Privacy Policy
AI Trading Bot LLC ("we," "us," "our," or the "Company"), a Virginia limited liability company, is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, retain, and safeguard your information when you access or use our AI Trading Bot platform, including our website at autotraderbot.ai, desktop client application, web dashboard, and all related services (collectively, the "Services").
This Privacy Policy applies to all users of the Services, including registered account holders, trial users, subscribers, and website visitors. By accessing or using our Services, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy and our Terms of Service. If you do not agree with our data practices as described herein, you must discontinue use of the Services immediately.
We are committed to transparency about our data practices and providing you meaningful control over your personal information. We do not sell your personal data to third parties under any circumstances.
Information We Collect
We collect information through several methods, including information you provide directly, information generated automatically by our systems, and information collected through your use of the Services. The categories below describe each type in detail.
Registration Information (Required)
When you create an account, we collect the following information, which is necessary to provide the Services:
- Email address: Used as your primary identifier for authentication, account recovery, and service communications
- Password: Hashed using bcrypt with a cost factor of 12 and a per-password random salt before storage; your plaintext password is never stored or accessible to our personnel
Upon registration, the following identifiers are automatically generated and assigned to your account:
- Username: Derived from your email prefix for display purposes
- Member number: A unique identifier in MEM-XXXXXX format assigned to your account
Profile Information (Optional)
You may voluntarily provide additional personal information to enhance your profile. All of the following fields are optional and can be updated or removed at any time through your dashboard settings. We follow the principle of data minimization: we collect only what is necessary for the stated purpose, and you should provide only what you are comfortable sharing.
- Identity: First name, last name (used for personalized display and support correspondence)
- Contact: Phone number (used for optional out-of-band account-recovery and security alerts only; never used for marketing)
- Demographics: Birth year (used for age verification and minimum-age compliance; full date of birth is not required)
- Address: Address line 1, address line 2, city, state/province, postal code, country (used for billing reconciliation, OFAC sanctions screening, and tax-jurisdiction determination; omit fields you do not wish to provide — country alone is sufficient for the sanctions screen)
- Professional: Occupation, company name, years of work experience
- Trading profile: Trading experience level (Beginner, Intermediate, Advanced, or Expert), risk tolerance (Conservative, Moderate, or Aggressive), investment goals (free text), bio (free text)
- Preferences: Timezone
Compliance and Legal Data
To meet our regulatory obligations and maintain records of consent, we automatically capture the following at the time of registration and initial platform interaction:
- Terms acceptance timestamp: The date and time you accepted our Terms of Service
- Risk acknowledgment timestamp: The date and time you acknowledged trading risk disclosures
- Terms version accepted: The specific version of the Terms of Service you agreed to (e.g., "1.0")
- IP address at registration: The IP address from which you created your account
- Geographic origin of registration: The country, region/state, and approximate city derived from your registration IP address (via the offline DB-IP Lite city-level database — no third-party HTTP call is made at lookup time), and the registration channel (web browser, iOS mobile app, Android mobile app, or desktop client). This data is used for fraud detection, regulatory compliance (including OFAC sanctions screening), anonymized growth analytics, and the admin Registration Globe view. We do not derive a precise location; city-level resolution is approximate (typical accuracy ~75 %). You can object to this processing at any time — see "Your Rights" below. This site uses IP geolocation data by DB-IP (https://db-ip.com) under the CC-BY 4.0 license.
- Risk modal acknowledgment: The timestamp of your acknowledgment of the risk disclosure presented upon your first dashboard visit
MetaTrader 5 (MT5) Account Data
If you connect one or more MetaTrader 5 brokerage accounts to the Services, we collect and store:
- MT5 login number: Your MT5 account number for trade execution
- MT5 password: Encrypted using AES-256 encryption before storage; used exclusively to authenticate trading sessions on your behalf
- MT5 server name: The broker server your account connects to
- MT5 path: (Optional) The file path to your MT5 terminal installation
- Broker name: The name of your brokerage firm
- Account type: Whether your account is DEMO or LIVE
- Account name: A user-defined friendly label for the account
Your MT5 passwords are encrypted with AES-256 encryption before being stored in our database. They are used solely to authenticate trade execution sessions on your behalf. We do not have the ability to withdraw funds from your trading accounts, and we never share MT5 credentials with any third party.
Payment Information
Subscription payments are processed exclusively through Stripe. We do not collect, store, or have access to your full credit card number, debit card number, or bank account details. Payment card information is entered directly into Stripe's PCI-DSS-compliant payment forms. We receive from Stripe only:
- Transaction confirmation and status
- Subscription plan selection and billing cycle
- Payment history (amounts, dates, and invoice identifiers)
Automatically Collected Information
When you access and use our Services, we automatically collect certain technical and usage information:
| Category | Data Collected | Purpose |
|---|---|---|
| Device & Browser | IP address, User-Agent string, browser type | Security monitoring, rate limiting, authentication event logging |
| Geographic Origin (registration) | Country code, region/state, approximate city, latitude/longitude (city-centroid, not precise device location), client channel (web/iOS/Android/desktop) — derived once from your registration IP using the offline DB-IP Lite city-level database (CC-BY 4.0) | OFAC sanctions compliance, fraud detection, anonymized growth analytics, admin Registration Globe visualization. Not used for advertising or shared with third parties. |
| Trading Activity | Trade history (symbol, ticket, type, volume, entry/exit prices, profit/loss, pips, commission, swap, entry/exit times, close reason), account balances (balance, equity, margin, free margin, profit, leverage, currency), open positions with real-time P&L | Performance tracking, dashboard display, daily summary reports |
| Trading Signals | Generated signals with execution status, outcome (WIN/LOSS/BREAKEVEN) | Strategy performance analysis, signal history |
| Bot Operations | Bot configurations per symbol, start/stop events, strategy parameters, dynamic position management actions (breakeven moves, trailing stop adjustments) | Bot execution, configuration management, operational logging |
| Desktop Client | Client version number, heartbeat data every 30 seconds (account balance, equity, bot status) | Connection monitoring, real-time dashboard updates, version management |
| Account Snapshots | Periodic snapshots of account balance, equity, and performance metrics | Historical performance tracking and reporting |
Marketing Attribution Data
At the time of registration, we capture the following marketing attribution information to understand how users discover our Services:
- UTM parameters: Source, medium, campaign, content, and term
- Landing page URL: The first page you visited on our platform
- Referrer URL: The website or link that directed you to our Services
- Promo code: Any promotional code used during registration
- Referral code (if applicable): The referral code under which you registered, used to attribute the registration to the referring user under our referral program. Referral codes are linked to the referring user's account but contain no personal information about you.
