[ GDPR · UK DPA 2018 ]

Privacy Policy

Last updated: February 16, 2026

TradeLens AI (“we”) is the data controller for personal information collected through tradelensai.co.uk. This policy explains what we collect, why, how we protect it, and your rights under the UK GDPR and Data Protection Act 2018.

1. What we collect

Account data

  • Email address & name (required to register)
  • Hashed password (hashed with bcrypt; we never see your plaintext password)
  • Onboarding profile: trader type, experience level, risk tolerance, preferred markets, goal
  • Referral code, plan tier, billing transactions (Stripe/PayPal IDs, never card numbers)

Service data

  • Chart screenshots you upload (stored as base64 in our database, accessible only to you unless you toggle public)
  • AI analyses, trade plans, and outcomes that you mark or that are auto-resolved against market data
  • Watchlist entries, alerts, quiz scores

Technical & usage data

  • IP address (used for rate-limiting the public demo & basic fraud checks)
  • Browser, device, OS via standard request headers
  • Pages visited, features used (basic product analytics; no third-party tracking pixels)
  • Auth cookie (HTTP-only, samesite=none, secure) — required for login sessions

2. Why we process it (lawful basis under UK GDPR)

  • Contract — to provide the service you signed up for (analyses, account, billing).
  • Legitimate interests — product analytics, fraud prevention, securing the service.
  • Legal obligation — accounting records, responding to lawful regulatory requests.
  • Consent — marketing emails (you can opt out anytime, every email has an unsubscribe link).

3. Who we share data with (processors)

We only share what’s necessary, and only with vetted, GDPR-compliant providers:

  • OpenAI (via Emergent LLM gateway) — to run AI analysis on your chart screenshots. Inputs may be retained briefly for abuse monitoring per OpenAI’s API policy and are not used to train models.
  • Stripe — payments (PCI-DSS compliant, we never see your card data).
  • PayPal — alternative payments.
  • MongoDB Atlas — primary database (encrypted at rest, EU region).
  • Resend — transactional email (sign-up confirmations, password resets, billing receipts).
  • Yahoo Finance / CoinGecko — public market data, no personal data sent.

We do not sell or rent your data to advertisers. There are no third-party tracking pixels on the site.

4. International transfers

Some processors (OpenAI, Stripe, MongoDB Atlas) may process data outside the UK / EEA. Where they do, transfers are protected by Standard Contractual Clauses (SCCs) or equivalent adequacy decisions.

5. How long we keep it

  • Account & profile data — for the life of your account.
  • Chart analyses — kept until you delete them or close your account, then held for a further 30 days before being permanently removed.
  • Billing records — 7 years (UK HMRC requirement).
  • Anonymised aggregate stats (win-rate, R) — retained indefinitely; cannot be linked back to you.

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectify — fix inaccurate data.
  • Erase — “right to be forgotten” (subject to legal retention).
  • Restrict — limit how we process your data.
  • Object — opt out of legitimate-interest processing & direct marketing.
  • Portability — receive your data in a machine-readable format.
  • Withdraw consent — for anything based on consent.

To exercise any of these, email privacy@tradelensai.co.uk. We respond within 30 days.

If you’re unhappy with how we handle your data you may complain to the UK Information Commissioner’s Office: ico.org.uk.

7. Security

  • HTTPS-only, TLS 1.3 at the edge.
  • Bcrypt password hashing.
  • HTTP-only secure cookies; JWTs signed with a server-side secret.
  • Database access restricted to internal application IPs; encrypted at rest.
  • Regular dependency updates & security review.

8. Cookies

We use a minimal set of cookies:

  • access_token — required for sign-in (essential, no consent needed).
  • marketsTab — remembers your last-viewed market tab (LocalStorage, not a cookie).

No advertising cookies. No third-party analytics cookies.

9. Children

TradeLens is not directed at anyone under 18. We do not knowingly collect data from minors. If you believe a minor has registered, email privacy@tradelensai.co.uk and we’ll delete the account.

10. Changes to this policy

Material changes will be announced via email and an in-app banner at least 14 days in advance.

11. Contact

Data Protection enquiries: privacy@tradelensai.co.uk