Legal

Privacy Policy

Your privacy is fundamental to how we build SmartTrading. This policy explains what data we collect, why we collect it, and your rights over it.

Last Updated: May 1, 2026  ·  Effective Date: May 1, 2026

Summary (plain language)

  • We collect only the data required to run the platform for you.
  • We never sell, rent, or trade your personal or financial information.
  • Authentication tokens are stored in HTTP-only cookies — never in localStorage.
  • You may request export or deletion of your data at any time.

1. Who We Are

SmartTrading (“SmartTrading,” “we,” “our,” or “us”) operates an AI-powered portfolio risk management and analytics platform (the “Service”). This Privacy Policy governs how we collect, process, and protect information relating to your use of the Service. By creating an account or otherwise using the Service, you acknowledge that you have read and understood this policy.

2. Information We Collect

We collect information in the following categories:

2.1 Account Information

When you register, we collect your full name, email address, and a securely hashed password. If you authenticate via Google OAuth, we receive only your name and email from Google's identity service. We do not receive or store your Google password.

2.2 Financial & Portfolio Data

To provide risk analytics, we collect the portfolio data you enter into the platform: ticker symbols, share quantities, entry prices, stop-loss levels, and portfolio names. This financial data is processed exclusively to deliver the Service to you and is never shared for advertising or monetisation purposes.

2.3 Technical & Usage Data

We automatically collect your IP address, browser type and version, operating system, referring URLs, features accessed, session duration, and error logs. This data is used to secure the platform, diagnose issues, and improve performance.

2.4 Communications

When you contact support or submit feedback, we retain those communications to assist you and improve the Service.

2.5 Cookies & Session Tokens

We use HTTP-only cookies to manage secure authentication sessions (st_access_token, 15-minute expiry, and st_refresh_token, 7-day expiry). Storing tokens in HTTP-only cookies prevents them from being accessed by JavaScript, protecting against cross-site scripting (XSS) attacks. We do not store authentication credentials in localStorage or sessionStorage. We may also use analytics cookies to understand aggregate usage patterns. You can disable non-essential cookies in your browser; some features may be affected.

3. How We Use Your Information

We use the information we collect to:

  • Provide, operate, maintain, and improve the Service
  • Run portfolio risk scoring, AI-generated research, and analytics on your behalf
  • Send transactional notifications including stop-loss alerts, price alerts, and account security updates
  • Detect, prevent, and remediate fraud, abuse, and security incidents
  • Respond to your support requests and feedback
  • Comply with applicable legal and regulatory obligations
  • Send product updates and educational content where you have explicitly opted in

We do not use your financial data for advertising, profiling for third parties, or any purpose beyond delivering the Service.

4. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) or the United Kingdom, we rely on the following lawful bases under the General Data Protection Regulation (GDPR):

  • Contract Performance — processing necessary to provide the Service you registered for
  • Legitimate Interests — security monitoring, fraud prevention, and service improvement, balanced against your privacy rights
  • Legal Obligation — compliance with applicable laws and regulations
  • Consent — non-essential cookies and opt-in marketing, which you may withdraw at any time without affecting prior processing

5. Data Sharing & Third Parties

We do not sell, rent, or trade your personal information. We share data only in the following limited circumstances:

5.1 Service Providers

We engage trusted vendors to help operate the Service, including cloud infrastructure and database hosting, market data providers (Finnhub, TwelveData, Polygon, Yahoo Finance), error tracking (Sentry), and transactional email delivery. Each provider processes data solely on our behalf under a confidentiality or data processing agreement with appropriate safeguards.

5.2 Legal Compliance

We may disclose information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to protect our rights, your safety, or the safety of others.

5.3 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity. We will provide advance notice of any such transfer and of any material changes to this policy that result from it.

6. International Data Transfers

Your data may be stored or processed in countries outside your home jurisdiction, including Israel, the United States, or the European Union, depending on our infrastructure and service provider locations. For transfers of personal data from the EEA or the UK, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses (SCCs) approved by the European Commission or equivalent mechanisms — to protect your data to the standard required by applicable law.

7. Data Retention

We retain your account and portfolio data for as long as your account remains active and as necessary to provide the Service. When you request account deletion, we will purge your personal data within 30 days, except where retention is required to comply with legal, tax, audit, or regulatory obligations (which may require retention for up to 7 years). Aggregated, anonymised data that cannot identify you individually may be retained indefinitely for product improvement purposes.

8. Security

We implement technical and organisational measures to protect your data, including:

  • TLS 1.2+ encryption for all data in transit
  • AES-256 encryption for data at rest
  • HTTP-only, Secure-flagged cookies to prevent XSS-based token theft
  • bcrypt password hashing with no plaintext storage
  • Rate limiting and IP-based abuse detection
  • Role-based access controls for personnel
  • Regular security reviews and dependency audits

No internet transmission or electronic storage is 100% secure. If you suspect unauthorised access to your account, please change your password immediately and contact us.

9. Your Rights

9.1 Access & Rectification

You have the right to request a copy of the personal data we hold about you and to ask us to correct any inaccurate information.

9.2 Deletion (‘Right to Be Forgotten’)

You may request deletion of your account and all associated personal data. We will process verifiable requests within 30 days, subject to legal retention requirements.

9.3 Data Portability

You may request an export of your portfolio data in a structured, machine-readable format (JSON or CSV).

9.4 Objection & Restriction

You may object to processing based on our legitimate interests and request restriction of processing while we evaluate your objection.

9.5 Withdraw Consent

Where processing is based on your consent (e.g., marketing emails or non-essential cookies), you may withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.

9.6 California Residents (CCPA/CPRA)

California residents have the right to know what personal information we collect and how it is used; to request deletion; to opt out of the “sale” or “sharing” of personal information (we do not sell or share your information); and to receive equal service regardless of exercising these rights. To exercise your California privacy rights, contact us at the email address below.

To exercise any of the above rights, contact us at support@smarttrading.com. We will respond within 30 days.

10. Children's Privacy

The Service is intended for individuals 18 years of age or older. We do not knowingly collect personal information from minors. If you believe a child has provided personal data to us without parental or guardian consent, please contact us and we will promptly delete that information.

11. Third-Party Links & Integrations

The Service may contain links to third-party websites or integrate with external data services. This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party services you interact with through our platform. We are not responsible for the privacy practices of external sites or services.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will revise the “Last Updated” date at the top of this page and, where appropriate, provide a prominent notice within the Service or via email at least 14 days before the changes take effect. Your continued use of the Service after the effective date of the updated policy constitutes acceptance of the changes.

13. Contact Us

For privacy inquiries, data access or deletion requests, or complaints about how we handle your data, please contact us:

SmartTrading — Privacy Team

Email: support@smarttrading.com

We aim to acknowledge all requests within 5 business days and respond in full within 30 days.