Privacy Policy

1. Controller

The controller within the meaning of Art. 4(7) GDPR is:
Core Structure Trading - Thomas Seifert
Silberweidenweg 10
10365 Berlin
Germany
Email: privacy@tradelyst.ai

Due to company size we are not required to appoint a data protection officer. Please direct any privacy-related enquiries to the address above.

2. Overview of processing

The following overview summarises the categories of data we process and why:

  • Server log files on website access (technical, anonymised)
  • Inventory data (name, email, language, timezone)
  • Authentication data (password hash; session tokens in JWT cookies)
  • Usage data (entered trades, setup definitions, rule breaches, journal notes, screenshots)
  • Billing data (via Stripe; we only store customer ID and subscription status)
  • AI processing data (aggregated statistics with no personal content)
  • Communication data (contact form, transactional emails)

3. Server log files

When you visit our website, our hosting provider captures the following in server log files: anonymised IP address (last octet removed), date and time of the request, requested URL, transferred byte count, referrer URL, user-agent string, HTTP status code.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in operational security, abuse prevention, statistics).
Retention: 30 days, then automatic deletion.
Recipients: hosting provider (see Section 12).

4. Cookies and similar technologies

Our use of cookies and equivalent storage mechanisms is as follows:

The marketing website (https://tradelyst.ai) stores no cookies and no data on your device. Language selection (de/en) is carried in the URL prefix (e.g. /de/pricing), not in a cookie. Pricing-display and similar UI preferences are held only in browser memory for the duration of your visit and discarded when you leave.

We use no tracking cookies, no advertising networks, and no social-media plugins.

4a. Reach measurement (Umami, cookieless)

On the marketing website we operate a self-hosted instance of the open-source software Umami (umami.tradelyst.ai) for statistical reach measurement. Umami is fully cookieless and writes no data to your device: no cookies, no localStorage, no sessionStorage, no IndexedDB. As a result, no consent under § 25(2)(2) TTDSG is required.

We collect only aggregated data: page visited, referrer, coarse country/region (derived from IP, not stored), browser class, screen-size bracket, timestamp. To distinguish returning visitors within a single day, Umami computes a server-side hash of IP address, user-agent, and a daily-rotating secret salt; that hash is deleted after 24 hours and cannot be reversed. There is no cross-day recognition.

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in statistical reach measurement to improve the service).
Retention: aggregated statistics indefinitely. The daily-rotating hash id is deleted after 24 hours.
Recipients: none. Umami runs on the same server as the Tradelyst application in Germany; no data is transmitted to third parties or abroad.
Objection: you can object to reach measurement at any time by email to privacy@tradelyst.ai, or by blocking the domain umami.tradelyst.ai in your browser or via an extension such as uBlock Origin. The application (the authenticated area, app.tradelyst.ai) is not instrumented for reach measurement.

5. Registration and account

Using the SaaS application requires an account. During the beta phase, registration is invite-only. On registration we collect:

  • Email address (required, used as login)
  • Password (stored as a bcrypt hash, cost factor 12)
  • Optional display name
  • Language preference, timezone (default: detected from browser)
  • Redeemed invite code, redemption timestamp

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
Retention: for the duration of the contractual relationship. After account deletion all personal data is irrevocably erased within 30 days (see Section 13).

6. Authentication and session management

Authentication sessions are stored as JSON Web Tokens (JWT) in an HTTP-only, Secure, SameSite-Lax cookie. The token contains the user id and an issued-at timestamp but no personal data in plain text. If you suspect a session is compromised you can use "Sign out everywhere" to invalidate every existing session server-side.

Brute-force protection: after repeated failed logins, further attempts are throttled for 15 minutes (5 attempts per email, 25 per IP). Legal basis: Art. 6(1)(f) GDPR.

7. Trading data and AI processing

Within the application we process trade records you enter or import, setup definitions, rule breaches, journal notes, uploaded screenshots, and statistics derived from them. This data is visible only to you and is processed solely to provide the service.

If you enable the AI Coach feature, aggregated and statistically summarised data (R-multiples, setup expectancy, time-of-day performance, streaks) is transmitted to OpenAI Ireland Ltd. to generate the Morning Brief and Post-Trade Review prose. In Privacy Mode (default-on for the Pro tier and above) all dollar amounts and account sizes are stripped before transmission; only ratios, percentages, and R-multiples flow through.

