Trady360 — Privacy Policy

Definitions and interpretation

In this privacy policy, the following definitions are used:
1. Data: Collectively all information that you submit to Trady360 via the Website or the Application, including trading data synchronised from connected exchanges. This definition incorporates, where applicable, the definitions provided in the European Union's 2018 General Data Protection Regulation (GDPR) and Vietnam's Decree 13/2023/ND-CP on Personal Data Protection.
2. Application or App: the software application accessed at app.trady360.com providing trading behavior audit services to Users.
3. Credit & Debit Card Data: Trady360 does not store credit card details on this Website nor does Trady360 share customer details relating to financial data with any third parties. All payment processing is handled by Stripe (see clause 6).
4. Cookies: A small text file that may be placed on your computer or device by this Website when you visit certain parts of the Website and/or when you use certain features of the Website. Details of the cookies used by this Website are set out in clause 8 (Cookies).
5. Exchange API: the read-only application programming interface keys provided by you to Trady360 in order to allow the Application to retrieve your historical trade data from supported cryptocurrency exchanges, including but not limited to Binance and Bybit.
6. Trady360, we, us, or our: Trady360 Co., Ltd., a company registered in the Socialist Republic of Vietnam, with registered office in Ho Chi Minh City, Vietnam.
7. User or you: any third party that accesses the Website or the Application and is not either (i) employed by Trady360 Co., Ltd. and acting in the course of their employment or (ii) engaged as a consultant or otherwise providing services to Trady360 and accessing the Website or the Application in connection with the provision of such services.
8. Website: www.trady360.com and any sub-domains of this site unless expressly excluded by their own terms and conditions.
In this privacy policy, unless the context requires a different interpretation:
1. the singular includes the plural and vice versa;
2. references to sub-clauses, clauses, schedules or appendices are to sub-clauses, clauses, schedules or appendices of this privacy policy;
3. a reference to a person includes firms, companies, government entities, trusts and partnerships;
4. "including" is understood to mean "including without limitation";
5. reference to any statutory provision includes any modification or amendment of it;
6. the headings and subheadings do not form part of this privacy policy.

Scope of this privacy policy

This privacy policy applies only to the actions of Trady360 and Users with respect to this Website and the Application. It does not extend to any websites that can be accessed from this Website or the Application, including, but not limited to, any links we may provide to social media websites, externally-facing URLs provided in connection with use of Trady360, or the websites of cryptocurrency exchanges to which you connect API keys.
Although Trady360 reads trade data from the cryptocurrency exchanges you connect, Trady360 does not control, operate, or have any responsibility for the privacy practices of those exchanges. Each exchange operates under its own privacy policy and you should review those policies separately.

Data collected

When you initially create an account or use our services, we may collect information that is relevant to providing the audit service, including:
1. Account information: your email address, encrypted password hash, account creation date, last login timestamp, and current subscription tier.
2. Trading data: your filled trade history (symbol, side, entry price, exit price, position size, timestamps, fees), current open positions, and account balance, all retrieved automatically from connected cryptocurrency exchanges through read-only API keys provided by you.
3. Behavior data: rules you author, daily check-ins, reflections, trade reviews, emotion tags, and any other content you create within the Application.
4. Payment information: billing name, billing country, last four digits of payment card, and subscription history. Full card numbers and CVV codes are processed and stored exclusively by Stripe (see clause 6) and are never transmitted to or stored by Trady360.
5. Usage information: anonymous page views, click events, error logs, IP address (retained 30 days), device type, browser, and screen size.
Trady360 does not knowingly collect or request the following sensitive categories of personal information: government-issued identification numbers, biometric data, precise geolocation, racial or ethnic origin, religious beliefs, health information, or sexual orientation. If such data is inadvertently provided to us, we will delete it upon discovery.

Exchange API access

Because exchange API access is the most security-sensitive aspect of using Trady360, this clause describes our practice in detail.

