Last updated: April 1, 2025
TradeAI ("we", "us", or "our") establishes this Privacy Policy (the "Policy") to describe how we handle the personal information of users ("you" or "User") of the TradeAI Series of services (the "Service"). We comply with the Act on the Protection of Personal Information (the "APPI") and all other applicable laws and regulations, and we respect your privacy.
Article 1 (Information We Collect)
We may collect the following information in connection with providing the Service.
1. Information you provide directly
- Account registration: Email address
- Authentication: Password (stored as an irreversible bcrypt hash; your plain-text password is never stored)
- Enquiries: Your name, email address, and the content of your enquiry
- BYOK data: AI API keys you optionally register (stored in encrypted form)
2. Information collected automatically through your use of the Service
- Access data: IP address, browser type and version, OS information, and access timestamps
- Usage data: Login frequency, features used, Signal viewing history, and notification settings
- Session data: Session ID (managed via cookies)
- Security data: Login attempt records and CSRF tokens
3. Payment-related information
- Payments are processed by Stripe or PayPal. Credit card numbers, CVV codes, and other payment credentials are never stored on our servers.
- We store the customer ID (customer_id) and subscription ID (subscription_id) provided by Stripe or PayPal.
- We store payment logs including transaction status, amount, and timestamp.
Article 2 (Purposes of Use)
We use the information we collect for the following purposes.
- Providing and operating the Service: Account authentication, Signal delivery, dashboard display, and notification sending
- Payment processing: Subscription management, billing, and receipt issuance
- Customer support: Responding to your enquiries
- Service improvement: Analysing usage patterns to improve the Service and develop new features
- Important notices: Maintenance announcements, service changes, and security notifications
- Security: Detecting and preventing unauthorised access, and responding to Terms of Service violations
- Legal compliance: Fulfilling obligations required by law
If we wish to use personal information for any purpose beyond those listed above, we will obtain your prior consent.
Article 3 (Handling of BYOK Information)
- AI API keys you register via the BYOK feature are encrypted before being stored in our database.
- Registered API keys are used solely for Signal generation within the Service and for no other purpose.
- You may request deletion of your API keys at any time.
- The content of requests sent to AI APIs using your keys (prompts, etc.) is processed in accordance with each AI provider's privacy policy. We are not responsible for how each AI provider handles such data.
Article 4 (Third-Party Disclosure)
We will not provide your personal information to third parties except in the following circumstances:
- With your consent.
- As required by law (e.g., court warrants or lawful requests from law enforcement).
- Where necessary to protect someone's life, body, or property and it is difficult to obtain your consent.
- Where particularly necessary to promote public health or the sound development of children and it is difficult to obtain your consent.
- When providing minimum necessary information to Stripe or PayPal for payment processing.
- When providing email addresses to SendGrid for the purpose of sending emails.
Article 5 (Third-Party Services)
The Service uses the following third-party services. Please review each service's privacy policy for details on how your personal information is handled.
| Service | Purpose | Information shared |
| --- | --- | --- |
| Stripe | Payment processing | Email address, payment details |
| PayPal | Payment processing | Email address, payment details |
| SendGrid (Twilio) | Email delivery | Email address |
| OpenAI / Anthropic / Google / xAI / DeepSeek | AI analysis processing | Market data (no personal information) |
Article 6 (Security Measures)
We implement the following measures to prevent the leakage, loss, or damage of personal information and to otherwise manage it securely.
Technical security measures
- Password protection: Irreversible hashing using bcrypt (cost factor 12)
- Encrypted communications: All traffic encrypted via SSL/TLS (HTTPS)
- Access control: Database files stored outside the web-accessible directory
- Unauthorised access prevention: Login attempt throttling (5 attempts per 15 minutes), CSRF protection, and rate limiting
- Session management: Session fixation attack prevention, 30-minute session timeout, Secure/HttpOnly cookies
- Input validation: SQL injection prevention (prepared statements), XSS prevention (output escaping)
- Webhook verification: Stripe and PayPal webhook signature verification to prevent tampering
Organisational security measures
- Restricted access to administrator accounts
- Logging of administrative operations (audit trail)
- Regular security reviews
Article 7 (Cookies)
- The Service uses cookies for session management.
- The cookies we use are as follows:
  - Session cookie: Required to maintain your authenticated state (essential)
  - CSRF token cookie: Required to prevent cross-site request forgery attacks (essential)
- We do not use advertising-tracking cookies or third-party cookies.
- Disabling cookies in your browser settings will prevent you from using login and other features of the Service.
Article 8 (Access, Correction, and Deletion of Personal Information)
- You may request that we disclose, correct, add to, delete, or suspend use of your personal information.
- Please submit requests by email at support@tradeai.jp or via our contact form.
- After verifying your identity, we will respond within a reasonable period.
- If you wish to delete your account, please contact us. We will delete the personal information linked to your account (except where retention is required by law).
Article 9 (Data Retention Periods)
We retain collected information for the following periods. After the retention period, information is promptly deleted or anonymised.
| Type of information | Retention period |
| --- | --- |
| Account information (email address, etc.) | Until account deletion |
| Payment logs | 7 years (as required by law) |
| Access logs (IP addresses, etc.) | 90 days |
| Login attempt records | 30 days |
| Enquiry contents | 1 year after resolution |
| BYOK API keys | Until deleted by you or upon account deletion |
Article 10 (Children's Privacy)
The Service is not directed at persons under 18 years of age. We do not knowingly collect personal information from anyone under 18. If we become aware that a person under 18 has provided personal information, we will promptly delete it.
Article 11 (International Data Transfers)
The servers of AI API providers used by the Service (OpenAI, Anthropic, Google, etc.) may be located outside Japan. However, data sent to AI APIs consists only of market data (exchange rates, technical indicators, etc.) and does not include any personal information.
Article 12 (Changes to This Policy)
- We may update this Policy as necessary.
- Any updated Privacy Policy takes effect from the time it is posted on our website.
- For material changes, we will endeavour to provide notice via an announcement on our website or by email.
Article 13 (Contact Us)
For enquiries about this Policy or to request access, correction, or deletion of personal information, please contact us at:
End of Policy