Privacy Policy

Last updated: April 6, 2026

Privacy at a Glance

• What we collect: Your email, display name, and the read-only exchange API keys you provide. Through those keys, we access your trading history and balances to power AI analysis features.
• Who sees your data: Our AI providers (OpenAI and Anthropic) process your data to generate analysis, and our quality monitoring service (LangSmith) logs AI interactions for debugging. None of these providers use your data to train their models. We do not sell, rent, or share your data with advertisers or data brokers.
• Where your data lives: Our database is hosted in an EU region by Supabase (a US-incorporated company; see Section 6 for transfer safeguards). AI processing happens in the US through OpenAI, Anthropic, and LangSmith, protected by EU-approved Standard Contractual Clauses.
• How long we keep it: As long as you have an active account. Within 30 days of deleting your account, your data is permanently deleted (except billing records kept for 7 years as required by tax law).
• Your control: You can export, correct, or delete your data at any time. You can revoke your API keys instantly. Email support@tradecopilot.app for any request.

This Privacy Policy explains how Trade Copilot collects, uses, stores, and protects your personal data when you use our AI-powered trading decision-support platform.

Trade Copilot is based in Sofia, Bulgaria (EU). We follow the General Data Protection Regulation (GDPR), UK data protection law (UK GDPR), the EU AI Act, the Bulgarian Personal Data Protection Act (ZZLD), and US state privacy laws including the California Consumer Privacy Act (CCPA/CPRA). Where these frameworks conflict, we apply whichever gives you stronger protection.

1. Data Controller

The data controller responsible for processing your personal data is:

Trade Copilot
Trade Copilot LTD
Okolovrasten pat 60V Blvd., fl. 4, office 16, Sofia, Bulgaria
UIC 208764692
Email: support@tradecopilot.app

If you have any questions about this Privacy Policy or how we handle your data, please contact us at the email address above. We will respond to all privacy-related inquiries within one month, as required by GDPR. If a longer response period is necessary (up to two additional months for complex requests), we will notify you within the initial month.

We have assessed our obligation to appoint a Data Protection Officer under GDPR Article 37 and have determined that our processing activities do not currently require one. This assessment is documented internally and reviewed annually as our user base grows. For all data protection inquiries, please contact us at the email address above.

2. Personal Data We Collect

2.1 Account Information

When you create an account, we collect:

• Email address
• Display name or username
• Password (stored in hashed form only; we never store plaintext passwords)
• Billing information (processed by our third-party payment processor; we do not store full payment card details)

2.2 Exchange API Credentials

Trade Copilot connects to cryptocurrency exchanges using read-only API keys that you provide. These keys grant Trade Copilot permission to view your exchange data only. We want to be explicit about what this means:

Read-only access only. Trade Copilot requires only read/view permissions on your exchange API keys. We never request trade execution, withdrawal, or fund transfer permissions. Our system is designed to operate exclusively with read-only access and to reject API keys that have write permissions. It does not include functionality to execute trades or move funds. However, the security of your exchange account ultimately depends on the permissions you configure on your exchange — we recommend always restricting API keys to read-only.

What we access through your API keys: Account balances, open positions, trade history, and order history. This data is used to power features such as automated trade journaling, live trade review, and AI-assisted performance analysis.

Encryption. Your API keys are encrypted at rest using AES-256 encryption and transmitted exclusively over TLS-encrypted connections. Keys are stored with dedicated access controls that limit decryption to authorized service components.

Revocation. You may revoke your API keys at any time, either within Trade Copilot (which deletes them from our systems) or directly on your exchange (which immediately invalidates them regardless of our records). We recommend revoking keys on the exchange side if you have any security concerns.

Permission validation. Our system validates the permissions of API keys when you connect them. Keys that have permissions beyond read-only access are rejected and not stored. If permission detection fails in an edge case and a non-read-only key is inadvertently accepted, we will notify you upon detection and recommend that you revoke the key on your exchange and generate a new one with read-only permissions only.

2.3 Trading Data

Through your connected exchange accounts, we collect and store:

• Trade history (entries, exits, instruments, sizes, prices, timestamps)
• Open and closed positions
• Account balances and portfolio composition
• Performance metrics derived from your trading activity

This data powers Trade Copilot’s core features: Daily Briefs, Setup Analysis, automated journaling, Mistake Radar, and AI-powered Performance Reviews. These features provide AI-generated analytical context and data organization tools. Feature names describe the category of analysis provided, not a recommendation or directive. All outputs are informational summaries that require your independent judgment.

