Este documento es autoritativo en inglés y aplica a todos los usuarios de BookinTrade. Si necesitás un resumen en español o tenés consultas, escribinos a soporte@bookintrade.com.

Privacy Policy

Effective Date: April 9, 2026 · Last Updated: June 9, 2026

1. Introduction

BookinTrade ("we," "us," or "our") operates the BookinTrade mobile application and web platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information.

We comply with applicable data protection laws including Argentina's Ley 25.326, the EU's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).

2. Information We Collect

2.1 Information You Provide

Account Information: Email address and password (stored as a bcrypt hash, never in plain text).

Trading Data: Trade records you enter or import, including asset pairs, prices, dates, sizes, and notes.

Psychological Journal: Emotional state ratings, discipline scores, checklists, and reflections you voluntarily record.

Exchange API Keys: Stored encrypted with Fernet (AES-128-CBC + HMAC-SHA256, derived from a master key via HKDF-SHA256). We only request read-only permissions and never execute trades on your behalf.

Payment Information: Processed entirely by Dodo Payments. We never store credit card numbers.

Telegram Bot Token (optional): If you opt in to Telegram alerts, your bot token is stored encrypted with the same Fernet scheme as exchange keys. We only use it to send notifications to your own chat — never to read messages.

AI Assistant API Key (optional, "Bring Your Own Key"): If you enable the optional Telegram AI Assistant, you provide your own API key for a third-party AI provider of your choice (for example Google Gemini, Anthropic Claude, OpenAI, or any OpenAI-compatible provider). The key is stored encrypted with the same Fernet scheme as exchange keys and is used only to process your own requests. When you chat with the Assistant, a summary of your own trading data is sent to the provider you selected, using your key, solely to generate your reply. We do not use our own AI keys for this and we do not control or pay for that provider's processing. You can disconnect the Assistant at any time from the app. See Section 4.

Community Profile: An anonymous alias you choose for the optional leaderboard. Your real identity is never exposed.

2.2 Automatic Collection

Device Info: Type, OS, browser, screen resolution. Push Tokens: Web Push subscription endpoints. Usage Data: Pages visited, features used, session duration. IP Address: For security and approximate geolocation.

2.3 Cookies and Tracking Technologies

We use the following categories of cookies and similar storage:

Essential (always active): session tokens, authentication state, payment flow. The app cannot function without these.

Analytics (opt-in): we use PostHog (described below) to understand aggregated usage patterns. All analytics signals default to denied until you explicitly opt in. We do NOT use advertising cookies, ad personalization, or cross-site tracking. (Google Analytics 4 was retired on 11 July 2026; analytics are now consolidated in PostHog.)

Product analytics (opt-in): we also use PostHog (PostHog Inc., with data hosted in the European Union) to understand aggregated event funnels (for example sign-up, login, and which features are used). PostHog is configured without session recording/replay and without automatic capture of clicks or form inputs; events are routed through our own domain (reverse proxy) and gated by your analytics consent. We send only an internal user identifier and aggregated event names — never your email address or financial figures. See posthog.com/privacy.

Marketing (opt-in, currently unused): reserved for future campaigns. No marketing cookies are set today.

You can review, change, or revoke your choice at any time using the floating "🍪 Privacidad" button at the bottom-left of every page. Revoking analytics consent triggers a page reload to ensure no further data is sent.

For Google's privacy practices, see policies.google.com/privacy.

3. How We Use Your Information

We use your data to provide the Service (trade tracking, analytics, backtesting, psychological analysis), manage your account, generate personalized analytics using statistical methods (Pandas/NumPy — the built-in analytics do not use external AI), send opted-in notifications, detect fraud, and comply with legal requirements. Separately, the optional Telegram AI Assistant — which you must explicitly enable with your own third-party AI provider key — sends a summary of your trading data to the AI provider you choose in order to generate your responses (see Sections 2.1 and 4).

We do NOT use your data for advertising targeting, behavioral profiling, or sale to data brokers.

4. Data Sharing

We do not sell, rent, or trade your personal information. We share data only with: Supabase (database, SOC 2 Type 2 compliant), Dodo Payments (PCI-DSS Level 1), Railway (backend hosting), Vercel (frontend hosting), Resend (transactional email), Telegram Bot API (only when you opt in to alerts or to the AI Assistant — message content is sent through the Telegram bot), your chosen AI provider (only if you enable the optional Telegram AI Assistant — a summary of your trading data is sent to the provider you configure, for example Google, Anthropic, or OpenAI, using your own API key; their handling of that data is governed by their own privacy policy), Sentry (error monitoring), PostHog Inc. (product analytics — only when you opt in to analytics cookies; data hosted in the European Union), and as required by law.

5. Data Retention

We retain data while your account is active. Upon deletion, we remove or anonymize your data within 30 days, except where legally required (e.g., billing records for tax compliance, up to 10 years under Argentine tax law).

6. Your Rights

You have the right to: access your data, rectify inaccuracies, erase your data ("right to be forgotten"), port your data in machine-readable format, object to processing, and withdraw consent at any time.

Contact us at soporte@bookintrade.com or use the in-app account deletion at /delete-account. Response time: 10 business days (Argentine law) or 30 days (GDPR).

7. Data Security

We use TLS 1.2+ in transit, Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) for sensitive secrets at rest (exchange API keys, Telegram bot tokens), bcrypt password hashing, Supabase Row Level Security policies enforced server-side, rate limiting on all public endpoints, and HMAC-SHA256 webhook signature verification. No method is 100% secure.

8. International Transfers

Your data may be processed in the United States. Argentina is recognized by the EU as providing adequate data protection.

9. Children's Privacy

The Service is not for individuals under 18. We do not knowingly collect data from minors.

10. Changes

We will notify you of material changes by updating this page and the "Last Updated" date. Continued use constitutes acceptance.

11. Contact

Email: soporte@bookintrade.com
Data Controller: BookinTrade
Supervisory Authority (Argentina): AAIP — argentina.gob.ar/aaip