Effective Date: April 9, 2026 · Last Updated: May 1, 2026
BookinTrade ("we," "us," or "our") operates the BookinTrade mobile application and web platform (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information.
We comply with applicable data protection laws including Argentina's Ley 25.326, the EU's General Data Protection Regulation (GDPR), and the California Consumer Privacy Act (CCPA/CPRA).
Account Information: Email address and password (stored as a bcrypt hash, never in plain text).
Trading Data: Trade records you enter or import, including asset pairs, prices, dates, sizes, and notes.
Psychological Journal: Emotional state ratings, discipline scores, checklists, and reflections you voluntarily record.
Exchange API Keys: Stored encrypted with Fernet (AES-128-CBC + HMAC-SHA256), using a key derived from a master key via HKDF-SHA256. We only request read-only permissions and never execute trades on your behalf.
Payment Information: Processed entirely by Dodo Payments. We never store credit card numbers.
Telegram Bot Token (optional): If you opt in to Telegram alerts, your bot token is stored encrypted with the same Fernet scheme as exchange keys. We only use it to send notifications to your own chat — never to read messages.
Community Profile: An anonymous alias you choose for the optional leaderboard. Your real identity is never exposed.
Device Info: Type, OS, browser, screen resolution.
Push Tokens: Web Push subscription endpoints.
Usage Data: Pages visited, features used, session duration.
IP Address: For security and approximate geolocation.
We use the following categories of cookies and similar storage:
Essential (always active): session tokens, authentication state, payment flow. The app cannot function without these.
Analytics (opt-in): we use Google Analytics 4 (provided by Google LLC, USA, measurement ID G-2PXVKKTL7W) to understand aggregated usage patterns. GA4 collects anonymized IP, device info, browser language, page paths, and session duration. We do NOT enable advertising features, ad personalization, or Google Signals. Default retention: 14 months. We rely on Google Consent Mode v2 with all signals defaulting to denied until you explicitly opt in.
Marketing (opt-in, currently unused): reserved for future campaigns. No marketing cookies are set today.
You can review, change, or revoke your choice at any time using the floating "🍪 Privacidad" button at the bottom-left of every page. Revoking analytics consent triggers a page reload to ensure no further data is sent.
For Google's privacy practices, see policies.google.com/privacy.
We use your data to provide the Service (trade tracking, analytics, backtesting, psychological analysis), manage your account, generate personalized analytics using statistical methods (Pandas/NumPy — no external AI APIs), send opted-in notifications, detect fraud, and comply with legal requirements.
We do NOT use your data for advertising targeting, behavioral profiling, or sale to data brokers.
We do not sell, rent, or trade your personal information. We share data only with: Supabase (database, SOC 2 Type 2 compliant), Dodo Payments (PCI-DSS Level 1), Railway (backend hosting), Vercel (frontend hosting), Resend (transactional email), Telegram Bot API (only when you opt in to alerts — message content is sent to your own bot/chat), Sentry (error monitoring), Google LLC (Google Analytics 4 — only when you opt in to analytics cookies; data flows to Google data centers in the USA), and as required by law.
We retain data while your account is active. Upon deletion, we remove or anonymize your data within 30 days, except where legally required (e.g., billing records for tax compliance, up to 10 years under Argentine tax law).
You have the right to: access your data, rectify inaccuracies, erase your data ("right to be forgotten"), port your data in machine-readable format, object to processing, and withdraw consent at any time.
Contact us at soporte@bookintrade.com or use the in-app account deletion at /delete-account. Response time: 10 business days (Argentine law) or 30 days (GDPR).
We use TLS 1.2+ in transit, Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) for sensitive secrets at rest (exchange API keys, Telegram bot tokens), bcrypt password hashing, Supabase Row Level Security policies enforced server-side, rate limiting on all public endpoints, and HMAC-SHA256 webhook signature verification. No method is 100% secure.
Your data may be processed in the United States. Argentina is recognized by the EU as providing adequate data protection.
The Service is not for individuals under 18. We do not knowingly collect data from minors.
We will notify you of material changes by updating this page and the "Last Updated" date. Continued use constitutes acceptance.
Email: soporte@bookintrade.com
Data Controller: BookinTrade
Supervisory Authority (Argentina): AAIP — argentina.gob.ar/aaip