2.4 AI Conversation Data

When you interact with Trade Copilot’s AI features, we collect:

• Your messages, prompts, and instructions to the AI
• AI-generated responses and analysis
• Context data assembled for each AI interaction (market data, your trading history, instrument levels, and other structured context provided to the AI model)

We save your messages and the AI’s responses so you can revisit past conversations and so the AI can build on earlier analysis. We do not use your individual conversation data to train AI models or to improve the service for other users.

Context data assembled for individual AI requests (such as real-time market data snapshots and structured instrument data) is logged in our AI observability platform (LangSmith, operated by LangChain, Inc.) for quality assurance, debugging, and service improvement. These logs include the full context sent to the AI model and the model’s response. LangSmith logs are retained for up to 90 days and then deleted. LangSmith processes data under a data processing agreement and does not use your data to train models. For details on international transfers related to this processing, see Section 6.

2.5 Usage and Technical Data

We automatically collect:

• IP address and approximate geolocation (country/region level)
• Browser type, operating system, and device information
• Pages visited, features used, session duration, and interaction patterns
• Error logs and performance data

This data is collected for service reliability, security monitoring, and product improvement. We do not use this data to build advertising profiles.

2.6 Data We Do Not Collect

Trade Copilot does not collect:

• Exchange account passwords or login credentials
• Government-issued identification documents
• Biometric data
• Data from social media accounts
• Precise GPS location data

2.7 Google Account Data

Trade Copilot uses Google services in two ways:

Google Sign-In (optional). You may create an account or log in using your Google account. When you do, we receive your Google email address, display name, and basic profile information through Google’s OpenID Connect protocol. This data is used solely for account authentication and is stored as part of your account information (see Section 2.1).

Google Sheets integration (optional). You may connect your Google account to enable trade journaling in Google Sheets. When you connect this integration, we request the following permissions (scopes):

• Google Sheets (read and write): We create, write to, and read from a specific spreadsheet in your Google Drive designated for your trade journal. Write operations include automatic logging of closed trades and manual journal entries. Read operations include importing existing journal entries and backfilling trade history for analysis.
• Google Drive (file-level): We use file-level Drive access to create and access your designated journal spreadsheet. This scope limits our access to spreadsheets that Trade Copilot created or that you explicitly opened with Trade Copilot. We cannot see, list, browse, or access any other files or folders in your Google Drive.

How we use Google data: Google Sheets access is used solely for trade journal functionality — writing trade entries, reading journal data for analysis and import, and locating your journal spreadsheet. We do not use your Google data for advertising, profiling, or any purpose unrelated to the trade journal feature.

Token storage: When you connect Google Sheets, we store an encrypted refresh token in our database to maintain the connection. Access tokens are cached briefly in memory (up to 30 seconds) and are not persisted. If your refresh token becomes invalid (for example, if you revoke access on Google’s side), we automatically detect this, remove the stored token, and mark the integration as disconnected.

Data retention: Trade journal data written to your Google Sheets remains in your Google Drive under your control. We do not store a separate copy of your Google Sheets content on our servers beyond what is needed to process individual read or write requests. Authentication tokens are retained only while the integration is active and are deleted immediately when you disconnect.

Revocation: You can disconnect your Google account from Trade Copilot at any time through your account settings. This revokes our access token with Google and deletes the stored refresh token from our systems. You can also revoke access directly through your Google Account permissions at https://myaccount.google.com/permissions. Revoking access does not delete data already written to your Google Sheets — that data remains in your Google Drive under your control.

Trade Copilot’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

3. How and Why We Use Your Data

3.1 Data Usage

We process your personal data for the following purposes, each with a specific legal basis under GDPR:

