Legal
Privacy Policy
Effective Date: April 9, 2026 · Last Updated: April 9, 2026
Governing Law: State of Arizona, United States
Plain-English Summary
We collect only what we need to run the service. We never sell your data. We never use it to train AI. You can delete everything in one click and it's gone within 48 hours. Your Google tokens are encrypted before storage. You own your data — always.
1. Controller Identity and Contact Information
TradePros AI LLC ("Company," "we," "us," or "our") is an Arizona limited liability company and the data controller responsible for personal information collected through the TradePros AI platform, including the website tradeprosai.com and any associated applications (collectively, the "Service").
Data Controller:
TradePros AI LLC
State of Incorporation: Arizona, United States
Privacy inquiries: privacy@tradeprosai.com
General contact: hello@tradeprosai.com
2. Scope and Applicability
This Privacy Policy applies to all personal information we process in connection with the Service, regardless of the medium through which that information is provided. It does not apply to third-party websites, services, or applications that may be linked from the Service, even if accessed through our platform. We encourage you to review the privacy policies of any third-party services you access.
This Policy is intended to meet or exceed the standards established by the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), the Children's Online Privacy Protection Act (COPPA), applicable Arizona state privacy law, and the Google API Services User Data Policy, including its Limited Use requirements.
3. Information We Collect
3.1 Information You Provide Directly
- Registration data: full name, email address, and optionally, business name
- Authentication credentials: passwords are hashed using bcrypt with a minimum of 12 rounds and are never stored in plaintext or retrievable by us
- Communications: any correspondence you send to us, including support requests
3.2 Information Collected Through Google OAuth
When you connect your Google account, we request access to the following data, limited to the minimum necessary to operate the features you enable:
- Google Account identity: your name and email address, used solely for account setup and personalization
- Google Calendar (read-only): upcoming events are retrieved to generate briefings. Calendar data is processed ephemerally — it is used to generate your briefing and is not stored beyond the current briefing window
- Google Business Profile (read and respond): reviews are retrieved and stored to enable monitoring, AI-drafted response generation, and reply tracking. We do not post responses on your behalf — all responses require your explicit approval
- Gmail (subject line and sender only): we access only message metadata — subject and sender — to surface relevant context in briefings. Email body content is never accessed, retrieved, or stored under any circumstances
- OAuth tokens: access and refresh tokens are encrypted using AES-256-CBC with a unique encryption key stored separately from the database before being persisted. Tokens are never stored in plaintext
3.3 Automatically Collected Information
- Usage data: features accessed, briefings generated, and actions taken within the Service — used solely to operate and improve the platform
- Security audit logs: logs of sensitive account actions (e.g., login events, Google connection/disconnection, account deletion) retained for 12 months for security purposes
- Technical identifiers: session tokens managed via secure, httpOnly, SameSite=Strict cookies
3.4 Information We Expressly Do Not Collect
- Email body content — never accessed, never retrieved, never stored
- Payment card details — handled exclusively by Stripe; we never receive or store card numbers, CVVs, or banking information
- Precise geolocation data
- Health or biometric data (future wearable integrations will be strictly opt-in and processed ephemerally — no health data will be stored)
- Social media content beyond what you explicitly authorize
- Data from minors under 18 years of age
4. Legal Bases for Processing
We process personal information under the following legal bases:
- Contract performance: processing necessary to deliver the Service you have subscribed to, including generating briefings, monitoring reviews, and managing your account
- Legitimate interests: security monitoring, fraud prevention, service improvement, and audit logging — balanced against your rights and not overriding your interests
- Consent: where you have explicitly authorized specific processing, including connecting your Google account and opting into briefing history storage
- Legal obligation: processing necessary to comply with applicable law
5. How We Use Your Information
- To provide and operate the Service, including generating AI briefings, monitoring reviews, and delivering requested outputs
- To process AI briefings via Anthropic's Claude API — your data is transmitted to Anthropic solely to fulfill your request and is not retained by Anthropic for training purposes per their API terms of service
- To send transactional communications including account security alerts, service notifications, and briefing delivery via Resend
- To process subscription payments and manage billing relationships via Stripe
- To maintain security and prevent fraud through audit logging and anomaly detection
- To improve and develop the Service through aggregated, de-identified usage analytics
- To comply with applicable legal obligations
We do not use your personal information for advertising, behavioral profiling, or any purpose not listed above without your explicit prior consent.
6. Google API Services — Limited Use Disclosure
TradePros AI's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- Google user data is used only to provide or improve the user-facing features of the Service that are described in this policy and our Terms of Use
- Google user data is not used to develop, improve, or train generalized AI or ML models
- Google user data is not used for serving advertisements
- Google user data is not sold to third parties
- Google user data is not shared with humans except as necessary to provide the Service, for security purposes, or as required by law
- Human review of Google user data may occur only where necessary to provide support you have requested, for security investigation, or where required by law — and only with appropriate confidentiality protections
7. Disclosure of Information
We do not sell, rent, or trade your personal information. We share information only in the following limited circumstances:
7.1 Service Providers (Sub-processors)
- Anthropic (anthropic.com) — AI briefing generation via API. Data is processed per request and not retained for training
- Supabase (supabase.com) — database, authentication, and row-level security. Data stored in US-based infrastructure
- Stripe (stripe.com) — payment processing. Subject to Stripe's privacy policy and PCI DSS compliance
- Resend (resend.com) — transactional email delivery
- Railway (railway.app) — backend application hosting
- Vercel (vercel.com) — frontend application hosting
All sub-processors are contractually bound to process data only as instructed by us and to maintain appropriate security measures.