UTM and referrer data are captured once at registration and are not updated thereafter. Separately, when third-party advertising pixels (Meta, Google, TikTok) are enabled by the platform administrator, those pixels may engage in continuous behavioral tracking for as long as they are active on the page — see Section 6 for the full disclosure and Section 9 for your opt-out rights.
Desktop Client Local Storage
The AI Trading Bot desktop application stores certain credentials locally on your computer using the Windows Credential Manager (keyring). This includes your authentication token and risk disclosure acceptance status. This data is stored locally on your device and is not transmitted to our servers beyond the initial authentication.
Mobile Application Data
We offer a mobile application currently available for iOS on the Apple App Store (Bundle ID ai.autotraderbot.mobile). An Android companion application (applicationId com.aitradingbotmobile) is in development for future release on the Google Play Store. The mobile app is a read-mostly companion app that mirrors your web dashboard — it does not run the trading bot directly. The bot runs on your desktop client as described above.
When you use the mobile app, we and the operating-system providers (Apple, Google) collect or process the following information:
| Data | Collected by | Purpose |
|---|---|---|
| Authentication token | AI Trading Bot LLC (stored on-device only) | Stored in the iOS Keychain or Android Keystore (hardware-backed where available). Allows you to remain logged in across sessions. Never transmitted to our servers in plaintext. |
| Biometric template (Face ID, Touch ID, Android fingerprint/face) | Not collected by us. The biometric template stays on your device, protected by the device's secure enclave. We only receive a yes/no signal from the OS that your biometric matched. | Optional biometric unlock for the app, via the react-native-keychain library backed by iOS Keychain / Android Keystore. You can disable biometric unlock from Settings at any time. |
| Firebase Cloud Messaging (FCM) token | Google (Firebase) and AI Trading Bot LLC | Push-notification delivery for trade alerts, bot status, and announcements. The token is generated on your device by Firebase, sent to our servers, and used to push notifications via Google's FCM service (which on iOS forwards via Apple Push Notification service / APNs). The token is tied to the app install on your device, not to a personal identifier. You can disable push notifications at the OS level or in app settings. |
| Crash and error reports | Google (Firebase Crashlytics) and AI Trading Bot LLC | Diagnostic information about app crashes including device model, OS version, stack trace, breadcrumbs of recent actions, and an anonymous installation UUID. We use this to identify and fix bugs. Crashlytics is configured not to collect personal data beyond what is necessary for diagnostics. |
| Device model, OS version, app version, language, timezone | AI Trading Bot LLC | Compatibility, support, analytics on app-version distribution. Standard mobile telemetry. |
| Photo Library access (iOS) / Photos & Media (Android) | Not collected by us in routine use. You explicitly select images each time. | Used only when you attach screenshots to a bug report (up to 5 images per report). On iOS we use the system PHPicker, which provides selected-images-only access without full library access. The screenshots are uploaded to our bug-report endpoint and retained according to our bug-report retention schedule (see Section 7). |
| Location (iOS) | Not currently collected. The NSLocationWhenInUseUsageDescription key is declared in the iOS Info.plist for future use but the app does not currently request location access. If we add a location-dependent feature in the future, we will update this Policy and request your permission at the time of use. | Reserved for future use only. |
| Trading data (positions, balance, history) | AI Trading Bot LLC | Same trading data described elsewhere in this Policy, displayed on mobile via the same APIs and WebSocket connections used by the web dashboard. |
Apple App Tracking Transparency (ATT) and Apple Privacy Manifest
Our iOS app declares NSPrivacyTracking = false in its Apple-required Privacy Manifest (PrivacyInfo.xcprivacy). We do not track you across apps or websites owned by other companies for advertising or measurement purposes, and we do not require an App Tracking Transparency (ATT) prompt. We do not link any data collected on iOS to data collected by other apps or third-party websites for the purpose of targeted advertising or measurement. The Required Reason API declarations in our Privacy Manifest are limited to: UserDefaults (categories CA92.1, 1C8F.1, C56D.1 — app-functionality and preference storage), FileTimestamp (C617.1, 3B52.1 — cache file management), and SystemBootTime (35F9.1 — measuring application time intervals).
Google Play Data Safety Disclosure
When our Android app is released, our Data Safety section in Google Play Console will mirror the disclosures above. As of the date of this Privacy Policy, the Android app is in pre-release development and has not yet been published. The Android manifest currently requests only the INTERNET permission. Additional permissions (notifications, biometric authentication, photo access for bug reports) will be requested at runtime when the Android app launches, and disclosed here at that time.
