# Privacy Policy

**Version:** 1.0.0
**Effective date:** 2026-05-07

This Privacy Policy describes how the TradeCommander software (the "**Software**") and its author ("**Author**", "**we**") collect, use, store, and share information when you ("**User**", "**you**") run, host, or access the Software. It is incorporated into the [Terms of Use](DISCLAIMER.md) by reference.

The Software is **personal-use, open-source software** that you typically run on your own infrastructure (your laptop or your own cloud instance). In most deployments **the Author does not see, receive, or process your data** — your data lives on the host you control. This policy covers both self-hosted use and any hosted instance the Author may operate.

---

## 1. What Data the Software Handles

The Software handles four broad categories of data, all of which stay on the host the User controls unless the User explicitly transmits them to a third party.

### 1a. Account and authentication data

- Email address, display name, and (for Firebase auth) a Google account identifier.
- Hashed admin password (bcrypt) and JWT secret used to issue session cookies.
- Session cookies (HttpOnly), set by the backend at login.
- IP addresses, captured for rate-limiting failed login attempts.

### 1b. Broker and exchange credentials

- Alpaca API key and secret (or any other broker the User configures), encrypted at rest with the Software's credential vault before being written to the local database. The plaintext key and secret never touch disk and are never logged.
- A `paper` flag indicating whether the credentials point at the broker's paper or live environment.
- A timestamp showing when credentials were last updated and a four-character "last4" fingerprint of the API key, used solely so the user can confirm which key is loaded.

### 1c. Trading and account data

- Account balance, buying power, equity, positions, and orders, fetched from the broker on demand or on a schedule.
- Trade history, fills, partial fills, cancellations, and replacements.
- Configured strategies, bots, fleets, watchlists, journal entries, exit plans, alerts, risk caps, and other configuration.
- Computed P&L, cost basis, lot tracking, dividend ledger, tax-harvest reports, and other derived figures.
- Backtest inputs, parameters, and results.

### 1d. Market data and research

- Quotes, bars, options chains, news, sentiment, social-media trends, congressional disclosures, EDGAR filings, earnings, and other research data fetched from third-party providers.
- AI prompts and responses generated when the User invokes AI features (morning brief, overnight intel, scout, ai\_assistant, etc.).

## 2. Where Data Is Stored

- **On the host the User runs the Software on.** SQLite databases under the application's data directory hold user, trade, journal, config, and reconciliation data.
- **In the User's browser.** Auth cookies (HttpOnly) and minor preference data set by the frontend.
- **At third-party providers** (only when the User explicitly invokes a feature that calls them). See Section 4.

The Author does **not** operate a centralized backend that aggregates data across users. Each User's deployment is self-contained.

## 3. How Data Is Used

The Software uses data only for the purposes the User invokes:

- Authenticating the User (email, password hash, session cookie).
- Connecting to the User's broker to fetch account state and place orders the User initiates.
- Computing analytics, signals, P&L, tax estimates, and other derived output the User has asked for.
- Sending alerts and notifications via channels the User has configured (email/SMTP, Discord webhook, etc.).
- Logging operational events to the local filesystem for debugging and auditing.

The Author does **not** sell data, does **not** rent data, does **not** broker data, and does **not** train any model on User data.

## 4. Third-Party Services and Sub-Processors

The Software integrates with third-party services. **When the User invokes a feature that depends on a third party, the Software transmits the data necessary to make that call.** Each third party has its own privacy policy that the User must read and accept independently.

Typical third parties include:

- **Alpaca Markets** — broker API, market data, order routing. Receives orders, account-data requests, and market-data subscriptions.
- **Google Firebase** — optional Google Sign-In and (in some configurations) hosting. Receives auth tokens and identity data.
- **Google Gemini and other AI providers** — receive AI prompts (which may include ticker symbols, position summaries, and any text the User types into AI prompts) and return generated responses.
- **Alpha Vantage, news vendors, sentiment vendors, ApeWisdom** — receive symbol-lookup and metadata queries.
- **SEC EDGAR, U.S. House Clerk congressional-disclosure feeds** — receive search queries.
- **DuckDNS, Caddy, Vultr** (hosting components for self-hosted deployments) — see infrastructure data flows.
- **GitHub** — hosts the open-source repository. Receives any data the User chooses to post in issues, pull requests, or discussions.
- **SMTP provider, Discord webhook** — receive operational alerts the User configures.

