Privacy Policy
Last updated: April 21, 2026
1. Data Controller
Graf Consulting GmbH, Keplerstrasse 105/4, 8020 Graz, Austria ("we", "us") is the data controller for personal data processed through TradeStats. We process your data in compliance with the EU General Data Protection Regulation (GDPR) and the Austrian Data Protection Act (DSG).
2. Data We Collect
Account Data
When you create an account, we collect:
- Email address
- Name (if provided)
- Authentication credentials (managed by our identity provider, WorkOS)
Trading Data
Data you import or enter into the Service:
- Trade history (symbols, prices, quantities, timestamps)
- Journal entries and notes
- Screenshots and images you upload
- Strategy configurations
This data is yours and is only used to provide the Service to you.
Usage Data
We automatically collect limited technical data:
- Browser type and version
- Pages visited and features used
- Error reports (via Sentry) for debugging purposes
3. How We Use Your Data
We use your data to:
- Provide and maintain the Service (Art. 6(1)(b) GDPR — contract performance)
- Process payments through our payment provider (Art. 6(1)(b) GDPR)
- Send essential service communications (Art. 6(1)(b) GDPR)
- Monitor and fix errors (Art. 6(1)(f) GDPR — legitimate interest)
- Improve the Service based on aggregated, anonymized usage patterns (Art. 6(1)(f) GDPR)
4. Third-Party Services
We share data with the following third-party processors, all of which are GDPR-compliant:
| Service | Purpose | Data Shared |
|---|---|---|
| Convex | Database and backend | All service data |
| WorkOS | Authentication | Email, name |
| Paddle | Payment processing | Email, billing info |
| Vercel | Hosting | IP address, request data |
| Sentry | Error tracking | Browser info, error context |
| Resend | Transactional email | Email address |
We do not sell your personal data to any third party.
5. Cookies
We use strictly necessary cookies for authentication and session management. We do not use advertising or third-party tracking cookies.
6. Data Retention
We retain your data for as long as your account is active. When you delete your account, we delete your personal data and trading data within 30 days. We may retain anonymized, aggregated data indefinitely for analytics purposes.
7. Your Rights
Under the GDPR, you have the right to:
- Access your personal data (Art. 15 GDPR)
- Rectify inaccurate data (Art. 16 GDPR)
- Erase your data ("right to be forgotten") (Art. 17 GDPR)
- Restrict processing (Art. 18 GDPR)
- Receive your data in a structured format ("data portability") (Art. 20 GDPR)
- Object to processing based on legitimate interest (Art. 21 GDPR)
- Lodge a complaint with the Austrian Data Protection Authority (Datenschutzbehörde, www.dsb.gv.at)
To exercise your rights, contact us at support@tradestats.io.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including encryption in transit (TLS), encryption of sensitive credentials (such as exchange API keys) at rest, access controls, and regular security reviews.
9. International Transfers
Some of our service providers process data outside the EU/EEA. In such cases, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) or adequacy decisions by the European Commission.
10. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service.
11. Contact
Graf Consulting GmbH
Keplerstrasse 105/4
8020 Graz, Austria
Email: support@tradestats.io