Push Notifications — Your Choices
You can disable push notifications at any time through (i) your device's notification settings (iOS Settings → Notifications → AI Trading Bot; Android Settings → Apps → AI Trading Bot → Notifications) or (ii) the in-app notification settings. Disabling push notifications does not affect your ability to use the rest of the app, but you will not receive real-time trade alerts or bot-status notifications.
The mobile app is designed as a monitoring and lightweight-control companion. The trading bot itself runs on the Windows desktop client connected to your MT5 terminal. You can view positions, history, signals, and bot status from mobile; you can start and stop bots; but the trade execution itself occurs through the desktop client and your broker, not through the mobile app.
How We Use Your Information
We use the information we collect for the following specific purposes:
| Purpose | Description |
|---|---|
| Account Management | Create, maintain, and authenticate your account; manage login sessions and access controls; verify your identity through two-factor authentication |
| Trade Execution | Connect to your MT5 brokerage accounts; execute trades based on bot configurations; manage open positions; apply dynamic position management (breakeven, trailing stops) |
| Bot Operations | Configure and operate trading bots; synchronize settings between the desktop client and web dashboard; monitor bot health via heartbeat signals |
| Subscription & Billing | Process payments through Stripe; manage subscription plans, upgrades, downgrades, and cancellations; administer free trial periods; enforce entitlement limits |
| Communications | Send transactional emails including registration confirmations, email verification codes, password reset links, two-factor authentication codes, subscription confirmations, daily trading performance summaries, trial expiry reminders, and security alerts |
| Security & Fraud Prevention | Enforce rate limiting per IP and per endpoint; detect and prevent unauthorized access; implement account lockout after repeated failed authentication attempts; log security events for audit purposes |
| Platform Improvement | Analyze aggregated usage patterns to identify and fix bugs; improve platform performance, reliability, and user experience; develop new features based on usage data |
| Marketing Attribution | Analyze registration-time UTM tracking data to understand user acquisition channels and measure marketing effectiveness |
| Community Features | Deliver announcements and updates to community channels; facilitate community engagement through Telegram |
| Legal Compliance | Meet regulatory requirements; maintain records of consent; respond to legal requests; resolve disputes; enforce our Terms of Service |
Legal Basis for Processing
We process your personal information under the following legal bases, as applicable under the General Data Protection Regulation (GDPR) and similar data protection laws:
| Legal Basis | Applicable Processing Activities |
|---|---|
| Contractual Necessity | Account creation and management, trade execution, bot operations, subscription and billing, desktop client synchronization. These activities are necessary to perform our contract with you under the Terms of Service. |
| Consent | Optional profile information, email notification preferences, marketing attribution data collection. You may withdraw consent at any time through your dashboard settings or by contacting us. |
| Legitimate Interest | Security monitoring and fraud prevention, platform improvement and bug fixes, aggregated usage analytics. We balance our legitimate interests against your rights and freedoms. |
| Legal Obligation | Compliance data (consent records, terms acceptance), payment record retention for tax and audit requirements, responding to lawful government and regulatory requests. |
Information Sharing and Disclosure
We do not sell, rent, or trade your personal information to third parties for their marketing purposes. We share your information only in the limited circumstances described below, and only to the extent necessary to fulfill the stated purpose.
Third-Party Service Providers
We share information with the following categories of trusted service providers who process data on our behalf under strict contractual obligations:
| Service Provider | Data Shared | Purpose |
|---|---|---|
| Stripe | Email address, name, billing address (collected by Stripe), last four digits of payment card and card brand (for display only), IP address and device fingerprint (collected by Stripe's Radar fraud-prevention system), subscription plan selection. Full card numbers, CVCs, and bank account details are entered directly into Stripe's PCI-DSS-compliant payment forms and never touch our servers. | Payment processing, fraud prevention (PCI-DSS Level 1 compliant) |
| SendGrid (Twilio Inc.) | Recipient email address, email content, sender metadata | Transactional email delivery (DKIM/DMARC authenticated). Subject to Twilio's Privacy Policy. |
| Telegram | We do not transmit your AI Trading Bot account data to Telegram. However, when you message our Telegram bot, Telegram itself receives your Telegram username/ID, message content, and IP address under Telegram's Privacy Policy — independent of us. | Support, FAQ, and community announcement delivery |
| Google reCAPTCHA | Form response token, IP address | Bot prevention on login and registration forms (when enabled) |
| MetaTrader 5 | MT5 login credentials (AES-256 encrypted), trade commands | Trading execution on your connected brokerage accounts |
| ForexFactory | None (we only retrieve publicly available economic calendar data) | Economic event calendar for news-based trade filtering |
| Amazon Web Services (AWS) | All application data resides within encrypted AWS infrastructure | Cloud hosting (ECS, RDS, ElastiCache, S3, CloudFront) |
| AWS CloudFront | HTTP traffic metadata (IP addresses, request headers, request paths) | Content delivery network, edge caching for static assets. DDoS mitigation provided by AWS Shield Standard. Covered by the AWS Privacy Notice (linked below). |
Legal Requirements
We may disclose your personal information if we believe in good faith that such disclosure is necessary to:
- Comply with applicable law, regulation, legal process, or enforceable governmental request
- Enforce our Terms of Service, including investigation of potential violations
- Detect, prevent, or otherwise address fraud, security, or technical issues
- Protect against harm to the rights, property, or safety of AI Trading Bot LLC, our users, or the public, as required or permitted by law
Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred to the acquiring entity. We will notify you via email and/or a prominent notice on our platform of any change in ownership or uses of your personal information, as well as any choices you may have regarding your information.