• To provide and operate the core Service (Legal basis: performance of contract). This includes storing and displaying your trading data, automated trade journaling, account management, and basic platform functionality.
• To generate AI-powered analysis (Legal basis: legitimate interest). This includes assembling market context, generating Daily Briefs, analyzing setups, and producing Performance Reviews. Our legitimate interest is providing differentiated analytical tools that form the core value proposition of the Service. We have balanced this interest against the sensitivity of financial data and the international transfers involved, and concluded the processing is proportionate given the data minimization, encryption, and contractual safeguards applied. You have the right to object to this processing (see Section 8.1).
• To store and process AI conversation data (Legal basis: legitimate interest). Your messages and AI responses are stored to maintain conversation continuity, enable the AI to reference your prior analysis, and provide conversation history. AI interaction logs stored in our observability platform (LangSmith) are also processed under this basis. Our legitimate interest is providing a coherent, context-aware analysis experience and monitoring service quality. You have the right to object to this processing.
• To maintain and improve the Service (Legal basis: legitimate interest). Our legitimate interest is ensuring service reliability and developing features that better serve users. This includes analyzing usage patterns, diagnosing technical issues, and developing new features.
• To communicate with you (Legal basis: performance of contract / legitimate interest). This includes account notifications, service updates, security alerts, and responding to support requests.
• To ensure security and prevent fraud (Legal basis: legitimate interest). Our legitimate interest is protecting the Service, our users’ data, and our infrastructure from unauthorized access and abuse. This includes monitoring for unauthorized access, detecting anomalous activity, and protecting the integrity of our systems.
• To comply with legal obligations (Legal basis: legal obligation). This includes responding to lawful requests from authorities and maintaining records as required by applicable law.

We do not use your personal data for advertising, profiling for marketing purposes, or selling to third parties. We do not use your trading data to inform our own trading decisions or share it with other users.

Where we rely on legitimate interest as a legal basis, we have conducted a balancing test for each processing activity, weighing our specific interest (described above alongside each purpose) against your rights and freedoms. In each case, we have concluded that the processing is proportionate and does not override your interests, considering: the nature and sensitivity of the data, the safeguards in place (encryption, access controls, data processing agreements), the measures taken to minimize data processed, and your reasonable expectations as a user of an AI-powered trading analysis service. You may request the full details of our legitimate interest assessments by contacting us. You have the right to object to any processing based on legitimate interest (see Section 8.1).

3.2 Automated Processing and Profiling.

Trade Copilot uses automated processing, including profiling, to analyze your trading activity and generate insights. The general logic of each profiling activity is as follows:

• Mistake Radar: Analyzes your trade entries and exits against your own historical patterns and the market context at the time of each trade to identify recurring deviations from your stated or observed trading process (such as entering positions outside your typical size range, deviating from planned stop-loss levels, or trading outside your usual market sessions). Inputs: your trade history, position sizes, timing data, and market data at time of trade.
• Performance Reviews: Analyzes your trading results over a defined period, calculating metrics such as win rate, average risk/reward, drawdown, and consistency, then uses AI to identify patterns and areas for improvement. Inputs: your trade history, profit/loss data, and position durations.
• Trade Reviews: Analyzes individual completed trades against the market context and your stated rationale (if provided) to generate a post-trade assessment. Inputs: individual trade data, market data, and your AI conversation history related to that trade.
• Daily Briefs and Setup Analysis: Assembles current market data, your open positions, and relevant trading history to generate a contextual summary. Inputs: market data from your connected exchanges, your current positions, and recent trade history.

This processing does not produce decisions with legal or similarly significant effects on you — all outputs are informational summaries that require your independent evaluation. The features do not restrict your access to the Service, affect your subscription terms, or produce any binding effect. No trading, financial, or account-related decisions are made by automated processing without your intervention. You have the right to object to specific profiling activities by contacting us (see Section 8.1).

4. AI Processing and Third-Party AI Providers

4.1 How AI Processing Works

Trade Copilot uses large language models (LLMs) from third-party providers to generate trading analytical context, analyze setups, review trades, and respond to your questions. When you use an AI-powered feature, Trade Copilot assembles a structured context package containing relevant market data, your trading history, instrument levels, and your specific query, and sends this to the selected AI model for processing.

You should be aware that:

• All AI-generated analysis is produced by third-party AI models (currently from OpenAI and Anthropic), not by proprietary Trade Copilot models.
• Trade Copilot carefully selects and structures the data sent to these models to produce useful analysis. However, the AI models generate their responses independently — we do not hand-write or pre-approve each response.
• AI outputs may contain errors, inaccuracies, or omissions. AI-generated analysis should always be evaluated critically and independently verified before being used to inform any trading decision.
• AI hallucination risk in financial data. Large language models can generate outputs that are factually incorrect but presented with apparent confidence. In a financial context, this means AI-generated analysis may include fabricated price levels, incorrect calculations of profit/loss or risk/reward ratios, non-existent chart patterns, or inaccurate descriptions of your own trading positions. These errors (“hallucinations”) are an inherent limitation of current AI technology. You must independently verify all factual claims, numerical values, and analytical conclusions against your own data and trusted market data sources.