When you connect an exchange account to Trady360, you generate an API key on the exchange itself with the "Read" permission only. Trady360 instructs you to not enable trading, futures trading, or withdrawal permissions on the API key.
The Application code does not call, and is not configured to call, any order placement, order cancellation, withdrawal, internal transfer, or sub-account management endpoints of any supported exchange. The architecture of the Application enforces this restriction at the code level, not merely as a policy.
Your API key and secret are encrypted using AES-256-GCM at rest. The encryption key is stored in a separate Hardware Security Module (HSM) and is not co-located with the encrypted data.
You may revoke a connected API key at any time by deleting the key on the exchange directly. No action on Trady360's part is required for this revocation to take effect; the exchange will reject any further read attempts immediately.
Trady360 supports IP whitelisting on connected API keys. You may restrict the API key to only respond to requests from Trady360's server IP addresses, which are published in our security documentation. This is recommended but not required.

Why this matters

Even in the event of a server compromise, an attacker cannot place trades, transfer funds, or withdraw assets using a read-only key. The exchange itself rejects any non-read action. This protection is enforced by your exchange, not by Trady360 — and that is the design intent.

Our use of Data

For the purposes of GDPR and Vietnam's Decree 13/2023/ND-CP, Trady360 acts as a "data controller".
We will retain any Data you submit for as long as your account remains active, unless you explicitly request that your Data be deleted (see clause 9).
All personal Data is stored securely in accordance with applicable data protection laws.
Data may be used by us for the following purposes:
1. internal record keeping;
2. provision of the audit, behavior detection, and rule-tracking services to you;
3. improvement of our products and services, including bug fixing and product development;
4. billing and subscription management;
5. communication with you regarding your account, including weekly reports and account notifications;
6. fraud prevention, abuse detection, and security monitoring;
7. compliance with legal, tax, and regulatory obligations.
Trady360 does not engage in automated decision-making that produces legal effects on you. Behavior pattern detection and rule compliance checks are presented to you as observations; the decisions of how to act on those observations remain entirely yours.
Trady360 does not sell, rent, or trade your personal Data to third parties for monetary or other valuable consideration. Trady360 does not share your individual trade data with hedge funds, trading firms, signal providers, coaching services, or academic researchers.
Trady360 may publish aggregated, anonymized statistics derived from the user base (for example, "X% of audited losses are associated with FOMO entries"), but only when such statistics cannot be tied back to any individual account. You may opt out of such aggregation in your account settings.

Third party services

Trady360 may, from time to time, employ the services of other parties for dealing with certain processes necessary for the operation of the Website and the Application. The providers of such services have access to limited personal Data only to the extent required to perform the services we request.
Any Data processed by third parties is processed within the terms of this privacy policy and in accordance with applicable data protection laws. We enter into data processing agreements with all such providers.
Trady360 uses the services of the following third parties:

Provider

Purpose

Privacy policy

Cloudflare

Hosting, CDN, database (D1)

Application hosting, edge network delivery, primary database. Data regions: EU and Singapore.

cloudflare.com

Stripe

Payment processing

All credit/debit card processing, subscription billing, refunds. Trady360 never sees full card numbers.

stripe.com

Resend

Transactional email

Sending account-related emails (verification, password reset, weekly reports). No marketing email service is in use.

resend.com

Plausible Analytics

Privacy-friendly analytics

Aggregate, cookieless website analytics. No personal data, no IP tracking, no cross-site profiles.

plausible.io

Sentry

Error monitoring

Server and client-side error logging for debugging. Personal data is scrubbed from error reports before transmission.

sentry.io

Binance, Bybit

Read-only trade data API

Source of trade history, positions, and balance data, accessed via read-only API keys provided by you. See clause 4.

binance.com

Trady360 explicitly does not use Google Analytics, Facebook Pixel, Hotjar, MixPanel, Segment, Customer.io, or other behavioral advertising or session-replay tools.
If you object to the use of any of the third parties listed above, you may not be able to use parts of the service that depend on them. The list of third parties is reviewed periodically and changes will be communicated as part of clause 12 (Changes to this policy).