Aggregated and De-identified Data
We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. This data may be used for industry analysis, benchmarking, or platform improvement purposes.
We do not sell, rent, or trade your personal information to any third party for marketing, advertising, or any other commercial purpose. Your MT5 credentials are never shared with anyone and are used exclusively to execute trades on your behalf. We do not have the ability to withdraw funds from your trading accounts.
Data Security
We implement comprehensive, industry-standard technical and organizational security measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
Encryption
- Passwords: Hashed using bcrypt with a cost factor of 12 and a per-password random salt; plaintext passwords are never stored or logged
- MT5 passwords: Encrypted with AES-256-GCM before database storage. The encryption key is held in AWS Secrets Manager and is rotated periodically. The key is not stored in the database, on application servers' local disks, or in source control; it is loaded into application memory only at process start and only by services that have an explicit IAM permission to read it.
- Two-factor authentication secrets: Encrypted with AES-256-GCM using the same key-management approach as MT5 passwords; held only long enough to verify a TOTP code.
- Data in transit: All communications between your browser/desktop client/mobile app and our servers are encrypted using TLS 1.2 or higher. HTTP-to-HTTPS redirect is enforced.
- Data at rest: Database storage is encrypted using AWS RDS encryption at rest (AES-256). Backups, snapshots, and replicas are also encrypted.
- Cache encryption: Redis data in production is encrypted in transit (TLS) and at rest using AWS ElastiCache encryption.
- Object storage: Files uploaded to S3 (static assets, build artifacts) are encrypted with SSE-S3 (AES-256). User-uploaded content, if any, is encrypted with the same standard.
Access Controls and Authentication
- Session management: HttpOnly, Secure (in production), and SameSite=Lax cookie attributes to prevent session hijacking and cross-site request forgery
- Session regeneration: Session identifiers are regenerated upon login to prevent session fixation attacks
- Two-factor authentication (2FA): TOTP-based 2FA available for all accounts with backup recovery codes
- Account lockout: Automatic lockout after 10 failed login attempts within a 15-minute window
- Rate limiting: Redis-backed rate limiting applied per IP address and per endpoint to prevent abuse
- Bot prevention: Optional Google reCAPTCHA v2 on login and registration forms
Security Headers
- Content Security Policy (CSP): Restricts sources of executable scripts and resources
- HTTP Strict Transport Security (HSTS): Enforces HTTPS connections in production
- X-Frame-Options: Prevents clickjacking attacks
- X-Content-Type-Options: Prevents MIME type sniffing
- Referrer-Policy: Controls referrer information sent with requests
- Permissions-Policy: Restricts browser feature access
Infrastructure Security
- Private networking: Databases and application servers reside in private VPC subnets with no direct public internet access
- Connection pooling: RDS Proxy manages database connections with TLS enforcement
- Automated backups: 30-day automated database backup retention with point-in-time recovery
- DDoS protection: AWS Shield Standard provides infrastructure-layer DDoS mitigation at the edge (AWS CloudFront) and load-balancer (AWS Application Load Balancer) tiers
- Monitoring: Continuous security monitoring with automated alerting for anomalous activity
While we implement commercially reasonable and industry-standard security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your information. You are responsible for maintaining the confidentiality of your account credentials and for enabling two-factor authentication to further protect your account.
Cookies and Tracking Technologies
We use a minimal set of cookies that are necessary for the operation and security of the Services. We do not use cookies for behavioral advertising or cross-site tracking.
Cookies We Set
| Cookie | Type | Duration | Purpose |
|---|---|---|---|
| Session cookie | Strictly Necessary | Browser session | Maintains your authenticated login session. Set with HttpOnly, Secure (production), and SameSite=Lax attributes. Cannot be disabled. |
| Remember-me cookie | Functional | 24 hours | Keeps you logged in across browser sessions when you select the "Remember Me" option at login. Optional. |
Third-Party Cookies
| Cookie | Type | Provider | Purpose |
|---|---|---|---|
| reCAPTCHA cookie | Strictly Necessary | Google | Set by Google reCAPTCHA when enabled on login and registration forms to distinguish human users from automated bots. Subject to Google's Privacy Policy. |
Ad Platform Pixels (Admin-Configurable)
Our platform supports optional, administrator-configurable advertising pixels from the providers listed below. When enabled, these scripts execute in your browser and transmit information directly from your browser to the provider (independent of our servers).
- Meta (Facebook/Instagram) Pixel: Conversion tracking, subject to Meta's Privacy Policy
- Google Analytics / Google Ads Tag: Traffic analysis and conversion tracking, subject to Google's Privacy Policy
- TikTok Pixel: Conversion tracking, subject to TikTok's Privacy Policy
When any of the advertising pixels above are enabled by the platform administrator, the data those pixels transmit (which may include your IP address, browser fingerprint, page URL, and event metadata) is considered a "sale" and/or "share" of personal information under the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), and other comparable U.S. state laws — even though we do not receive money in exchange.
You have the right to opt out of this sale/sharing. To do so, follow the instructions in Section 9c — Do Not Sell or Share My Personal Information, or send a Global Privacy Control (GPC) signal from your browser, which we will honor for the active session.
