Privacy Policy

Last updated: 14 April 2025

1. Who We Are

TradePilot (“TradePilot”, “we”, “our”, or “us”) operates the website tradepilot.co.in and the TradePilot Chrome extension (collectively, the “Service”).

For the purposes of the Digital Personal Data Protection Act, 2023 (DPDP Act) of India, TradePilot is the Data Fiduciary. For the purposes of the General Data Protection Regulation (EU) 2016/679 (GDPR), TradePilot is the Data Controller.

Contact: itsvishnups@gmail.com

2. Personal Data We Collect

We collect only the data necessary to provide and improve the Service:

  • Account data — name, email address, and profile picture, collected via Google OAuth or email/password through Clerk (our authentication provider). This data is provided by you at registration.
  • Usage data — prompts and messages you submit, the Pine Script code generated in response, credit balance changes, session history, and feature interactions. This data is created when you use the Service.
  • Subscription and billing data — your subscription plan and payment status. Card numbers, bank details, and billing addresses are handled entirely by our payment processor (Dodo Payments) and are never stored by TradePilot.
  • Technical data — IP address, browser type, operating system, referrer URL, and standard server access logs, collected automatically when you access the Service. Used solely for security monitoring and diagnosing errors.
  • Extension data — an authentication token stored locally in your browser's chrome.storage.local. This token never leaves your device except to authenticate requests to our API. No trading data, TradingView account data, or Pine Script content is transmitted without your explicit action.

We do not collect sensitive personal data as defined under the DPDP Act (financial data beyond plan status, health data, biometric data, etc.) or special-category data under GDPR.

3. Legal Basis for Processing (GDPR)

For users in the European Economic Area (EEA) and UK, we rely on the following lawful bases under Article 6 GDPR:

  • Performance of a contract (Art. 6(1)(b)) — processing your account data, usage data, and billing status is necessary to create your account, process your prompts, and deliver the Service you have subscribed to.
  • Legitimate interests (Art. 6(1)(f)) — we process technical data to detect fraud, prevent abuse, ensure security, and analyse aggregate usage patterns to improve the Service. Our interests do not override your rights.
  • Legal obligation (Art. 6(1)(c)) — we may retain certain records to comply with applicable Indian law, tax obligations, and law-enforcement requests.
  • Consent (Art. 6(1)(a)) — we will ask for your explicit consent before sending any promotional or marketing communications. You may withdraw consent at any time.

4. Consent Under the DPDP Act (India)

Under the DPDP Act, 2023, we process your personal data only for purposes you have consented to at the time of registration or as otherwise permitted by law. By creating an account you consent to the processing described in this policy. You may withdraw consent at any time by requesting account deletion (see Section 8). Withdrawal of consent will result in termination of the Service.

Where we rely on “legitimate uses” as permitted under Section 7 of the DPDP Act (e.g. compliance with a court order, or performance of a function of the State), we will document and retain such basis.

5. Purposes of Processing

  • Authenticating you and maintaining your account.
  • Processing your prompts and returning AI-generated Pine Script via our backend API.
  • Tracking credit usage and enforcing plan limits.
  • Processing payments and managing subscription lifecycle events (upgrades, renewals, cancellations).
  • Sending transactional emails — receipts, password resets, service announcements. We do not send marketing emails without your separate consent.
  • Detecting and preventing fraud, abuse, and security threats.
  • Improving the Service through anonymised, aggregated analytics.
  • Complying with applicable legal obligations.

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.

6. Sub-Processors and Third-Party Services

We share your data only with the following processors, each bound by their own data protection agreements:

Processor | Purpose | Location
Clerk | Authentication, session management | USA
MongoDB Atlas | Database hosting (user data, chat sessions) | USA / India
OpenRouter | AI model routing (processes your prompts) | USA
Dodo Payments | Payment processing and subscription management | India
Vercel | Frontend hosting and edge delivery | USA / Global

We do not sell your personal data to any third party, ever.

7. International Data Transfers

TradePilot is based in India. Because several of our sub-processors are located in the United States, your personal data may be transferred to and processed in the USA, which currently does not have an adequacy decision from the European Commission.

For EEA/UK users, transfers to US-based sub-processors are governed by the European Commission's Standard Contractual Clauses (SCCs) incorporated into our Data Processing Agreements with each processor, or other appropriate safeguards under Article 46 GDPR.