OpenAI contractually commits not to use API inputs for training its own models (see OpenAI API Data Usage Policies). Requests are retained on OpenAI servers in the US for up to 30 days for abuse monitoring.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
International transfer: EU Standard Contractual Clauses (SCCs) + EU–US Data Privacy Framework. OpenAI Ireland Ltd. is the primary contracting entity.
Opt-out: you can disable the AI feature at any time under "AI Coach → Settings"; it is then served by a deterministic local heuristic.

8. Payment processing (Stripe)

Paid subscriptions are processed by Stripe Payments Europe Ltd., 1 Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland. You are redirected to Stripe for checkout. Payment-card data is handled exclusively by Stripe — we receive only status information (Stripe customer id, subscription status, period end, payment method) via webhook.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
International transfer: Stripe processes some data in the US; Stripe Payments Europe Ltd. (Ireland) is the contracting entity; EU SCCs + DPF.
Retention with us: while your account exists. Stripe applies its own retention periods to satisfy financial-services obligations.

9. Market data (Databento)

Historical market data (NQ, ES, MNQ, MES, GC, MGC) is pulled from Databento, Inc. No personal data is transmitted to Databento; requests are made anonymously from our server using an API key.

10. Transactional email (Resend)

Transactional emails (welcome, morning brief, email-change confirmation, payment failures, account-deletion farewell) are sent via Resend, Inc., USA. Transmitted: the recipient address, the subject, and the body of the respective email.

Legal basis: Art. 6(1)(b) GDPR (performance of a contract).
International transfer: EU SCCs + EU–US Data Privacy Framework.

11. Contact form

When you use the contact form we process name, email, subject, and message, plus technical fields: IP address, submission timestamp, and a bot-detection timing field. Spam protection uses a honeypot field and a plausibility timing check; we use no external services such as reCAPTCHA.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR.
Retention: 12 months, then deleted — unless a longer period is required for tax or commercial-law reasons.

12. Processors and recipients

We engage the following carefully selected processors within the meaning of Art. 28 GDPR:

  • Hosting: [Provider name + seat], DPA in place.
  • Stripe Payments Europe Ltd., Ireland — payments. SCCs + DPF.
  • OpenAI Ireland Ltd., Ireland — AI models. SCCs + DPF.
  • Resend, Inc., USA — email delivery. SCCs + DPF.
  • Databento, Inc., USA — market data (no personal data).

Beyond the processors listed, we do not share your data with third parties — except where legally required (e.g. tax authorities, law enforcement). We never sell or share personal data for advertising or marketing purposes.

13. Retention and erasure

We retain personal data only as long as necessary for the stated purpose or as required by statute.

  • Account data and trade history: for the duration of the contractual relationship.
  • Account deletion: when you trigger deletion, the account enters a 30-day pre-delete state (you can reverse it at any point in that window). After expiry, every trade, setup, rule, AI review, morning brief, and trading account is irrevocably removed from the database; any active Stripe subscription is cancelled at the same time.
  • Invoicing and tax data: 10 years per § 147 AO, §§ 238, 257 HGB. This data is held by Stripe; we retain only customer IDs.
  • Server logs: 30 days.
  • Contact-form enquiries: 12 months.

14. Your rights

Subject to the statutory conditions, you have the following rights:

  • Access to your data (Art. 15 GDPR)
  • Rectification of inaccurate data (Art. 16 GDPR)
  • Erasure of your data (Art. 17 GDPR)
  • Restriction of processing (Art. 18 GDPR)
  • Portability (Art. 20 GDPR) — you can export all your data at any time under Settings → Data export as a ZIP archive
  • Objection to processing based on legitimate interests (Art. 21 GDPR)
  • Withdrawal of given consents, effective going forward
  • Complaint to a supervisory authority (Art. 77 GDPR)

To exercise these rights, email privacy@tradelyst.ai.

The competent supervisory authority is the data protection authority of the German federal state in which our registered office is located; a complete list is available at bfdi.bund.de.

15. Security of processing

We apply technical and organisational measures within the meaning of Art. 32 GDPR: TLS 1.2+ HTTPS encryption across the entire application, bcrypt password hashing, at-rest encryption of sensitive secrets (AES-256-GCM), database backups with restricted access, rate-limiting on authentication and mutation endpoints, regular updates of upstream libraries.

16. Automated decision-making

No automated decision-making within the meaning of Art. 22 GDPR takes place. AI-generated text (Morning Brief, Post-Trade Review) is purely informational and does not produce legally binding decisions.

17. Changes to this Privacy Policy

We adapt this Privacy Policy when legal or operational circumstances change. The current version is always available at https://tradelyst.ai/legal/privacy. We notify registered users by email of material changes.

Last updated: 2026-05-12 (added section 4a — reach measurement)