7.2 Legal Requirements
We may disclose information if required by valid legal process (such as a court order or subpoena), to protect the rights, property, or safety of TradePros AI, our users, or the public, or to comply with applicable law. Where legally permitted, we will notify you of such requests before disclosure.
7.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, your information may be transferred to the successor entity. We will provide at least 30 days' notice before any such transfer, and the successor will be bound by privacy commitments no less protective than those in this Policy.
8. Data Retention
- Briefing history: 30 days for free tier users; 90 days for paid subscribers — automatically purged on a rolling basis
- Google Business reviews: retained while your account is active and Google is connected; deleted upon Google disconnection or account deletion
- Security audit logs: 12 months from creation, then automatically deleted
- Account data: retained for the duration of your account and deleted within 48 hours of verified account deletion request
- Google OAuth tokens: revoked with Google and deleted from our systems immediately upon disconnection or account deletion — not within days, immediately
- Billing records: retained as required by law and Stripe's data retention requirements
9. Your Rights and Choices
Subject to applicable law, you have the following rights regarding your personal information:
- Right to Access: request a copy of all personal information we hold about you
- Right to Portability: receive your data in a structured, machine-readable format
- Right to Correction: request correction of inaccurate or incomplete information
- Right to Deletion: request permanent deletion of your account and all associated data — honored within 48 hours
- Right to Restrict Processing: request that we limit how we use your data in certain circumstances
- Right to Withdraw Consent: disconnect Google at any time via Settings — tokens are immediately revoked
- Right to Opt Out of Sale: we do not sell data — this right is automatically satisfied
- Right to Non-Discrimination: exercising your privacy rights will not affect your access to or pricing of the Service
To exercise any right, contact us at privacy@tradeprosai.com. We will respond within 30 days. We may verify your identity before processing requests. There is no fee to exercise your rights.
10. California Residents (CCPA/CPRA)
California residents have additional rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
- We do not sell or share personal information for cross-context behavioral advertising
- We do not use sensitive personal information beyond what is necessary to provide the Service
- You have the right to limit our use of sensitive personal information
- You may designate an authorized agent to submit requests on your behalf
- We will not retaliate against you for exercising your CCPA rights
Categories of personal information collected in the past 12 months: identifiers (name, email), commercial information (subscription data), internet or network activity (usage data), and inferences drawn from the above. We have not sold or shared any category of personal information.
11. Security
We implement a nine-layer security architecture designed to protect your information:
- Encryption at rest: AES-256 via Supabase for all stored data; AES-256-CBC with a separate key for OAuth tokens
- Encryption in transit: TLS 1.3 enforced for all connections; HSTS headers enforced
- Authentication: PKCE OAuth flow; bcrypt password hashing (minimum 12 rounds); session cookies set httpOnly, Secure, SameSite=Strict
- Database security: row-level security (RLS) enforced on every table — users can access only their own data
- API security: rate limiting (100 requests/15 min general; 10 requests/15 min on auth endpoints; 20 AI calls/day per user); Helmet.js security headers
- Input validation: express-validator on all endpoints; DOMPurify sanitization; parameterized queries exclusively
- Secrets management: all credentials stored in Railway environment variables — never in code or version control
- Monitoring: real-time audit logging; security alerts for anomalous activity
- Third-party security: all sub-processors evaluated for security practices and bound by data processing agreements
No security system is impenetrable. In the event of a data breach affecting your rights, we will notify you within 72 hours of becoming aware of the breach, consistent with applicable law.
12. Children's Privacy (COPPA)
The Service is intended exclusively for users 18 years of age or older. We do not knowingly collect, maintain, or use personal information from children under 13. If we become aware that we have inadvertently collected information from a child under 13, we will delete that information immediately. If you believe a child under 13 has created an account, please contact us immediately at privacy@tradeprosai.com.
13. International Users
The Service is operated from the United States. If you access the Service from outside the United States, your information may be transferred to, stored in, and processed in the United States, where data protection laws may differ from those in your jurisdiction. By using the Service, you consent to this transfer. We will take appropriate safeguards to protect your information in accordance with this Policy.
14. Cookies and Tracking
We use only essential cookies necessary to operate the Service: session management cookies (httpOnly, Secure, SameSite=Strict) and authentication state. We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individual users. You may disable cookies in your browser settings, but doing so will prevent you from logging in to the Service.
15. Changes to This Policy
We reserve the right to update this Privacy Policy at any time. For material changes — including changes to data practices, third-party sharing, or user rights — we will provide at least 30 days' prior notice via email to your registered address before the changes take effect. Non-material changes (such as clarifications or corrections) may be made without prior notice. The "Last Updated" date at the top of this Policy will always reflect the most recent revision. Continued use of the Service following the effective date of any update constitutes acceptance of the revised Policy.
16. Contact and Complaints
For privacy-related inquiries, data requests, or complaints:
TradePros AI LLC
Arizona, United States
Privacy: privacy@tradeprosai.com
General: hello@tradeprosai.com
We are committed to resolving privacy complaints. If you are not satisfied with our response, you may have the right to lodge a complaint with the applicable data protection authority in your jurisdiction.