For Indian users, data transfers to foreign processors are made subject to contractual safeguards consistent with the DPDP Act.

8. Your Rights

Under GDPR (EEA / UK users)

  • Right of access (Art. 15) — request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16) — ask us to correct inaccurate or incomplete data.
  • Right to erasure (Art. 17) — request deletion of your personal data where there is no overriding legal ground for retention.
  • Right to restriction of processing (Art. 18) — ask us to pause processing while a dispute is resolved.
  • Right to data portability (Art. 20) — receive your data in a structured, machine-readable format and transfer it to another controller.
  • Right to object (Art. 21) — object to processing based on legitimate interests, including profiling.
  • Right to withdraw consent — withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
  • Right to lodge a complaint — contact your national data protection authority (e.g. ICO in the UK, your EU member state's DPA).

Under DPDP Act (Indian users)

  • Right to access information — obtain a summary of the personal data we process and the purposes for which it is processed.
  • Right to correction and erasure — request correction of inaccurate data and erasure of data that is no longer necessary for the stated purpose.
  • Right to grievance redressal — have your grievances addressed by our Grievance Officer within 30 days (see Section 12).
  • Right to nominate — nominate a person to exercise your rights in the event of your death or incapacity.
  • Right to complain to the Data Protection Board of India — if your grievance is not resolved to your satisfaction.

To exercise any of the above rights, email itsvishnups@gmail.com with subject line “Data Rights Request”. We will respond within 30 days. We may need to verify your identity before acting on a request.

9. Data Retention

  • Account data — retained for as long as your account is active. Deleted within 30 days of an account deletion request, subject to legal hold obligations.
  • Chat sessions and generated code — retained for 90 days after the last activity in each session, then automatically purged. You may delete individual sessions at any time from the dashboard.
  • Billing records — retained for 7 years to comply with Indian tax and accounting law.
  • Technical / server logs — retained for 90 days, then deleted.
  • Extension tokens — stored locally on your device; removed on uninstall. Server-side session data is invalidated within 24 hours of token expiry.

10. Cookies

We use strictly necessary cookies only — specifically, session cookies placed by Clerk to maintain your authenticated state. These are essential to the operation of the Service and do not require consent under GDPR (Recital 25 of the ePrivacy Directive) or the DPDP Act.

We do not use advertising cookies, cross-site tracking cookies, or behavioural profiling cookies. No third-party analytics scripts (e.g. Google Analytics) are embedded on our website.

11. Data Security

We implement the following technical and organisational measures to protect your personal data:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Data at rest in MongoDB Atlas is encrypted using AES-256.
  • API endpoints require a valid Clerk JWT; unauthenticated requests are rejected.
  • Admin-only routes have additional role-based access control.
  • Access to production systems is limited to authorised personnel only.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours (GDPR Art. 33) and notify affected individuals without undue delay (GDPR Art. 34 / DPDP Act Section 8(6)).

12. Grievance Officer (DPDP Act)

In accordance with Section 13 of the DPDP Act, 2023, and Rule 5 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, TradePilot has designated the following Grievance Officer:

Name: TradePilot Support Team

Email: itsvishnups@gmail.com

Response time: Within 30 days of receipt of complaint

If you are dissatisfied with our response, you may escalate your complaint to the Data Protection Board of India once established under the DPDP Act.

13. Children's Privacy

The Service is intended for users aged 18 and above. We do not knowingly collect personal data from anyone under 18. If we become aware that a minor has provided personal data, we will delete it promptly. Under the DPDP Act, processing of children's data requires verifiable parental consent; we do not collect such data.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to registered users and/or a notice on our website at least 15 days before they take effect. Continued use of the Service after the effective date constitutes acceptance of the revised policy.

Under the DPDP Act, we will re-obtain your consent if any change involves a new purpose or a materially different use of your personal data.

15. Contact and Supervisory Authorities

For any privacy question, data rights request, or complaint, contact us first at itsvishnups@gmail.com.

If you are an EEA or UK resident and believe we have not adequately addressed your concern, you have the right to lodge a complaint with your local data protection authority. A list of EEA DPAs is available at edpb.europa.eu.

If you are an Indian resident, you may escalate to the Data Protection Board of India in accordance with the DPDP Act once the Board is constituted.