Cookie consent for European Economic Area (EEA) and UK users: Where applicable law requires prior opt-in consent for non-essential cookies (ePrivacy Directive, UK PECR), advertising pixels will not load until you affirmatively consent through our cookie consent banner. Until our cookie consent banner is deployed on all entry points, the platform administrator's default for EEA/UK traffic is to keep advertising pixels disabled.
Third-party advertising pixels are inactive by default. They are activated only when the platform administrator explicitly enables them through the admin tracking-pixel configuration. We do not store advertising-pixel data on our servers; data flows directly from your browser to the provider.
Managing Cookies
Most web browsers allow you to control cookies through their settings. You can configure your browser to refuse cookies, delete existing cookies, or alert you when a cookie is being set. Please note that disabling the session cookie will prevent you from logging in to the Services. For instructions on managing cookies in your browser, consult your browser's help documentation.
AI and Automated Processing
Our Services include features powered by artificial intelligence and algorithmic processing. This section describes what those features do, what data they use, and what choices you have about them. We disclose this in alignment with the U.S. Federal Trade Commission's guidance on AI claims and the European Union Artificial Intelligence Act framework for AI systems offered to consumers.
AI Features We Operate
- AI Assistant (account insights chatbot): A conversational interface that lets you ask questions about your own trading account — trades, signals, balances, win rate, bot status. It generates natural-language responses to questions you type. The underlying large-language model is operated within our infrastructure and does not transmit your prompts or your account data to any third-party LLM provider for the purposes of generating responses. The Assistant has read-only access to your trading data and cannot initiate trades, change settings, or take actions on your behalf.
- Trading signal generation: Our trading strategies (RSI+SMA, MACD+Bollinger Band, Institutional Edge, and similar) generate trade signals using deterministic algorithmic rules based on market data and technical indicators — not machine-learning models. Although marketed as "AI-driven," these strategies do not learn or adapt from your individual trading history; they are configurable rule sets.
- Risk and news filters: The ADX trend filter, News Event Filter, and London Killzone filter described in our Terms of Service are deterministic rule-based filters that consume market data and event schedules. They are not machine-learning systems.
What Data the AI Features Process
- The AI Assistant processes the chat messages you send it, your trading data needed to answer the question (e.g., last 90 days of trades, current open positions, signal history), and your account context (subscription tier, bot configurations).
- Signal generation processes price data from your connected MT5 broker (open, high, low, close, volume per candle) and the parameters you have configured for each bot.
- We do not use your prompts, account data, or trading data to train, fine-tune, or improve any AI model — ours or any third party's. Your data is used only to answer your question and is then discarded from the model's working context.
Limitations and Human Oversight
- AI Assistant responses are draft information, not financial advice. The Assistant can be wrong, can misread your data, and can confidently state things that are inaccurate ("hallucinate"). Verify any important answer against your dashboard, trade history, or your broker's records before relying on it.
- Trade signals are not predictions of future market movement. They are algorithmic outputs based on past prices. Past performance of any strategy does not guarantee future results. See Risk Disclosure.
- No automated decisions with legal or similarly significant effects. We do not use AI to deny services, set prices, restrict accounts, or make any automated decision that produces a legal effect on you. Trading actions taken by our bots are based on parameters you configure, not autonomous AI decisions. Account suspension, KYC review, and pricing decisions are made by human review.
Your Choices Regarding AI Features
- You can choose not to use the AI Assistant. The platform is fully usable without it. Trading bots, signals, dashboard, and reports work regardless of whether you ever open the Assistant.
- Conversation history with the AI Assistant is retained on our servers for 90 days for support and quality purposes, then deleted. You can request earlier deletion of your chat history at any time by emailing support@autotraderbot.ai.
- Profiling opt-out: Where state law (e.g., VCDPA, CPRA, Colorado CPA) gives you a right to opt out of profiling that produces legal or similarly significant effects, that right applies, but our AI features are not designed to produce such effects in the first place.
When our marketing describes the platform as "AI-driven" or "AI-powered," we are referring to (a) the AI Assistant chatbot and (b) the rule-based algorithmic strategies that drive bot signals. We are not claiming the bots autonomously learn, adapt to your trading style, or improve over time without human configuration. This disclosure exists to align marketing language with the actual technical implementation.
Data Retention
We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. The following table sets forth our specific retention periods:
| Data Type | Retention Period | Auto-Cleanup |
|---|---|---|
| User account data | Until account deletion request + 30-day grace period | Manual (upon verified request) |
| Trade records | 7 years from the date of the trade, then automatically purged. Retained earlier on deletion request only to the extent required by tax, audit, or anti-fraud obligations. | Yes (annual purge of trades older than 7 years) |
| Trading signals (signal records and outcomes) | 3 years from signal generation, then automatically purged | Yes (annual purge) |
| Payment history | 7 years from the date of the transaction (IRS / state-tax / audit retention floor), then purged | Yes (annual purge of transactions older than 7 years) |
| Account snapshots | 2 years from snapshot date, then automatically purged | Yes (monthly purge) |
| System logs | 7 years (security and audit retention) | Yes (automated daily cleanup at 3:00 AM EST) |
| Client bot logs | 180 days | Yes (automated daily cleanup at 3:00 AM EST) |
| Bot operation logs | 180 days | Yes (automated daily cleanup at 3:00 AM EST) |
| Signal evaluation logs | 3 years from signal generation | Yes (annual purge) |
| Session cookies | Browser session (or 24 hours with Remember Me) | Automatic (browser-managed) |
| Password reset tokens | 1 hour | Automatic (token-based expiry) |
| Email verification tokens | Until verified | Automatic (upon successful verification) |
| Two-factor authentication codes | 5 minutes | Automatic (TOTP-based expiry) |
| UTM tracking data | 2 years from registration, then automatically purged | Yes (annual purge) |
When your account is deleted, we perform a cascade deletion of all associated data, including trade records, bot configurations, logs, MT5 account data, subscription records, and profile information. Payment history may be retained beyond account deletion as required for tax and regulatory compliance.
