⚠️ STAGING — NOT PRODUCTION dev.docai.trade — v5.7.0 — test environment, not for real trading

Privacy Policy

Effective Date: April 11, 2026

1. What Data We Collect

Account Data

Email address, hashed password, display name, subscription tier. We do not store plain-text passwords.

Usage Data

Pages visited, features used, session duration, AI queries (anonymized). Used to improve the platform. IP addresses are hashed before storage — we do not store raw IPs.

Trade & Journal Data

Paper trades, trade journal entries, watchlists, and alert configurations you create. This data is yours — we don't sell or share it.

Verification Data

Phone number (if you enable SMS 2FA). We store only the E.164 formatted number and verified status. SMS codes are never stored after use.

Payment Data

We do not store card numbers. Payments are handled by Stripe. We store your Stripe Customer ID and subscription status only.

2. How We Store Your Data

Your data is stored in encrypted SQLite databases on DigitalOcean servers in the United States. Databases are backed up daily and backups are retained for 30 days. We use HTTPS for all data in transit. Passwords are hashed using bcrypt with a work factor of 12.

3. Cookies

We use minimal cookies:

  • auth_token — JWT session token (HttpOnly, Secure, SameSite=Strict). Essential for login. Expires in 7 days.
  • theme — Your light/dark theme preference. Local storage only, never transmitted to our server.

We do not use advertising cookies, tracking pixels, or third-party analytics (no Google Analytics, no Facebook Pixel).

4. Third-Party Services

Stripe

Payment processing. Subject to Stripe's Privacy Policy. stripe.com/privacy

Twilio

SMS verification codes (if enabled). Twilio receives your phone number to send codes. twilio.com/legal/privacy

Anthropic (Claude AI)

AI-powered features (AskDoc, AI analysis). Your queries are sent to Anthropic's API. Anthropic's data handling applies to API calls. anthropic.com/privacy

Schwab / Alpaca / Tradier

Broker integrations (if you connect). We store OAuth tokens; the broker receives trade instructions you initiate. See each broker's privacy policy.

Finnhub / Alpha Vantage / Polygon

Market data providers. We query these APIs server-side — your identity is not shared with these providers.

5. How We Use Your Data

  • To provide, maintain, and improve the platform.
  • To send transactional emails (password reset, subscription confirmation). We don't send marketing emails without consent.
  • To enforce our Terms of Service and detect abuse.
  • To generate aggregated, anonymized analytics (e.g., "most-used features").

We never sell your personal data to third parties.

6. Your Rights (CCPA / GDPR)

Regardless of where you live, you have the following rights:

  • Access — Request a copy of all personal data we hold about you.
  • Correction — Request correction of inaccurate data.
  • Deletion — Request deletion of your account and personal data ("right to be forgotten").
  • Portability — Request your trade journal, watchlists, and account data in JSON format.
  • Opt-out — Opt out of usage analytics at any time in Settings → Privacy.

California residents: under CCPA you may also request disclosure of categories of personal information sold. We do not sell personal information.

To exercise any right, email privacy@docai.trade. We respond within 30 days.

7. Data Retention

We retain your account data as long as your account is active. If you delete your account, personal data is removed within 30 days except where retention is required by law. Anonymized usage analytics may be retained indefinitely.

8. Children's Privacy

Doc-AI is not directed to users under 18. We do not knowingly collect personal data from minors. If we learn we have collected data from a minor, we will delete it promptly.

9. Changes to This Policy

We may update this policy. Significant changes will be communicated via email or in-app notification at least 14 days in advance.

10. Contact

Privacy questions or requests: privacy@docai.trade