Privacy Policy
TradeGrub LLC ("TradeGrub," "we," "us," or "our") operates the TradeGrub.io API platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API services, website, and developer dashboard.
1. Pass-Through Architecture
TradeGrub operates as a pass-through for financial data. We facilitate API calls between your application and the broker or exchange. We do not store trading data, portfolio positions, transaction history, or account balances on our servers. All brokerage and exchange data flows through our normalization layer in real time and is not persisted. Your financial data belongs to you and your broker; we simply relay it.
2. Information We Collect
We practice minimal data collection, gathering only what is strictly necessary to operate and improve the Services:
- Account Information: Name, email address, company name, and billing details when you register for an API key.
- API Keys & Credentials: Authentication tokens and API keys generated for your account.
- Usage Metrics: API call volumes, endpoints accessed, error rates, and latency metrics for service monitoring and billing.
- Error Logs: Diagnostic logs for debugging purposes. These logs are stripped of personally identifiable information (PII) before storage.
- Account Metadata: Subscription tier, billing cycle, and feature usage for billing and account management.
- Device & Log Data: IP addresses, browser type, operating system, and access timestamps for security and fraud prevention.
We do not collect, store, or have access to your personal trading data, portfolio holdings, order history, or financial account balances.
3. Credential Handling
We take the security of authentication credentials extremely seriously:
- Broker Credentials: Broker and exchange login credentials are never stored by TradeGrub. During OAuth flows, credentials are passed directly to the broker's authentication endpoint and are not retained on our systems.
- OAuth Tokens: Access and refresh tokens obtained from brokers are encrypted in transit using TLS 1.3 and at rest using AES-256 encryption.
- API Keys: Your TradeGrub API keys are stored using one-way cryptographic hashing. We cannot retrieve your full API key after initial generation.
- Key Management: Encryption keys are managed through a dedicated key management service with automatic rotation on a regular schedule.
4. How We Use Information
- Authenticate and authorize API requests
- Monitor service performance and enforce rate limits
- Detect and prevent fraud, abuse, and unauthorized access
- Provide customer support and respond to inquiries
- Send service-related communications (outage alerts, security notices, billing)
- Improve and develop new API features
- Generate aggregated, anonymized usage analytics
5. No Selling of Data
We never sell, rent, trade, or share your personal information or usage data with third parties for marketing, advertising, or any other commercial purpose. Period. Your data is used solely to provide and improve the Services.
6. Sub-Processors and Third-Party Services
We use a limited number of third-party service providers (sub-processors) to operate the Services:
- Cloud Infrastructure: Hosting and compute services (AWS/GCP) for running our API infrastructure
- Payment Processing: Stripe for billing and subscription management
- Analytics: Aggregated usage monitoring for service reliability
- Communication: Email services for transactional notifications
Importantly, no trading data, portfolio information, or financial account details are shared with any of these sub-processors. They receive only the minimum information necessary to perform their specific function (e.g., Stripe receives billing information only).
7. Data Location
All data collected by TradeGrub is processed and stored in the United States. If you are accessing the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, where data protection laws may differ from those of your jurisdiction.
8. Data Retention
- API Usage Logs: Retained for 90 days, then automatically purged.
- Account Data: Retained for the duration of your active account. Upon account deletion, all associated data is permanently removed within 30 days.
- Billing Records: Retained as required by applicable tax and financial regulations.
- Aggregated Analytics: Anonymized, non-identifiable analytics data may be retained indefinitely for service improvement.
9. Security Measures
- Encryption at Rest: All stored data is encrypted using AES-256
- Encryption in Transit: All API traffic is encrypted via TLS 1.3
- Authentication: OAuth 2.0 with scoped permissions and automatic key rotation
- Infrastructure: Isolated environments, network segmentation, and regular security audits
- Compliance: ISO 27001 certified ISMS; SOC 2 Type II certification on our roadmap
10. Breach Notification
In the event of a data breach that affects your personal information, we will notify affected users within 72 hours of confirmed discovery. Notification will be sent via email to the address associated with your account and will include: a description of the nature of the breach, the categories of data affected, the likely consequences, and the measures we have taken or propose to take to address the breach. We will also notify applicable regulatory authorities as required by law.
11. Your Rights (CCPA/GDPR)
Regardless of your location, we extend the following data rights to all users:
- Right to Know: Request a copy of the personal data we hold about you, including the categories of data collected, the purposes of collection, and any third parties with whom it has been shared.
- Right to Delete: Request deletion of your account and all associated personal data.
- Right to Opt-Out: Opt out of any non-essential data processing. Note: we do not sell personal information, so there is no "sale" to opt out of.
- Right to Data Portability: Download your account data and usage history in a machine-readable format (JSON or CSV).
- Right to Correct: Update inaccurate information in your account.
- Right to Restrict: Limit how we process your data in certain circumstances.
- Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.
To exercise any of these rights, contact us at privacy@tradegrub.com. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.
12. Children's Privacy
The TradeGrub API and Services are not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal data from a person under 18, we will take immediate steps to delete that information. If you believe a minor has provided us with personal data, please contact us at privacy@tradegrub.com.
13. Cookies
Our website and developer dashboard use essential cookies for authentication and session management. We do not use third-party advertising cookies. Analytics cookies, if used, collect only anonymized data and can be disabled in your browser settings.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes via email at least 30 days before they take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
15. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at:
Email: privacy@tradegrub.com
TradeGrub LLC