Our systems automatically purge expired system logs, client bot logs, and bot operation logs on a daily schedule to minimize data retention beyond what is necessary for platform operations and security monitoring.
Your Rights
Depending on your jurisdiction, you have the following rights with respect to your personal information. We are committed to facilitating the exercise of these rights in a timely manner.
- Right of Access: You have the right to request a copy of the personal information we hold about you. Submit your request via email to support@autotraderbot.ai with the subject line "Data Access Request."
- Right to Rectification: You have the right to request correction of inaccurate or incomplete personal information. You can update most profile data directly through your dashboard settings at any time. For data that cannot be modified through the dashboard, contact us.
- Right to Erasure (Right to be Forgotten): You have the right to request deletion of your personal information, subject to legal retention requirements. Upon a verified deletion request, we perform a cascade deletion of all associated data, including trades, configurations, logs, MT5 accounts, and subscription records.
- Right to Restriction of Processing: You have the right to request that we limit the processing of your personal information in certain circumstances. Contact us to discuss specific restrictions.
- Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) so you can transmit it to another service. Submit a portability request to support@autotraderbot.ai with the subject line "Data Portability Request." We will respond within 30 days (45 days for jurisdictions allowing the longer window).
- Right to Object: You have the right to object to the processing of your personal information based on our legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to Withdraw Consent: Where processing is based on your consent, you may withdraw consent at any time without affecting the lawfulness of processing that occurred prior to withdrawal.
- Right to Opt Out of Communications: You can disable all non-essential email notifications through your dashboard notification settings. Transactional emails related to account security (password resets, 2FA codes) cannot be disabled while your account is active.
To exercise any of these rights, contact us at support@autotraderbot.ai with "Privacy" in the subject line. We will verify your identity and respond to your request within 30 days. If additional time is required, we will notify you of the extension and the reasons for the delay.
You can update your profile information, change notification preferences, and manage MT5 account connections directly through your dashboard settings without contacting support.
U.S. State Privacy Rights
If you are a resident of a U.S. state that has enacted a comprehensive consumer privacy law, you have additional rights regarding your personal information. The states covered below are those whose laws apply to our processing as of the effective date of this Privacy Policy. The specific rights, response timelines, and exemptions vary by state; the most generous applicable framework will govern your request.
Virginia (VCDPA) — Our Home State
AI Trading Bot LLC is a Virginia limited liability company. If you are a Virginia resident, the Virginia Consumer Data Protection Act ("VCDPA") provides you the following rights:
- Right to Know / Access: Confirm whether we process your personal data and obtain a copy in a portable, machine-readable format.
- Right to Correct: Correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of processing.
- Right to Delete: Request deletion of personal data we have collected from you or about you (subject to legal-retention exemptions, including tax, payment, and security audit records).
- Right to Data Portability: Receive a copy of your personal data in a structured, commonly used, and machine-readable format.
- Right to Opt Out of Targeted Advertising, Sale, or Profiling: Opt out of the processing of your personal data for (a) targeted advertising, (b) sale of personal data, or (c) profiling in furtherance of decisions that produce legal or similarly significant effects. We do not use your personal data for profiling that produces legal effects (e.g., we do not deny services, set prices, or limit access based on automated profiling). Targeted-advertising and sale processing occur only if the platform administrator has enabled third-party advertising pixels — see Section 6.
- Right to Appeal: If we deny your request, you may appeal within a reasonable time. We will respond to your appeal in writing within 60 days. If your appeal is denied, you may contact the Virginia Attorney General at oag.state.va.us.
California (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act, provides the rights described below.
- Right to Know: Disclosure of the categories and specific pieces of personal information collected, the categories of sources, the business/commercial purposes for collection, and the categories of third parties with whom we share the information.
- Right to Delete: Deletion of personal information we have collected from you, subject to statutory exceptions.
- Right to Correct: Correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: If you are a California resident, you may direct us not to "sell" or "share" your personal information (as those terms are defined under the CPRA). See Section 6 and the "Do Not Sell or Share My Personal Information" instructions in Section 9c below for activation status of advertising pixels.
- Right to Limit Use of Sensitive Personal Information: The CPRA grants California residents the right to limit our use and disclosure of "sensitive personal information" ("SPI") to those purposes necessary to provide the Services. SPI we process includes: your account login in combination with your password, approximate (city-level) geolocation, financial-account information (MT5 login number), and contents of financial transactions (trade history). We do not currently use SPI for purposes that would trigger the limit-use right beyond providing the Services and security, but you may submit a request as described below.
- Right to Non-Discrimination: We will not deny services, charge different prices, or provide a different level or quality of service because you exercised any of these rights.
- Authorized Agents: California residents may use an authorized agent to submit requests. We will require written authorization signed by you, plus verification of your identity.