4.2 Third-Party AI Provider Data Handling

When your data is sent to third-party AI providers for processing:

• We use API-level access to these providers, which means your data is processed under enterprise-grade data processing agreements.
• Under our agreements with OpenAI and Anthropic, your data sent through the API is not used to train their models.
• Data is transmitted over encrypted connections (TLS) and is not retained by the providers beyond the time needed to generate a response, as specified in their respective data processing agreements.

We encourage you to review the privacy policies of our AI providers:

• OpenAI: https://openai.com/policies/privacy-policy
• Anthropic: https://www.anthropic.com/privacy

4.3 AI Transparency Disclosure

Under the EU AI Act (Regulation 2024/1689), we provide the following disclosures:

• Risk classification. We have assessed that Trade Copilot’s AI features are classified as limited-risk under the AI Act, triggering transparency obligations under Article 50. We periodically review this classification as the Service evolves and as implementing guidance is published.
• AI-generated content. When you interact with AI-powered features, you are interacting with AI-generated content, not human analysis. All AI-generated content is identified as such within the Service interface.
• Capabilities and limitations. AI-generated outputs are probabilistic text completions, not deterministic calculations. They may contain factual errors, reflect biases in training data, fail to account for market conditions not included in the input context, produce inconsistent results for similar inputs, or generate analysis that appears confident but is incorrect. AI-generated analysis has no demonstrated predictive reliability for future market movements.
• Human oversight required. All AI outputs require your independent evaluation and judgment. You should not rely on any AI output as a sole or primary basis for any trading or investment decision.

5. Who We Share Your Data With

We share your personal data only with the following categories of recipients, and only to the extent necessary for the stated purposes:

• AI model providers (OpenAI, Anthropic) — to process AI-powered features. Data shared includes conversation context, market data, and trading history relevant to the specific query. Governed by data processing agreements.
• AI observability (LangSmith, operated by LangChain, Inc.) — to monitor AI quality, debug issues, and improve the Service. Data shared includes AI request context and model responses. Governed by a data processing agreement; data is retained for up to 90 days.
• Cloud infrastructure providers — (Supabase for database and storage, Vercel for website hosting, Render for backend services) — to host and operate the Service. Governed by data processing agreements with GDPR-compliant safeguards.
• Secrets management (Doppler) — to securely manage encryption keys and service credentials. Doppler does not store your personal data directly but manages the keys used to protect it.
• Payment processors (Polar for card payments, Coinbase Commerce for cryptocurrency payments) — to process subscription payments. We do not store full payment card details; these are handled entirely by our payment processors.
• Analytics (Vercel Analytics) — to understand usage patterns and improve the Service. Vercel Analytics does not use cookies and does not track users across sites.
• Google (Google Sheets API, Google Drive API) — to enable optional trade journal functionality. Data shared is limited to trade journal entries (trade history, performance data) written to and read from your designated Google Sheets spreadsheet. Authentication via Google OAuth 2.0. Governed by Google’s API Terms of Service.
• Legal and regulatory authorities — when required by law, court order, or governmental regulation.

We do not sell, rent, or trade your personal data to any third party. We do not share your trading data, API keys, or AI conversation history with other users, advertisers, or data brokers.

6. International Data Transfers

Trade Copilot is operated from the European Union (Bulgaria). However, some of our third-party service providers, including AI model providers, may process your data in the United States or other countries outside the European Economic Area (EEA).

When personal data is transferred outside the EEA, we ensure appropriate safeguards are in place. The specific mechanisms for our key providers are:

• OpenAI, Inc. (USA): European Commission 2021 Standard Contractual Clauses, Module 2 (Controller to Processor) and data processing agreement.
• Anthropic, PBC (USA): European Commission 2021 Standard Contractual Clauses, Module 2 (Controller to Processor) and data processing agreement.
• LangChain, Inc. (USA — LangSmith): European Commission 2021 Standard Contractual Clauses, Module 2 (Controller to Processor) and data processing agreement.
• Supabase, Inc. (USA — database hosted in EU region, US corporate jurisdiction): European Commission 2021 Standard Contractual Clauses, Module 2 (Controller to Processor) and data processing agreement.
• Vercel, Inc. (USA): European Commission 2021 Standard Contractual Clauses, Module 2 (Controller to Processor) and data processing agreement.
• Render (USA): EU-US Data Privacy Framework certification, supplemented by European Commission 2021 Standard Contractual Clauses (Module 2) as a fallback mechanism, and data processing agreement.

