Privacy Policy
1. Introduction
This Privacy Policy describes how TradeCaliber, Inc. ("TradeCaliber," "we," "us," or "our") collects, uses, stores, shares, and protects personal information when you use our AI-powered binary event trading platform (the "Platform"). This Policy complies with the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other applicable privacy laws including the Gramm-Leach-Bliley Act ("GLBA") where applicable.
2. Categories of Personal Information We Collect
2.1 Identity Data
- Email address, display name — provided by you at registration
- CCPA Category: Identifiers
2.2 Authentication Data
- Password hash (bcrypt), session tokens — generated at registration and login
- CCPA Category: Identifiers
2.3 Network Data
- IP address, session timestamps — collected automatically
- CCPA Category: Internet/electronic network activity
2.4 Financial Data
- Trading history, positions, P&L, portfolio composition — generated through Platform use and synchronized from Interactive Brokers ("IBKR")
- CCPA Category: Financial information
2.5 Brokerage Credentials
- Interactive Brokers username, password, account ID — provided by you during brokerage linking
- CCPA Category: Sensitive personal information (account log-in with credentials)
2.6 Behavioral Data
- Feature usage, login timestamps, user preferences — collected automatically
- CCPA Category: Internet/electronic network activity
2.7 AI Processing Data
- Portfolio data, position data, trade parameters submitted to AI analysis — generated when you use AI-powered features
- CCPA Category: Inferences drawn from PI
We do not intentionally collect special categories of data under GDPR (racial origin, health data, biometrics, etc.).
3. Purposes and Lawful Bases for Processing (GDPR)
3.1 Performance of Contract (Article 6(1)(b))
- Account creation and authentication
- Brokerage connection and trade execution
- Recording trading data for portfolio tracking
- AI-powered trade analysis (the core service)
3.2 Legitimate Interests (Article 6(1)(f))
- Security monitoring, fraud prevention, abuse detection (IP addresses, session logs)
- Platform improvement and debugging (behavioral data, used in aggregate where possible)
3.3 Legal Obligation (Article 6(1)(c))
- Retention of financial records for regulatory compliance and tax obligations
- Retention of data in response to lawful requests (court orders, subpoenas)
3.4 Consent (Article 6(1)(a))
- Public leaderboard display (opt-in; you may withdraw consent at any time by opting out)
We do not currently rely on consent for any other core processing activity.
4. Brokerage Credential Security
Given the sensitive nature of brokerage credentials, we apply enhanced safeguards:
Encryption at Rest: IBKR credentials are encrypted using AES-256-GCM before storage. Encryption keys are managed separately from the application database via environment variables.
Encryption in Transit: All communications use TLS 1.2 or higher.
Access Controls: No human employee, administrator, or support agent can view decrypted IBKR credentials. Decryption occurs in-memory only at the time of trade execution.
Credential Deletion on Disconnect: When you disconnect your IBKR account or delete your account, encrypted credentials are immediately and permanently deleted. Active IBKR sessions are terminated. This is irreversible.
What We Do NOT Do:
- We never transmit your IBKR credentials to Anthropic or any AI provider
- We never use credentials for any purpose other than executing trades you authorize
- We never store credentials in plaintext, log files, or unencrypted backups
- We never share credentials with any third party
5. AI Data Processing
5.1 How It Works
The Platform uses Anthropic's Claude API to generate conviction ratings and trade analysis. When you use AI features, a subset of your data is transmitted to Anthropic.
5.2 Data Sent to Anthropic
- Portfolio positions (ticker symbols, sizes, entry prices)
- Recent trading history relevant to the analysis
- Catalyst event data (publicly available)
- Aggregate performance metrics
5.3 Data NEVER Sent to Anthropic
- Your email, password, or account credentials
- Your IBKR credentials
- Your IP address or device information
- Your display name or directly identifying information
5.4 Anthropic's Data Practices
As of this Policy's effective date, Anthropic's commercial API terms provide that API inputs are not used to train models and are retained for up to 30 days for trust and safety, then deleted. We monitor changes to Anthropic's terms and will notify you of material changes.