Other U.S. States with Comprehensive Privacy Laws
If you are a resident of Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Iowa (ICDPA), Montana (MCDPA), Oregon (OCPA), New Hampshire (NHCDPA), New Jersey (NJDPA), Delaware (DPDPA), Minnesota (MCDPA), Maryland (MODPA), Rhode Island (RIDTPPA), Indiana (ICDPA), or Tennessee (TIPA), you have substantially similar rights to those described under the VCDPA above: access, correction, deletion, portability, and opt-out of targeted advertising, sale, and significant-effect profiling. Specific response windows and exemptions vary by statute. We will respond to your request within the timeframe required by your state's law (typically 45-60 days). To exercise these rights, submit a request as described in Section 9c below and indicate your state of residence.
Universal Opt-Out / Global Privacy Control (GPC)
For pages on which third-party advertising pixels may be active (see Section 6), we honor browser-level "Do Not Sell or Share" signals where required by applicable state law, including the Global Privacy Control (GPC) signal under California, Colorado, and Connecticut law. If your browser sends a GPC signal, we will treat it as a valid opt-out of sale and sharing for the active session and, where the law requires, for your account going forward (where we can reasonably link the signal to your account).
How to Submit a State Privacy Rights Request
To exercise any of the rights above, email support@autotraderbot.ai with the subject line "Privacy Rights Request — [your state]." Include:
- Your full name and account email address (used to verify identity)
- Your state of residence
- The specific right you are exercising (e.g., "Right to Delete," "Right to Opt Out of Sale and Sharing")
- Any specifics that would help us locate the information at issue
We will acknowledge your request within 10 business days and substantively respond within 45 days. If we need an additional 45 days, we will notify you of the extension and the reasons for it. We may request reasonable identity verification before fulfilling a request, particularly for deletion or disclosure of sensitive information.
Do Not Sell or Share My Personal Information
To opt out of the sale or sharing of your personal information (which would occur only if the platform administrator has enabled third-party advertising pixels — see Section 6), email support@autotraderbot.ai with the subject line "Do Not Sell or Share." We will process opt-out requests within 15 business days and, where applicable, propagate the opt-out to downstream pixel providers via their published mechanisms. Your opt-out applies to all pixels currently enabled and any added after your opt-out request.
U.S. state privacy laws change frequently. If your state enacts a comprehensive privacy law after the effective date of this policy, your rights under that law will apply automatically as of the law's effective date, even if not yet enumerated above.
Third-Party Services
Our Services integrate with and rely upon the following third-party services. Each of these services operates under its own privacy policy, and we encourage you to review them:
| Service | Integration | Privacy Policy |
|---|---|---|
| MetaTrader 5 | Trading platform integration for executing trades on your brokerage accounts | Subject to your broker's privacy policy |
| Stripe | Payment processing for subscriptions | Stripe Privacy Policy |
| Telegram | Support and FAQ bot (stateless, no user data stored) | Telegram Privacy Policy |
| Google reCAPTCHA | Bot prevention on authentication forms | Google Privacy Policy |
| Amazon Web Services | Cloud hosting infrastructure (ECS Fargate, RDS PostgreSQL, ElastiCache Redis, S3, CloudFront, Application Load Balancer, Secrets Manager, CloudWatch) | AWS Privacy Notice |
| SendGrid (Twilio Inc.) | Transactional email delivery | Twilio Privacy Notice |
We are not responsible for the privacy practices, data collection, or data processing activities of third-party services. When you interact with third-party services through our platform, the applicable third-party privacy policy governs the handling of your information by that service.
Children's Privacy
Our Services involve financial trading activities and are not intended for, directed at, or designed for use by individuals under the age of 18 years, or below the minimum legal trading age in their jurisdiction (whichever is higher). Use of our Services by anyone under 18 is strictly prohibited.
Age Verification at Registration
By creating an account, you affirmatively represent that you are at least 18 years old (or the higher minimum age applicable in your jurisdiction). Where birth year is provided, we apply a programmatic age check at registration; accounts that fail the age check are rejected. We do not employ "actual knowledge" defenses against COPPA by deliberately avoiding verification — the registration flow is designed to surface age proactively.
COPPA Compliance (Children Under 13 — United States)
The U.S. Children's Online Privacy Protection Act (COPPA) and its implementing rule (16 CFR Part 312) apply to operators of websites and online services directed to children under 13 or that have actual knowledge they are collecting information from children under 13. We do not direct our Services to children under 13. We do not knowingly collect, store, process, or disclose personal information from any individual under 13. If we discover that we have collected personal information from a child under 13 without verified parental consent (which we do not seek because the Services are not for children), we will delete that information and terminate the associated account promptly.
Reporting Concerns About a Minor's Account
If you are a parent, guardian, or other person with knowledge that an individual under 18 has provided personal information to us, please contact us immediately at support@autotraderbot.ai with the subject line "Minor Account Report." Include the email address of the account and any details that would help us identify it. We will investigate, terminate the account, and delete the associated personal information consistent with our legal-retention obligations.
Teen-Specific State Laws (16-17 Year Olds)
Several U.S. state privacy laws (e.g., the California Age-Appropriate Design Code, Connecticut CTDPA's teen provisions, Maryland Age-Appropriate Design Code Act) impose specific obligations on services likely to be accessed by minors aged 13-17, including data-minimization defaults and prohibitions on profiling. Because our Services are designed for adults and we apply an 18+ age gate at registration, we do not expect these provisions to apply. If you believe they should apply to a specific use of our Services, please raise it with us at the contact information above.
Cartographic Representation
Certain pages on our Services (notably the public "Live Trader Map" at autotraderbot.ai/globe and the equivalent administrative dashboard) display a globe with country boundaries overlaid for the purpose of indicating the approximate geographic distribution of our user community. The boundary data is sourced from Natural Earth (naturalearthdata.com), a public-domain cartographic dataset maintained by the North American Cartographic Information Society and used by the U.S. Government, Wikipedia, and many international news organizations.
