Legal Document

Last updated: March 11, 2026

Privacy Policy

This Privacy Policy describes how Tradex (tradexapp.tech) collects, processes, and protects personal data. This document complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR) and applicable data protection laws.

§ 1. Data Controller

The controller of personal data of Tradex users is:

Michał Chełmża

Operator of Tradex

Email: michalchelmza@gmail.com

Website: tradexapp.tech

No Data Protection Officer (DPO) has been appointed. All questions and requests regarding personal data protection should be directed to the email address above.

§ 2. Data We Collect

2.1 Account Data

  • Email address — required for registration and login
  • Name or display name — optional, provided by the user
  • Password — stored exclusively in hashed form (bcrypt) by Supabase Auth
  • Registration date and time
  • Profile picture — optional (from Google OAuth or uploaded by the user)

2.2 Profile and Trading Data

This data is generated exclusively by the user and constitutes the content of the service:

  • Names and settings of trading profiles (currency, starting balance)
  • Transaction data: date, instrument, direction (Long/Short), result (Win/Loss), P&L, notes
  • Chart screenshots attached to transactions

2.3 Technical Data

  • IP address
  • Browser headers (User-Agent) and operating system information
  • Access logs — resource URLs, request timestamps

2.4 Payment Data

Payment card data and full billing information are processed exclusively by Stripe, Inc. Tradex does not store card numbers. The Controller has access only to: subscription status, Stripe customer ID, and Stripe subscription ID.

2.5 Data Sent to TradexAI (TradexPro plan)

Using the TradexAI feature causes the content of your query and your transaction context to be sent to OpenAI, LLC for generating a response. Data is processed by OpenAI in accordance with their privacy policy. The Controller minimizes data sent to OpenAI to what is strictly necessary.

§ 3. Legal Bases and Purposes of Processing

Purpose | Legal Basis (GDPR)
Service provision (registration, login) | Art. 6(1)(b) — performance of a contract
Storage of user trading data | Art. 6(1)(b) — performance of a contract
Payment processing and subscription management | Art. 6(1)(b) — performance of a contract
TradexAI service (sending queries to OpenAI) | Art. 6(1)(b) — performance of a contract
Service security, fraud prevention | Art. 6(1)(f) — legitimate interests
Financial record keeping (tax obligations) | Art. 6(1)(c) — legal obligation

§ 4. Data Processors

The Controller has entrusted the processing of personal data to the following processors under data processing agreements:

Supabase, Inc.

  • Role: Database hosting (PostgreSQL), user authentication
  • Location: Servers in eu-central-1 (Frankfurt, Germany) — data stored within the EEA
  • Data transfer: Not applicable — servers in the EEA (DE)
  • Privacy policy: supabase.com/privacy

OpenAI, LLC (TradexPro — TradexAI only)

  • Role: Processing queries and generating AI responses
  • Location: United States
  • Data transfer: Transfer outside the EEA based on Standard Contractual Clauses (SCC) — Art. 46 GDPR
  • Privacy policy: openai.com/policies/privacy-policy

Stripe Payments Europe, Limited / Stripe, Inc.

  • Role: Payment processing and subscription management
  • Location: Ireland / United States
  • Data transfer: Transfer outside the EEA possible based on SCC — Art. 46 GDPR
  • Privacy policy: stripe.com/privacy

Vercel, Inc.

  • Role: Application hosting, CDN, server infrastructure
  • Location: United States (global edge servers, including within the EEA)
  • Data transfer: Transfer outside the EEA based on SCC — Art. 46 GDPR
  • Privacy policy: vercel.com/legal/privacy-policy

§ 5. Data Retention

Data Category | Retention Period
Account data and trading data | Duration of account + up to 12 months after deletion (civil claims limitation period)
Data backups after account deletion | Up to 30 days from account deletion
Payment data and financial transaction history | 5 years from transaction date (tax and accounting obligations)
Technical logs (IP addresses, access logs) | Up to 12 months

§ 6. Your Rights Under GDPR

Under GDPR, every person whose data is processed by the Controller has the following rights:

  1. Right of access (Art. 15 GDPR). The right to obtain information about your processed data and receive a copy of it.
  2. Right to rectification (Art. 16 GDPR). The right to correct inaccurate or incomplete personal data.
  3. Right to erasure — "right to be forgotten" (Art. 17 GDPR). The right to request deletion of your data when it is no longer necessary for the purposes for which it was collected.
  4. Right to restriction of processing (Art. 18 GDPR). The right to restrict processing of your data in certain circumstances.
  5. Right to data portability (Art. 20 GDPR). The right to receive your data in a structured, commonly used, machine-readable format.
  6. Right to object (Art. 21 GDPR). The right to object to processing based on the Controller's legitimate interests.
  7. Right to withdraw consent (Art. 7(3) GDPR). The right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal.
  8. Right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The right to lodge a complaint with the competent data protection authority.

How to exercise your rights: Submit requests to michalchelmza@gmail.com. We will respond within 30 days of receiving your request (Art. 12(3) GDPR).

Supervisory authority (Poland): Urząd Ochrony Danych Osobowych (UODO), ul. Stawki 2, 00-193 Warsaw, Poland (uodo.gov.pl). If you are based in another EU/EEA country, you may also contact your local supervisory authority.

§ 7. Cookies

Tradex uses only technically necessary cookies that are required for the service to function properly. These cookies do not require user consent under GDPR.

Name | Purpose | Duration
sb-access-token | User authentication session (Supabase Auth) | Browser session
sb-refresh-token | Authentication session renewal | 7 days
tradex-app-store | UI preferences (theme, language) — localStorage | Persistent / until cleared

Tradex does not use analytics, tracking, or advertising cookies. No third-party cookies are set for marketing purposes. All session cookies are set as httpOnly and Secure.

§ 8. Data Security

The Controller applies the following technical and organisational security measures:

  • Data encryption in transit (TLS 1.2/1.3, HTTPS)
  • Row-Level Security (RLS) in the Supabase database — each user can only access their own data
  • Password hashing with bcrypt (managed by Supabase Auth)
  • Secure session cookies (httpOnly, Secure, and SameSite attributes)
  • Database access restricted exclusively to the application server
  • Regular automated data backups within Supabase infrastructure

§ 9. International Data Transfers

Data may be transferred outside the EEA when using the following services:

  • OpenAI (TradexAI) — USA; transfer basis: Standard Contractual Clauses (SCC) approved by the European Commission under Art. 46(2)(c) GDPR
  • Vercel (hosting) — USA; transfer basis: Standard Contractual Clauses (SCC)
  • Stripe (payments) — USA/Ireland; transfer basis: Standard Contractual Clauses (SCC)

In each case the Controller has put in place appropriate safeguards required by GDPR. You may request information about the safeguards used for transfers outside the EEA by contacting the Controller at the email address above.

§ 10. Changes to This Privacy Policy

The Controller reserves the right to update this Privacy Policy. For material changes that affect your rights, the Controller will provide at least 14 days' notice via the email address you registered with or via an in-app notification.

Continued use of the Service after changes are published constitutes acceptance of the updated policy. Effective date of the current version: March 11, 2026.