Privacy Policy
This Privacy Policy explains what we collect, how we use it, and the choices you have. We aim for plain English. If anything is unclear, email support@proplockai.com.
1. What we collect
1.1 Account data
- Email address (required for sign-in).
- Password (hashed with bcrypt; we never see your plaintext password).
- Optional profile fields (display name, timezone, market preferences).
1.2 Broker / prop-firm integration data
- API keys, OAuth tokens, or username/password you provide for read-only connections to platforms like TopstepX, Tradovate, NinjaTrader, etc. Stored encrypted at rest.
- Account identifiers (broker account numbers, nicknames, stage labels).
- Fill data synced from your broker: symbol, direction, quantity, entry/exit prices, P&L, timestamps. Read-only. We never send orders.
- Balance and equity snapshots if your broker exposes them.
1.3 Trading journal & discipline data (you generate)
- Smart Gate runs (setup chosen, planned risk, decision result).
- Manual trade notes, theses, screenshots you upload, session reviews.
- Strategy Vault setups, playbooks, rules.
- Discipline-profile settings (daily loss limit, max trades, cooldowns).
1.4 Usage & device data
- IP address, browser type, operating system, device identifiers.
- Pages visited, features used, and approximate timing — used for product analytics and security.
- Crash and error reports (via Sentry).
1.5 Billing data
- Stripe customer ID and subscription status.
- Full card numbers are handled by Stripe, never by PropLock. We see the last 4 digits, brand, and expiry for display purposes only.
2. How we use your data
- Run the Service: sync trades, evaluate gate decisions, render dashboards, send alerts.
- Billing & accounts: charge subscriptions, handle support requests, prevent fraud.
- Communication: account-related emails (trial ending, payment failed, security notices). Marketing emails only if you opt in.
- Product improvement: aggregate and de-identified analytics to understand which features work. We do not train AI models on your private data without your explicit opt-in.
- Security & legal: investigate abuse, comply with subpoenas, enforce our Terms.
3. Third parties we share with
We share only what each service needs to do its job. We do not sell your data and never will.
- Stripe (billing) — your email, customer/subscription IDs, payment method info Stripe collects directly.
- Neon (database hosting) — encrypted data at rest.
- Vercel (or our chosen hosting provider) — runtime infrastructure and logs.
- Sentry (error monitoring) — error context, scrubbed of credentials.
- Anthropic / OpenAI (AI analysis features) — only when you explicitly trigger an AI review of a trade; payload includes the trade metadata and your notes, not credentials.
- Finnhub (market data) — symbol queries; no personal data.
- Push notification providers — your subscription endpoint and the notification payload.
- Your broker APIs (TopstepX, Tradovate, etc.) — the credentials you provide are used solely to read your data.
We may also share data when legally required (subpoena, court order, regulatory request) or to protect our rights, your safety, or the safety of others.
4. How long we keep your data
- Active account: for as long as you have an account.
- After deletion: we delete your trading data within 30 days. Billing records are retained for 7 years to comply with tax and accounting laws.
- Backups: encrypted backups may persist for up to 90 days after deletion before rotating out.
5. Your choices
- Access & export: request a copy of your data by emailing support@proplockai.com.
- Correction: update profile and trade data in the Settings UI.
- Deletion: delete your account from Settings, or request deletion by email.
- Marketing opt-out: one-click unsubscribe in any marketing email. Transactional emails (billing, security) are required.
- Disconnect integrations: remove broker connections any time — credentials are deleted within 24 hours.
5.1 If you're in the EU/UK (GDPR)
You have rights to access, rectify, erase, restrict processing, port, and object. Our legal basis is performance of contract (running the Service) and legitimate interest (security, fraud prevention). Contact support@proplockai.com to exercise rights. You may also lodge a complaint with your supervisory authority.
5.2 If you're in California (CCPA/CPRA)
You have rights to know, delete, correct, and opt out of "sale" or "sharing" of personal information. PropLock does not sell or share personal information for cross-context behavioral advertising.
6. Security
We protect your data with:
- HTTPS/TLS everywhere.
- Passwords hashed with bcrypt.
- Broker credentials encrypted at rest.
- Database hosted on managed infrastructure with point-in-time recovery.
- Least-privilege access for engineers; audit logging.
- Sentry crash reporting scrubs credentials and PII before transmission.
No system is 100% secure. Report suspected vulnerabilities to support@proplockai.com — we appreciate responsible disclosure.
7. Cookies & tracking
- Required cookies: session/auth cookies — necessary to keep you signed in.
- Analytics: first-party only; no third-party advertising trackers.
- No cross-site tracking pixels. No Facebook Pixel, no Google Ads remarketing, no shadow profiles.
8. Children
The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has used the Service, contact us and we will delete their data.
9. International transfers
PropLock is operated from the United States. By using the Service from outside the US, you consent to your data being processed in the US under standard contractual clauses where required.
10. Changes to this Policy
We will post material changes with at least 14 days' notice and update the "Last updated" date at the top. Continued use after the effective date means you accept the updated Policy.
11. Contact
Email support@proplockai.com for any privacy question, data request, or complaint.