The borders, lines, and country names shown on these visualizations are illustrative only. They are presented at a coarse 1:110,000,000 resolution suitable for global overview purposes. They do not represent any political position of AI Trading Bot LLC, are not intended as an authoritative depiction of any disputed territory, sovereignty claim, or international boundary, and should not be relied upon for any legal, navigational, regulatory, surveying, or geopolitical purpose.
If you believe a boundary is depicted in a way that violates the law of your jurisdiction, please contact us at support@autotraderbot.ai and we will review the visualization in good faith. We reserve the right to alter or remove the visualization at any time without notice.
International Data Transfers
AI Trading Bot LLC is based in the Commonwealth of Virginia, United States. Your personal information is processed and stored primarily in the United States, in the AWS US-East-1 (Northern Virginia) region. Static assets (CSS, JavaScript, images) are cached on AWS CloudFront edge locations worldwide, but no personal information is stored on those edge nodes.
If you access our Services from outside the United States, your information will be transferred to and processed in the United States, where data protection laws may differ from those in your country of residence.
Lawful Basis for Transfers from the EEA / UK / Switzerland
For transfers of personal data from the European Economic Area, the United Kingdom, or Switzerland to the United States, we rely primarily on the following safeguards (in order of preference):
- Standard Contractual Clauses (SCCs): European Commission Implementing Decision 2021/914 of 4 June 2021 (the "new" SCCs), Module 2 (Controller to Processor) for our service providers and, where applicable, Module 1 (Controller to Controller). For UK transfers, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs applies as adopted by the UK Information Commissioner's Office. For Swiss transfers, the SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.
- Transfer Impact Assessment (TIA): We have evaluated the laws of the United States that may affect our ability to provide the protections required by the SCCs (in particular FISA Section 702 and Executive Order 12333) and have implemented supplementary measures described below.
- Supplementary Measures:
  - TLS 1.2+ encryption for data in transit between your device, our infrastructure, and our subprocessors
  - AES-256 encryption at rest for sensitive data (MT5 credentials, 2FA secrets, payment metadata)
  - Strict role-based access controls; only a small number of authorized personnel can access production data, and all such access is logged
  - A commitment to challenge any government request for data that we believe is unlawful or overbroad, and to notify affected data subjects to the extent legally permitted
EU/UK Representative
If you are in the EEA or UK and wish to raise a data-protection question or complaint, you may contact us at support@autotraderbot.ai with the subject line "EU/UK Privacy Inquiry." We do not currently maintain an Article 27 representative because the volume and nature of our EEA/UK processing falls within the GDPR Article 27(2)(a) exemption. If our processing changes such that an Article 27 representative becomes required, we will appoint one and update this Policy accordingly.
Compliance Frameworks of Our Infrastructure Provider
Our cloud infrastructure provider (Amazon Web Services) maintains compliance with SOC 1, SOC 2, SOC 3, ISO 27001, ISO 27017, ISO 27018, PCI-DSS Level 1, HIPAA, and FedRAMP, among other international security and privacy frameworks. These compliance attestations cover the AWS infrastructure layer; our own application-layer security controls are described in Section 5.
Security Incident and Breach Notification
If we become aware of a confirmed security incident that has, or is reasonably likely to have, resulted in the unauthorized access, acquisition, disclosure, alteration, or destruction of your personal information, we will notify you in accordance with applicable law. The specific notification timeline depends on the jurisdiction and the severity of the incident:
- GDPR (EEA / UK / Switzerland residents): We will notify our supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to your rights and freedoms (GDPR Article 33). We will notify you directly without undue delay if the breach is likely to result in a high risk to your rights and freedoms (GDPR Article 34).
- U.S. state law: We will notify affected residents in accordance with the applicable state breach-notification statute. Notification timing varies by state (typically 30-60 days after discovery, or sooner if state law requires).
- All users: Even where law does not require notice, we commit to providing prompt notice to affected users of any security incident that may have compromised their account credentials, MT5 credentials, payment information, or other sensitive data.
Our breach-notification process includes: (i) confirmation of the incident scope, (ii) containment and remediation, (iii) regulatory notification where required, (iv) direct notification to affected users via the email address on file, (v) public notice on the platform if the scope warrants, and (vi) a post-incident report describing what happened, what data was affected, what we have done, and what you should do to protect yourself.
If you believe your account has been compromised, contact us immediately at support@autotraderbot.ai with the subject line "Security Incident."
Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or operational procedures. When we make changes to this Privacy Policy:
- We will update the "Effective" date displayed at the top of this policy
- For material changes that significantly affect your rights or how we process your personal information, we will notify you via email to the address associated with your account
- We will post the updated Privacy Policy on this page
- For significant changes, we may require you to acknowledge or re-accept the updated policy
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Your continued use of our Services after the effective date of any updated Privacy Policy constitutes your acceptance of the changes.
We recommend bookmarking this page and reviewing it when you receive notification of changes. Previous versions of this Privacy Policy are available upon request by contacting support@autotraderbot.ai.
Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy, our data practices, or your personal information, please contact us using the information below:
Virginia, United States
Email: support@autotraderbot.ai
For privacy-specific inquiries, data access requests, or CCPA/GDPR requests, please include "Privacy" in the subject line of your email.
We endeavor to respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you may have the right to lodge a complaint with your local data protection authority.