Security & data handling

We never have your broker login

TradeGuardX runs entirely in your browser as a Chrome extension. We don't ask for, store, or transmit your broker username, password, API keys, or session cookies. The extension reads what's already visible on the broker page (your open positions, the Buy/Sell buttons, your P&L) and enforces rules at the click. No backdoor into your broker.

Authentication

Sign-in is handled by Supabase, an industry-standard auth provider. We never see your password. Sessions use signed JWT tokens with a 1-hour expiry; the extension uses a separate, scoped pairing token that only authorizes the trading account it's paired to.

What we collect

• Account info: email, display name (you set), and authentication identifier from Supabase.
• Trading account metadata: the prop firm/broker, account name, starting balance, and currency you enter when adding an account.
• Trade events: symbol, side, quantity, entry/exit price, P&L, and timestamps for trades you take in your paired broker tab.
• Risk rules: your configured rules and parameters (e.g., 'daily loss limit: 2%').
• Subscription state: your plan tier and billing reference (the actual card is at Dodo, never on our servers).

What we do NOT collect

• Broker passwords, API keys, 2FA codes, or session cookies.
• Page content unrelated to trading (account numbers in non-trading pages, broker chat, support tickets, etc.).
• Browsing activity outside your paired broker domain. The extension stays dormant on every other website.
• Personal financial information beyond what you enter (we don't pull credit scores, bank info, etc.).

Where your data lives

Your account, rules, and trade history are stored in a PostgreSQL database hosted on AWS in the ap-south-1 (Mumbai) region. Local extension state (pairing token, recent trades cache, your selectors) lives only in your browser via chrome.storage.local — it never leaves until you sync it by trading.

Encryption

• In transit: TLS 1.2+ on every API call and webhook. No HTTP, ever.
• At rest: AWS RDS encrypts the database disk; backups are encrypted snapshots.
• Tokens: Auth tokens are signed JWTs (HS256) with short expiries. Pairing tokens are scoped to a single trading account and revocable.

Third-party services we use

• Supabase: authentication only. We never see your password.
• AWS: application hosting, database, and Lambda compute. Mumbai region.
• Dodo Payments: subscription checkout and recurring billing. Card details are stored at Dodo, not on our servers.
• Anthropic (Claude): AI-generated journal insights. Only the trade context you choose to analyze is sent — never bulk-export of your data.
• Sentry (EU region): crash and error reporting. We strip query strings and skip console breadcrumbs to avoid leaking session tokens or P&L.

We don't sell your data

TradeGuardX makes money from subscriptions, not from selling user data. Your trade history, rules, and behavior patterns are not aggregated, anonymized, or sold to anyone. They are yours.

Account deletion

Email support@tradeguardx.com from your account email and we'll permanently delete your profile, trading accounts, rules, trade history, and authentication record within 30 days. Backups containing your data are purged within 90 days of deletion. The deletion is irreversible — export your data first if you want a copy.

Vulnerability disclosure

If you discover a security issue, please email security@tradeguardx.com with the details. We'll acknowledge within 48 hours, work with you privately to confirm the issue, fix it, and credit you (if you'd like) once a patch is deployed. We don't currently run a paid bug bounty but we genuinely appreciate responsible disclosure.

Open questions

If something here is unclear or you have a specific concern about how your data is handled, email support@tradeguardx.com — we'll answer honestly.