We have conducted a Transfer Impact Assessment (TIA) for transfers to each provider, in accordance with EDPB Recommendations 01/2020. Our TIAs assessed the legal framework in the United States, including FISA Section 702 and Executive Order 12333, and concluded that the supplementary measures in place — including encryption of data in transit and at rest, contractual commitments from each provider regarding government access requests, data minimization in the context sent to providers, and the limited retention periods for processed data — provide adequate protection for the categories of personal data transferred. TIA summaries are available upon request.

If any transfer mechanism is invalidated by a court or regulatory authority, we will promptly implement alternative safeguards or, if none are available, suspend transfers to the affected provider.

You may request details of the specific safeguards applied to transfers of your data by contacting us at the email address in Section 1.

7. Data Retention

We retain your personal data only for as long as necessary to fulfill the purposes described in this Privacy Policy, or as required by law.

• Account data: Retained for the duration of your active subscription and for up to 30 days after account deletion to allow for reactivation.
• Exchange API keys: Deleted immediately upon your request or upon account deletion. Keys are also invalidated server-side when removed.
• Trading data and journal entries: Retained for the duration of your subscription. Upon account deletion, this data is permanently deleted within 30 days.
• AI conversation history: Retained for the duration of your subscription to enable persistent context and historical reference. Deleted within 30 days of account deletion.
• AI observability logs (LangSmith): Retained for up to 90 days for quality assurance and debugging, then permanently deleted.
• Usage and technical data: Personal identifiers (such as IP addresses and device information) are retained for up to 30 days for security monitoring and debugging. After this period, data is anonymized or aggregated and may be retained for up to 12 months for product improvement.
• Billing records: Retained for up to 7 years after the end of the subscription as required by Bulgarian law (Article 38 of the Accountancy Act / Закон за счетоводството and Article 71 of the VAT Act / ЗДДС).

We maintain a Record of Processing Activities and have conducted Data Protection Impact Assessments for our AI-powered processing activities and international data transfers, as required by GDPR Articles 30 and 35.

8. Your Rights

8.1 Rights Under GDPR (EEA Residents)

If you are located in the European Economic Area, you have the following rights under the General Data Protection Regulation:

• Right of access: You may request a copy of the personal data we hold about you.
• Right to rectification: You may request correction of inaccurate or incomplete personal data.
• Right to erasure: You may request deletion of your personal data, subject to legal retention obligations.
• Right to restrict processing: You may request that we limit the processing of your data in certain circumstances.
• Right to data portability: You may request your personal data in a structured, commonly used, machine-readable format. We provide data portability exports in JSON format (and CSV for tabular trading data).
• Right to object: You may object to processing based on legitimate interest, including AI-powered analysis of your trading data. If you object, we will stop the relevant processing unless we can demonstrate compelling legitimate grounds that override your interests. To object to AI processing specifically, contact us and we will discuss available alternatives.
• Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing performed prior to withdrawal.

How to exercise your rights: Send an email to support@tradecopilot.app with your request. We will confirm receipt within 3 business days and complete your request within one month. If a request is unusually complex, we may need up to three months total — but we will tell you why and give you a new timeline within the first month. To protect your privacy, we will verify your identity through your registered email address before fulfilling any request.

You also have the right to lodge a complaint with a supervisory authority. The relevant authority for Trade Copilot is the Commission for Personal Data Protection (CPDP) in Bulgaria. You may also contact the supervisory authority in your own EU/EEA member state.

8.2 Rights Under US State Privacy Laws

If you are a resident of California or another US state with comprehensive privacy legislation (including Virginia, Colorado, Connecticut, and others), you may have additional rights, including:

• Right to know: You may request information about the categories and specific pieces of personal information we have collected about you.
• Right to delete: You may request deletion of your personal information.
• Right to opt out of sale: We do not sell your personal information. No opt-out is necessary, but we confirm this right is available to you.
• Right to opt out of profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects. While Trade Copilot’s AI analysis is informational and does not produce such effects, we honor opt-out requests for automated profiling upon request.
• Right to non-discrimination: We will not discriminate against you for exercising any of these rights.
• Right to appeal: If we decline your privacy request, you have the right to appeal by contacting us at support@tradecopilot.app with the subject line “Privacy Rights Appeal.” We will respond within 60 days.