5.5 Consent for AI Processing
By using AI features, you consent to this processing. You may withdraw consent by disabling AI features, though this limits Platform functionality. Under GDPR, the legal basis is both consent (Art. 6(1)(a)) and performance of contract (Art. 6(1)(b)).
6. Public Leaderboard
6.1 Opt-In Participation
Your data will not appear on the leaderboard unless you affirmatively enable it.
6.2 Data Displayed
If opted in: display name, aggregate performance (return %, win rate, trade count, rank). Never displayed: individual trades, account balances, dollar P&L, email, IP, or brokerage status.
6.3 Opt-Out
You may opt out at any time via account settings. Your entry is removed within 48 hours.
6.4 CPRA "Sharing" Analysis
We do not believe the leaderboard constitutes "sharing" under CPRA (no data goes to advertising networks). However, we honor opt-out requests and provide a "Do Not Sell or Share" link in the Platform footer.
7. Third-Party Service Providers
| Provider | Location | Data Shared | Purpose |
|---|---|---|---|
| Railway | US | All Platform data (hosting) | Cloud infrastructure |
| Anthropic | US | Portfolio/trading data (see §5) | AI analysis |
| Interactive Brokers | US | Credentials, trade orders | Trade execution |
| Polygon.io | US | Ticker symbols only (no PI) | Market data |
| Finnhub | US | Ticker symbols only (no PI) | Financial data |
| FMP | US | Ticker symbols only (no PI) | FDA calendar |
We do NOT use analytics trackers (no Google Analytics, no Mixpanel), ad networks, or data brokers. We do NOT sell personal information.
8. International Data Transfers (GDPR)
All data is stored and processed in the United States. For EEA/UK users, we rely on Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914, Modules 1 and 2. We have conducted a Transfer Impact Assessment per EDPB Recommendations 01/2020. Supplementary measures include AES-256-GCM encryption, TLS 1.2+, and access controls.
9. Data Retention
| Category | Retention Period | Rationale |
|---|---|---|
| Identity Data | Duration of account + 30 days after deletion | Grace period for accidental deletion |
| Authentication Data | Duration of account; deleted on closure | Authentication necessity |
| Session Tokens | 30 days or until logout | Short-lived by design |
| Network Data (IP) | 90 days | Security and fraud detection |
| Financial Data | Account + 7 years after closure | Regulatory recordkeeping (SEC Rule 17a-4, FINRA Rule 4511) |
| Brokerage Credentials | Until unlinked or account deleted | Immediately deleted; no retention |
| Behavioral Data | Duration of account; deleted on closure | Service improvement |
| AI Processing Data | Not retained beyond the API call | Processed in real-time, discarded |
| Leaderboard Data | Duration of account or until opt-out | Public display feature |
| Backup Data | 14 days rolling | Disaster recovery |
Regulatory Retention vs. Deletion Rights
Financial records may be retained in a segregated, access-restricted archive for up to 7 years even after account deletion, to comply with SEC/FINRA requirements. During this period, the data is used only for regulatory compliance. We will inform you which data categories are subject to regulatory holds when you request deletion.
10. Your Rights Under GDPR (EEA/UK Users)
We extend these rights to all users as a matter of good practice.
10.1 Right of Access (Art. 15)
Obtain a copy of your data. We respond within 30 days.
10.2 Right to Rectification (Art. 16)
Correct inaccurate data via account settings or by contacting us.
10.3 Right to Erasure (Art. 17)
Request deletion, subject to regulatory retention obligations (see §9).
10.4 Right to Restriction of Processing (Art. 18)
Request we limit processing in certain circumstances.
10.5 Right to Data Portability (Art. 20)
Receive your data in JSON or CSV format.
10.6 Right to Object (Art. 21)
Object to processing based on legitimate interests.
10.7 Automated Decision-Making (Art. 22)
We do not make decisions based solely on automated processing that produce legal effects. AI analysis is informational; all trading decisions are yours.