Data security

Data security is of great importance to Trady360. To protect your Data, we have put in place physical, electronic, and managerial procedures to safeguard and secure Data collected via this Website and the Application.
Specifically:
1. All Data transmitted between your browser and Trady360 servers is encrypted using TLS 1.3.
2. Sensitive fields (API keys, refresh tokens) are encrypted at rest using AES-256-GCM, with encryption keys stored in a separate Hardware Security Module.
3. Account passwords are hashed using bcrypt with 12 rounds of work factor. Original passwords are never stored and cannot be recovered, only reset.
4. Database backups are encrypted snapshots, retained for 30 days, then automatically deleted.
5. Application logs are retained for 30 days; error logs are retained for 90 days.
6. Production database access is restricted to a small number of authorised engineers, all access is logged, and access is reviewed periodically.
If password access is required for certain parts of the Website or the Application, you are responsible for keeping this password and any other access credentials confidential. Trady360 will never ask for your password by email, phone, or any other channel.
We endeavor to do our best to protect your personal Data. However, transmission of information over the internet is not always perfectly secure and is done at your own risk. We cannot guarantee the security of your Data transmitted to the Website or Application beyond the reasonable measures described above.
In the event of a personal data breach affecting your information, Trady360 will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33 and Vietnam's Decree 13/2023/ND-CP.

Cookies

This Website may place and access certain Cookies on your computer or device. Trady360 uses Cookies only for strictly necessary functional purposes and not for advertising, profiling, or cross-site tracking.
This Website may place the following Cookies:
1. Session cookie — Type: Strictly necessary. Purpose: Keeps you logged in to the Application. HttpOnly, Secure, SameSite=Lax. Expires after 30 days of inactivity.
2. CSRF token cookie — Type: Strictly necessary. Purpose: Protects against cross-site request forgery attacks. Session-scoped, deleted on logout.
3. Theme preference — Type: Functional. Purpose: Remembers your light/dark theme choice. Stored in localStorage, never transmitted to the server.
This Website does not place advertising cookies, third-party tracking cookies, or session-replay cookies.
You can choose to enable or disable Cookies in your internet browser. By default, most browsers accept Cookies but this can be changed. If you disable strictly necessary cookies, certain features of the Application may not function properly, including the ability to remain logged in.

Controlling use of your Data

Wherever you are required to submit Data, you will be given options to restrict our use of that Data. Specifically:
1. Right of access: You have the right to request a copy of any of your Data held by Trady360. The Application provides an export function in Settings → Data → Export which produces a complete JSON or CSV download of your account data, trade history, rules, and reflections.
2. Right to withdraw consent: You have the right to withdraw consent to process your Data at any time. This does not apply to instances where Trady360 relies on grounds provided by law, other than consent.
3. Right to deletion: You have the right for your Data to be deleted from the servers and databases of Trady360 in accordance with applicable data protection laws. Account deletion is available in Settings → Account → Delete. The deletion process is irreversible and completes within 30 days. Backups are also purged within 30 days.
4. Right to rectification: You have the right to request correction of any Data that is inaccurate. Most account fields can be edited directly in Settings; for derived data, contact us as described in clause 17.
5. Right to data portability: The exported JSON or CSV can be imported into other journaling tools using standard formats; no proprietary encoding is used.
6. Right to object or restrict: You may disable specific data uses (anonymized aggregated statistics, transactional emails beyond essential security notifications) individually in Settings → Privacy without deleting your account.
Please note, however, we may be compelled to terminate your Trady360 account where retention of certain information is necessary for the delivery of the service. In particular, we cannot provide the audit service without access to your trade data.

Children's privacy

Trady360 is not directed at children. The Application is intended for adult traders and we do not knowingly collect, process, maintain, or solicit any data, personal information, or other information from anyone under the age of 18.
Any individual under the age of 18 must not use the Service. If we learn that we have collected personal information from a person under 18, we will delete all such information promptly upon becoming aware of the same.
If you believe that we may have any information from a person under 18, please contact us as described in clause 17.