We will respond to verifiable consumer requests within 45 days, as required by applicable US state privacy laws. If additional time is needed (up to 45 additional days), we will notify you of the extension.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of all data in transit using TLS 1.2 or higher
• Encryption of sensitive data at rest (including API keys) using AES-256
• Access controls and role-based permissions limiting who within our organization can access personal data
• Regular security reviews and monitoring of our systems
• Secure software development practices
• Incident response procedures for potential data breaches

No system is completely secure, and we cannot guarantee the absolute security of your data. However, we are committed to implementing and maintaining security measures that reflect current industry best practices and the sensitivity of the data we handle.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
• Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
• Provide clear information about the nature of the breach, the data affected, the likely consequences, and the measures taken or proposed to address the breach.

If your exchange API keys are potentially affected by a breach, we will specifically advise you to revoke and regenerate your API keys on the affected exchange(s) immediately.

11. Cookies and Tracking Technologies

• Strictly necessary cookies: Required for the Service to function (authentication, session management, security). These do not require consent under the ePrivacy Directive and cannot be disabled.
• Analytics: We use Vercel Analytics to understand how users interact with the Service. Vercel Analytics does not use cookies and does not track users across websites. No cookie consent is required for this analytics tool.

We do not use advertising or marketing cookies. We do not serve third-party advertisements within Trade Copilot.

Your browser may offer a “Do Not Track” (DNT) signal. There is currently no uniform standard for DNT compliance; we do not currently respond to DNT signals. We do recognize and honor Global Privacy Control (GPC) signals as valid opt-out requests under the California Consumer Privacy Act (CCPA/CPRA).

12. Children's Privacy

Trade Copilot is not intended for use by individuals under the age of 18. While Bulgarian law sets the age of consent for information society services at 14, we require users to be at least 18 because the Service involves analysis of trading activity and financial data.

We do not knowingly collect personal data from minors. If we become aware that we have collected personal data from a person under 18, we will take steps to delete that data promptly. If you believe a minor has provided us with personal data, please contact us at the email address in Section 1.

13. Financial Disclaimer and Limitation of Liability

Trade Copilot provides AI-generated analytical context for informational purposes only — it is not financial advice, investment advice, or any form of professional advice. All trading and investment decisions are made solely by you. AI-generated analysis may contain errors, including fabricated data (“hallucinations”), and should always be independently verified.

For the complete financial and trading disclaimer, limitation of liability, and disclaimer of warranties, please refer to our Terms of Service. These provisions are a material part of our agreement with you.

14. Third-Party Services and Links

Trade Copilot integrates with third-party services, including cryptocurrency exchanges (currently Binance, Bybit, OKX, and Coinbase), AI model providers (OpenAI and Anthropic), and Google (for optional trade journal export to Google Sheets). We are not responsible for the privacy practices, content, or security of any third-party services. We encourage you to review the privacy policies of any third-party services you use in connection with Trade Copilot.

Your relationship with any cryptocurrency exchange is governed by that exchange’s own terms of service and privacy policy. Trade Copilot is not a party to that relationship and bears no liability for the actions, omissions, or policies of any exchange.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will:

• Post the updated policy on our website with a revised “Last Updated” date.
• Notify you by email or through an in-app notification at least 14 days before the changes take effect.
• Where required by law, obtain your consent to material changes.

For changes that affect our legal basis for processing or introduce new categories of data collection, we will seek your affirmative consent before implementing the changes. For other updates, your continued use of the Service after the effective date means the updated policy applies going forward. If you disagree with a change, you can delete your account at any time — we will delete your data as described in Section 7.

16. Governing Law and Jurisdiction

This Privacy Policy is interpreted in accordance with the laws of the Republic of Bulgaria. This does not affect your rights under the data protection or consumer protection laws of your country of residence. For dispute resolution, please refer to our Terms of Service.

17. Sanctions and Restricted Jurisdictions

Trade Copilot complies with applicable sanctions imposed by the European Union, the United States (OFAC), the United Kingdom, and the United Nations. For full eligibility requirements and sanctions representations, please refer to Section 3 of our Terms of Service.

18. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Email: support@tradecopilot.app
Address: Okolovrasten pat 60V Blvd., fl. 4, office 16, Sofia, Bulgaria

For GDPR-related inquiries, you may also contact the Bulgarian Commission for Personal Data Protection (CPDP):
Website: https://www.cpdp.bg
Address: 2 Prof. Tsvetan Lazarov Blvd., Sofia 1592, Bulgaria

© Trade Copilot. All rights reserved.