The Author does not control these third parties and is not responsible for their handling of your data. **If you are concerned about a particular third party seeing your data, do not enable the feature that calls that third party.**

## 5. Cookies

The Software sets a small number of strictly-necessary HTTP cookies:

- **Session cookie (`tc_session` or equivalent)** — HttpOnly, SameSite=Strict, Secure (in production). Used to keep you signed in. Cleared on logout.
- **Browser-storage preference data** — local UI preferences (theme, last-viewed tab) stored in `localStorage`. No tracking, no analytics.

The Software does not use third-party advertising, analytics, fingerprinting, or marketing cookies.

## 6. Data Retention

- **Authentication data** is retained for the lifetime of the User's account.
- **Encrypted broker credentials** are retained until the User clears them or deletes the account.
- **Trade history, journal, configuration, audit logs, and reconciliation data** are retained indefinitely on the host the User controls. The Software does not auto-purge this data; the User is responsible for archiving and pruning if desired.
- **Operational logs** are retained on the host's filesystem until the User rotates or deletes them.
- **Failed-login IP records** are retained in memory only and expire after the rate-limit window (60 seconds). They are not written to disk.

To delete data, the User can stop the Software, revoke broker API keys, and remove the application's data directory. The Author has no role in this process for self-hosted deployments.

## 7. Security

The Software takes reasonable steps to protect data, including:

- **Encryption at rest** for broker credentials via the credential vault.
- **HttpOnly, SameSite=Strict session cookies** to mitigate XSS and CSRF.
- **Bcrypt hashing** for admin passwords (when `ADMIN_PASSWORD_HASH` is configured).
- **Rate limiting** on login endpoints.
- **Constant-time credential comparison** to mitigate timing attacks.
- **Content Security Policy (CSP)** to lock down script sources.
- **Kill switches, drawdown caps, and reconciliation** to mitigate trading-side security exposure.

However, **no system is fully secure**. The Software is open-source and may contain undiscovered vulnerabilities. The User is responsible for hardening the host the Software runs on, patching the OS, restricting network access, and rotating credentials. See the [Risk Disclosure](RISK_DISCLOSURE.md) §7 (Operational, Security, and Data Risk).

## 8. Children's Privacy

The Software is not intended for use by anyone under 18. The Author does not knowingly collect data from minors. If you believe a minor has provided data to the Software, contact the Author and the data will be deleted.

## 9. International Use

The Software is made available from the United States. If you access it from another country, you are responsible for ensuring that your use complies with local law. Data transferred to third-party services may be processed in countries other than your own under those providers' privacy policies.

## 10. California, EU, and Other Regional Rights

To the extent applicable law (including the California Consumer Privacy Act and the EU General Data Protection Regulation) grants you rights of access, correction, deletion, portability, or objection with respect to data the Author personally controls, you may exercise those rights by contacting the Author. For self-hosted deployments, you have direct technical control of your data — these rights are exercised by reading or modifying the local database.

The Author's lawful basis for processing (where GDPR applies) is performance of the contract represented by the [Terms of Use](DISCLAIMER.md) and your consent to the operational features you enable.

## 11. Changes to This Policy

The Author may revise this Privacy Policy from time to time. Material changes will be reflected by incrementing the version number and effective date at the top of this document. Continued use of the Software after a revision is published constitutes acceptance of the revised policy.

## 12. Contact

For privacy questions, exercise of regional rights, or concerns about how the Software handles data, contact the Author via the channels published in the GitHub repository at [github.com/SamDeiter/TradeCommander](https://github.com/SamDeiter/TradeCommander).