Changes of business ownership and control

Trady360 may, from time to time, expand or reduce its business, and this may involve the sale and/or transfer of control of all or part of Trady360. Data provided by Users will, where it is relevant and necessary to any part of our business so transferred, be transferred along with that part, and the new owner or newly controlling party will, under the terms of this privacy policy, be permitted to use the Data for the purposes for which it was originally supplied to us.
We may also disclose Data to a prospective purchaser of our business or any part of it under strict confidentiality and in compliance with applicable data protection laws.
In any change-of-control event, we will notify all active Users by email at least 30 days in advance, and Users will have the right to delete their account before the transfer takes effect.

Changes to this policy

Trady360 reserves the right to change this privacy policy as may be deemed necessary from time to time or as may be required by law.
Material changes — defined as any change that expands data collection, reduces User rights, or changes a key practice such as introduction of advertising or sale of data — will be communicated to all active Users by email at least 30 days before the change takes effect. Users may close their account during that period without penalty, and Data will be deleted as described in clause 9.
Minor edits, such as typo corrections, clarifications, or addition of new third-party services for which Users are notified separately, will be listed in the version history at the bottom of this page.

Additional information for EEA & UK Users (GDPR)

If you are a User located in the European Economic Area, the United Kingdom, or Switzerland, the following additional rights apply to you under the General Data Protection Regulation (GDPR) and the UK GDPR.

Legal basis for processing

Trady360 processes your personal data on the following legal bases:

Performance of a contract (Article 6(1)(b) GDPR) — to provide the audit service you signed up for, to process payments, and to communicate with you about your account.
Legitimate interest (Article 6(1)(f) GDPR) — to improve the product, monitor for fraud and abuse, and ensure security of the Application.
Compliance with legal obligations (Article 6(1)(c) GDPR) — to comply with tax, accounting, and regulatory record-keeping requirements.
Consent (Article 6(1)(a) GDPR) — for any optional data uses you have explicitly consented to, which you may withdraw at any time.

Your GDPR rights

You are entitled to the following:

The right of access — request copies of your personal data.
The right to rectification — request that we correct any inaccurate information.
The right to erasure — request that we erase your personal data, under certain conditions.
The right to restrict processing — request that we restrict processing of your personal data, under certain conditions.
The right to object to processing — object to our processing of your personal data, under certain conditions.
The right to data portability — request that we transfer the data we have collected to another organisation, or directly to you.
The right to lodge a complaint with a data protection supervisory authority in your country of residence.

If you make a request, we have one month to respond. To exercise any of these rights, please contact trady360@gmail.com with the subject line "GDPR Request".

International data transfers

Trady360 stores data in the European Economic Area (Cloudflare EU regions) and in Singapore. Where we transfer data outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, supplemented by additional technical and organisational measures including end-to-end encryption.

Additional information for US State Privacy Law residents

This section applies to residents of California, Virginia, Colorado, Connecticut, Utah, and other US states with applicable comprehensive data privacy laws (collectively, "State Data Privacy Laws"). Where one or more State Data Privacy Laws offer enhanced rights compared to the law applicable in your specific state, we will endeavor to provide those enhanced rights, even where not strictly required.

Sale of personal information

Trady360 does not sell personal information as defined under the California Privacy Rights Act (CPRA) or any other State Data Privacy Law. We do not accept money or other things of value in exchange for your personal information.

Categories of personal information collected

Within the last twelve (12) months, Trady360 has collected the following categories of personal information from consumers:

Identifiers — email address, account name, IP address (retained 30 days). Yes, collected.
Customer records — billing name, last four digits of payment card, billing country. Yes, collected (limited).
Commercial information — subscription history. Yes, collected.
Internet activity — anonymous page views, click events on the Website and Application. Yes, collected (anonymous).
Trading data — your trade history, positions, and balance from connected exchanges. This is not "personal information" in the traditional sense but is sensitive financial information; we treat it with the same protections.
Behavior data — rules you write, reflections, trade reviews. Yes, collected (created by you).
Sensitive personal information (race, religion, biometrics, geolocation, etc.) — Not collected.
Protected classification characteristics — Not collected.
Biometric information — Not collected.
Geolocation data — Not collected (IP address is used only for fraud prevention and is approximate at country level).

