPA) is TradeByBar, an online-only business with no physical storefront. The best way to reach us about your data is by email:
- Contact: support@tradebybar.com
EU / UK representative (GDPR Article 27)
Where Article 27 of the EU GDPR or UK GDPR requires a controller outside the EEA/UK that offers goods or services to, or monitors, individuals in those regions to appoint a representative there, that representative acts as a local point of contact for data subjects and supervisory authorities. Our representative details are:
- EU representative: contact us at support@tradebybar.com for our current EU Article 27 representative details.
- UK representative: contact us at support@tradebybar.com for our current UK Article 27 representative details.
EEA and UK users may also reach us directly at support@tradebybar.com for any data-protection matter.
What we collect
- Account info: username, email, hashed password, optional display name. If you sign in with Google, we receive your Google account email and basic profile identifier.
- Broker credentials and connections: API keys, tokens, or OAuth grants for the broker accounts you connect (e.g. Tradovate, Webull). Secrets are encrypted at rest with AES-256-GCM. They are designed not to be logged in plaintext, and we do not display them back to anyone other than you.
- Trading data: strategies, assignments, orders, fills, backtests, paper-trading results, trading sessions, and account balances reported by your broker.
- Billing: Stripe customer id and subscription status. We do not see or store your full card number; Stripe handles payment details.
- Integrations you enable: Discord account/server identifiers if you link Discord for alerts and commands; TradingView webhook payloads you configure to be sent to us.
- Support communications: the contents of emails or messages you send us.
- Operational and usage data: IP address, user-agent, request paths, timestamps, and page-view analytics (see our Cookie Policy), used for security, debugging, and understanding how the Service is used.
We do not intentionally collect special-category data (such as health, race, religion, or biometric data) and ask that you not submit it. We do not knowingly collect data from anyone under 18; the Service is not directed to minors.
Why we collect it, and our legal bases
For users protected by the GDPR, we rely on the following legal bases (GDPR Art. 6):
- To provide the Service: connect to your broker, run your strategies, show your dashboard, manage your account. Legal basis: performance of our contract with you.
- To bill you and prevent fraud. Legal basis: contract, and our legitimate interest in preventing abuse.
- To secure and improve the Service: logging, debugging, and aggregate analytics. Legal basis: our legitimate interest in a secure, working product; for non-essential cookies, your consent (see Cookie Policy).
- To respond to support requests. Legal basis: contract and legitimate interest.
- To send transactional email and, where you opt in, alerts. Legal basis: contract and consent.
- To comply with the law (e.g. tax, accounting, lawful requests). Legal basis: legal obligation.
Where we rely on legitimate interests, you have the right to object (see "Your rights"). Where we rely on consent, you may withdraw it at any time without affecting prior processing.
Who we share it with
We share data with the following categories of service providers ("processors"), each only with the data they need to perform their function for us:
- Hosting and database provider, where your data is stored and encrypted at rest.
- Stripe, for billing and payment processing.
- Your broker (e.g. Tradovate, Webull), which receives the orders you authorize.
- Email provider (Resend), for transactional and account email.
- Anthropic, our AI inference provider, which processes the prompts and trading-context data used by the optional AI / Intelligence features when you use them. Your data is sent only to generate the response you requested and is not used by us to train models.
- Google, if you choose Google sign-in.
- Discord, if you link it for alerts and commands.
- First-party usage analytics, hosted on our own servers, for page-view and usage measurement; no third-party analytics provider receives this data (see Cookie Policy).
We may also disclose data where required by law, to enforce our Terms, or in connection with a merger, acquisition, or sale of assets (you will be notified of any such change). We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
International data transfers
We are based in the United States, and your data is stored and processed there. If you are in the EEA, UK, or Switzerland, your personal data is transferred to a country that may not provide the same level of protection as your own. Where we transfer such data, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses (and the UK Addendum) with our processors. You may request a copy of the relevant safeguard by emailing support@tradebybar.com.
Retention
We keep your data for as long as your account is active. When you delete your account, we remove personal data within 30 days, except where retention is required by law (e.g. tax and accounting records, typically up to 7 years) or is necessary for fraud prevention, security, or the establishment or defense of legal claims. Aggregated or anonymized data that can no longer identify you may be retained indefinitely.
Security
Broker secrets are encrypted at rest with AES-256-GCM. Sessions are stored server-side in Postgres. Passwords are hashed with bcrypt. The Service runs over HTTPS. We recommend you enable two-factor authentication on the Account Settings page. No system is perfectly secure. If we determine a personal-data breach is likely to result in a risk to your rights, we will notify affected users and the relevant supervisory authority as required by law, and within 72 hours of becoming aware where GDPR Article 33 applies and feasible.
Automated decision-making
The Service executes trades automatically based on rules you define. This is automation you configure and control; we do not make automated decisions that produce legal or similarly significant effects about you within the meaning of GDPR Article 22, and we do not use your data for profiling or to evaluate you as a person.
Your rights
Depending on where you live, you may have some or all of the following rights:
- Access / know: get a copy of the personal data we hold and the categories, sources, purposes, and recipients of it.
- Rectification / correction: fix inaccurate or incomplete data.
- Erasure / deletion: have your data deleted, subject to legal retention limits.
- Restriction and objection: limit or object to certain processing, including processing based on our legitimate interests.
- Portability: receive your data in a portable, machine-readable format.
- Withdraw consent: where processing is based on consent, withdraw it at any time.
- Non-discrimination: we will not deny service, charge a different price, or provide a different quality of service because you exercised your rights.
To exercise any right, email support@tradebybar.com. We will respond within 30 days (CCPA: within 45 days, extendable once). We may need to verify your identity before acting. You may use an authorized agent to submit a request on your behalf with proof of authorization. There is no fee unless your request is excessive or repetitive.
If you are in the EEA or UK and believe we have mishandled your data, you may lodge a complaint with your local data protection authority, though we ask that you contact us first so we can try to resolve it.
California disclosures (CCPA / CPRA)
In the past 12 months we have collected the following statutory categories of personal information: identifiers (e.g. name, username, email, IP address, Google/Discord identifiers); commercial information (subscription and billing records); financial information (broker connection data and account balances reported by your broker; we treat broker credentials and financial-account access as sensitive personal information); and internet/network activity (usage and log data). We collect this from you directly, from your connected broker and integrations, and automatically as you use the Service. We use it for the purposes described above.
- We do not sell personal information and have not done so in the past 12 months.
- We do not share personal information for cross-context behavioral advertising.
- Sensitive personal information is used only to provide and secure the Service you requested; we do not use or disclose it to infer characteristics about you, so the CPRA "limit the use of my sensitive personal information" right does not change our practices, but you may still contact us.
- You have the right to know, delete, and correct your information, and to not be discriminated against for exercising these rights, as described under "Your rights".
- Financial incentives: we do not offer financial incentives, loyalty programs, or price or service differences in exchange for the retention or sale of personal information.
Shine the Light (Cal. Civ. Code § 1798.83): we do not disclose personal information to third parties for their own direct-marketing purposes.
Cookies and tracking
Details of the cookies and analytics we use, and how to control them, are in our Cookie Policy.
Changes
Material changes will be announced via email and on this page. The "Last updated" date at the top tracks the current version.
Contact
Privacy questions and rights requests: support@tradebybar.com.