1. Information We Collect
We collect the following information when you use VibeTraders:
- Account information: Email address and password (hashed) when you register
- API keys: Your Alpaca and AI provider API keys, encrypted at rest using AES-256 encryption
- Trading data: Trade history, auto-trade plans, scan results, watchlists, and journal entries generated through your use of the Service
- Usage data: Feature usage events (which tools you use and when) to improve the Service
- Payment information: Processed by Stripe. We store your Stripe customer ID and subscription status but never your credit card details.
2. How We Use Your Information
- To provide and maintain the Service
- To execute trades and AI analysis on your behalf using your API keys
- To process subscription payments
- To send transactional emails (trade confirmations, account notifications)
- To understand how features are used and improve the Service
3. API Key Security
Your API keys are encrypted at rest using AES-256 encryption before being stored in our database. Keys are decrypted only at the moment they are needed to make API calls on your behalf. We never log, display, or transmit your decrypted keys except to the intended third-party service (Alpaca, AI providers).
4. Data Storage and Hosting
Your data is stored in a PostgreSQL database hosted by Neon. The web application is hosted on Vercel. Both providers maintain SOC 2 compliance and encrypt data in transit and at rest.
5. Third-Party Services
We share data with the following third parties only as necessary to operate the Service:
- Alpaca Markets: Your Alpaca API keys to execute trades and fetch market data
- AI Providers (Anthropic, OpenAI, Google, xAI, DeepSeek): Your AI API keys and market data for analysis. We do not send personal information to AI providers.
- Stripe: Email and payment information for subscription billing
- Neon: Database hosting
- Vercel: Application hosting
6. Data Retention
Your data is retained as long as your account is active. When you delete your account, all associated data (trading history, API keys, watchlists, settings) is permanently deleted via cascade deletion. We do not retain backups of deleted user data.
7. Your Rights
You have the right to:
- Access your data through the Service interface
- Export your trading journal and history
- Delete your account and all associated data at any time
- Revoke API keys at any time through your account settings
8. Cookies
We use session cookies for authentication (NextAuth). We do not use tracking cookies or third-party analytics cookies.
9. Children
The Service is not intended for use by anyone under the age of 18. We do not knowingly collect information from children.
10. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes via the email associated with your account.