Your CPRA / State Data Privacy Law rights

Right to know what personal information we collected, the categories of sources, the business purpose, and the categories of third parties we share with.
Right to delete personal information collected from you, subject to certain exceptions.
Right to correct inaccurate personal information.
Right to opt out of sale or sharing — not applicable, as we do not sell or share for cross-context behavioral advertising.
Right to limit use of sensitive personal information — not applicable, as we do not collect sensitive personal information beyond what is strictly necessary to provide the service.
Right to non-discrimination for exercising any of the above rights.

To exercise these rights, contact trady360@gmail.com with the subject line "State Privacy Request". We may verify your identity before responding.

"Shine the Light" disclosure (California)

The California "Shine the Light" law (Cal. Civ. Code §1798.83) gives California residents the right to opt out of certain personal information being shared with third parties for direct marketing. Trady360 does not share personal information with third parties for their own direct marketing purposes.

Authorized agents

You may submit a request through an authorized agent acting on your behalf. Authorized agents must provide written permission to make a request on your behalf and information sufficient to verify your identity directly with us.

Additional information for Vietnam (Decree 13/2023/ND-CP)

If you are a Vietnamese resident or your data is processed in connection with services provided in Vietnam, the following additional information applies under Decree 13/2023/ND-CP on Personal Data Protection ("Decree 13") and related Vietnamese law.

Trady360 Co., Ltd. is registered in the Socialist Republic of Vietnam and serves as the personal data controller for Vietnamese Users under Decree 13.
Personal data is processed for the lawful purposes set out in clause 5 of this policy. Sensitive personal data (as defined in Article 2 of Decree 13) is not processed by Trady360.
Cross-border transfer of personal data outside Vietnam (to Cloudflare EU regions and Singapore) is conducted in accordance with Article 25 of Decree 13. Trady360 maintains records of such transfers and applies appropriate safeguards.
Vietnamese Users have all rights set out in Articles 9-13 of Decree 13, including the right to be informed, to consent, to access, to withdraw consent, to delete, to restrict, to object, to be compensated, and to file complaints with the Ministry of Public Security.
To exercise rights under Decree 13, contact trady360@gmail.com with the subject line "Yêu cầu bảo vệ dữ liệu cá nhân" or "Decree 13 Request". Vietnamese-language correspondence is fully supported.

General

You may not transfer any of your rights under this privacy policy to any other person, unless allowed by applicable Data Privacy Laws. We may transfer our rights under this privacy policy where we reasonably believe your rights will not be affected.
If any court or competent authority finds that any provision of this privacy policy (or part of any provision) is invalid, illegal, or unenforceable, that provision or part-provision will, to the extent required, be deemed to be deleted, and the validity and enforceability of the other provisions of this privacy policy will not be affected.
Unless otherwise agreed, no delay, act, or omission by a party in exercising any right or remedy will be deemed a waiver of that, or any other, right or remedy.
This privacy policy is governed by and interpreted according to the laws of the Socialist Republic of Vietnam. Any dispute, controversy, or claim arising under or in connection with this privacy policy shall be referred to and finally determined by the competent courts of Ho Chi Minh City, Vietnam, except where mandatory consumer protection law of your country of residence requires otherwise.

Contact

For any questions or concerns relating to the use of your Data, this privacy policy, or to exercise any of your rights, please contact us:

Trady360 Co., Ltd.

Email trady360@gmail.com

Subject lines "Privacy" · "GDPR Request" · "State Privacy Request" · "Decree 13 Request"

Response 5 business days for general inquiries; 30 days for formal data rights requests; 48 hours for urgent deletion requests (mark subject "URGENT — DELETE")

Address Trady360 Co., Ltd., Ho Chi Minh City, Vietnam (postal address available on request for formal correspondence)

If you are not satisfied with our response to any request, you have the right to lodge a complaint with the data protection authority in your country of residence, or with the Vietnam Ministry of Public Security for Vietnamese residents.