10.8 Right to Lodge a Complaint
Contact your local supervisory authority. EEA: edpb.europa.eu. UK: ico.org.uk.
11. Your California Privacy Rights (CCPA/CPRA)
11.1 Right to Know
Request disclosure of categories and specific pieces of PI collected.
11.2 Right to Delete
Request deletion, subject to exceptions (completing transactions, security, legal obligations including financial recordkeeping).
11.3 Right to Correct
Request correction of inaccurate PI.
11.4 Right to Opt-Out of Sale/Sharing
We do not sell personal information. We honor opt-out requests for leaderboard display and recognize Global Privacy Control (GPC) signals.
11.5 Right to Limit Sensitive PI
We already limit use of sensitive PI (brokerage credentials, financial data) to providing the Services.
11.6 Verification Process
Registered users: submit from account email, verify via link within 72 hours. For specific pieces of PI, we may require a signed declaration under penalty of perjury.
11.7 Authorized Agents
You may designate an agent with signed written authorization.
11.8 Non-Discrimination
We will not deny service, charge different prices, or provide different quality for exercising rights.
12. GLBA Considerations
To the extent TradeCaliber is or becomes classified as a "financial institution" under the Gramm-Leach-Bliley Act:
Privacy Notice (Reg S-P): We do not share nonpublic personal information with nonaffiliated third parties except as permitted (processing transactions, maintaining accounts, legal requirements).
Safeguards Rule (16 CFR Part 314): We maintain an information security program including risk assessments, encryption, access controls, and service provider oversight.
Opt-Out Rights: We do not share NPI for marketing. Should practices change, we will provide an opt-out mechanism.
13. Data Breach Notification
13.1 General Breaches
We notify affected users within 72 hours (GDPR) or without unreasonable delay (CCPA). We notify supervisory authorities as required.
13.2 Brokerage Credential Breaches
For breaches involving IBKR credentials — even if encrypted — we will:
- Immediately invalidate all stored connections and terminate IBKR sessions
- Notify affected users within 24 hours with instructions to change IBKR passwords
- Notify Interactive Brokers
- Engage third-party forensic investigators
13.3 Notification Content
Nature of breach, categories of data affected, measures taken, and recommended user actions.
14. Data Security
- AES-256-GCM encryption for brokerage credentials at rest
- TLS 1.2+ for all data in transit
- Bcrypt password hashing (cost factor 12+)
- HTTP-only, Secure, SameSite=Strict session cookies
- Role-based access controls
- No third-party analytics or tracking tools
- Daily encrypted database backups with 14-day retention
15. Cookies
We use only strictly necessary cookies for session authentication. No analytics, advertising, or tracking cookies. Because we use only strictly necessary cookies, no consent banner is required under the ePrivacy Directive.
| Cookie | Purpose | Duration |
|---|---|---|
| Session token | Authentication | 30 days or logout |
| User preferences | Display settings | Persistent |
16. Children's Privacy
The Platform is not directed to individuals under 18. We do not knowingly collect PI from minors. If we discover that we have collected such data, we promptly delete it.
17. State Privacy Laws
Residents of Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), and Nevada (SB 220) have rights substantially similar to those in Section 11. Contact privacy@tradecaliber.com.
18. Do Not Sell or Share My Personal Information
We do not sell PI and have not done so in the preceding 12 months. We do not share PI for cross-context behavioral advertising. To submit an opt-out request related to leaderboard visibility: use the "Do Not Sell or Share" link in the Platform footer, or email privacy@tradecaliber.com.
19. Changes to This Policy
Material changes: 30 days' advance email notice. Non-material changes reflected in the "Last Updated" date.
20. Contact
TradeCaliber, Inc.
Email: privacy@tradecaliber.com
Security incidents: security@tradecaliber.com
For GDPR inquiries, contact our Data Protection point of contact at privacy@tradecaliber.com.
This Privacy Policy is effective as of April 5, 2026.