The data controller is Tradvex Ltd, a company registered in the United Kingdom. You can reach our data protection contact at privacy@tradvex.co.uk.

We collect the following categories of personal data:

• Identity & contact: email address, username, optional display name.
• Authentication: hashed passwords, third-party authentication identifiers (e.g. Apple sign-in subject).
• Device & technical: IP address, device identifier, push-notification token, operating-system version, app version, locale.
• Broker linkage: broker name and account number you submit to claim partner-broker VIP access (the account number is stored encrypted at rest).
• Payment data (when payments are enabled in the future): processed by our payment provider; we do not store full card details on our servers.
• Service interactions: signal votes, follows, support tickets, page-view and login activity logs, in-app feedback.

• To provide the Service (legal basis: performance of a contract) — authenticate you, deliver signals, manage subscriptions and support.
• To secure the Service (legal basis: legitimate interest) — fraud and abuse prevention, login monitoring, ban enforcement.
• To improve the Service (legal basis: legitimate interest) — aggregated analytics, crash reporting, A/B tests.
• To communicate with you (legal basis: contract / legitimate interest) — transactional emails, push notifications for signals you follow.
• To comply with the law (legal basis: legal obligation) — tax, accounting, regulatory requests, account-deletion mandates.

We share personal data with the following categories of recipients, each acting as a processor or controller as indicated:

• Supabase (database, authentication, edge functions) — hosted in the EU region; processor.
• Sentry (crash and error reporting) — may process limited diagnostic data in the United States under Standard Contractual Clauses; processor.
• Expo Application Services (push-notification delivery) — processor.
• Axi and PuPrime (partner brokers) — when you choose to link an account, we share the minimum data needed to verify your application; independent controllers under their own privacy policies.
• Payment processor (when payments are enabled in the future) — independent controller for card data.
• Law enforcement / regulators — only where legally required.

We never sell your personal data.

You have the following rights regarding your personal data:

• Access — obtain a copy of the personal data we hold about you.
• Rectification — correct inaccurate or incomplete data.
• Erasure — request deletion of your account and associated data ("right to be forgotten").
• Portability — receive your data in a machine-readable format.
• Objection — object to processing based on legitimate interest, including marketing.
• Restriction — ask us to limit how we use your data while a request is investigated.
• Withdraw consent — for any processing based on consent, at any time.
• Complain — lodge a complaint with the UK Information Commissioner's Office (ICO) or your local supervisory authority.

To exercise any of these rights, email privacy@tradvex.co.uk. You can also delete your account directly from the in-app account settings.

• Account data: retained while your account is active, then deleted within 30 days of account closure (a brief grace period to allow recovery).
• Activity logs (page views, login attempts): 90 days.
• Support tickets and related correspondence: 2 years for quality and dispute purposes.
• Payment and accounting records: 7 years, as required by UK tax law.
• Backups: rolled off within 35 days.

Our marketing website uses only strictly necessary cookies (session, theme preference). We do not deploy advertising or cross-site tracking cookies. The mobile applications use platform-provided local storage equivalents for authentication and preferences.

Your data is primarily stored in the European Economic Area (Supabase, EU region). Some processors (e.g. Sentry for crash reports) may process data in the United States. For any transfer outside the UK/EEA we rely on Standard Contractual Clauses or an adequacy decision recognised by the UK or EU authorities.

The Service is for adults only. We do not knowingly collect personal data from anyone under 18. If we become aware that we have collected such data, we will delete it promptly. Parents or guardians who believe their child has provided us personal data can contact privacy@tradvex.co.uk.

We apply industry-standard technical and organisational measures to protect your data: encryption in transit (TLS) and at rest, role-based access controls, row-level security in the database, secret rotation, regular dependency updates, and monitoring. No system is perfectly secure; please use a strong, unique password and contact us immediately if you suspect a compromise.

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. We will notify you of material changes via the Service or by email at least 14 days before they take effect.

For privacy questions, requests or complaints, contact our data protection contact at privacy@tradvex.co.uk.