Privacy Policy

Last updated: May 28, 2026

Tradebio is operated by Tradebio LLC, a Georgia limited liability company ("Tradebio," "we," "us," or "our"). This Privacy Policy explains what we collect, how we use it, how long we keep it, and your rights.

1. What Tradebio Is

Tradebio is a software-as-a-service analytics platform that lets a trader correlate their own biometric data (sleep, heart-rate variability, resting heart rate, recovery scores, workout heart rate) with their own trading activity to spot patterns in their personal performance. Each user's data is private to that user; there is no cross-user data sharing in the Service.

2. Data We Collect

When you authorize a third-party integration, we receive and store only the data within the scopes you grant:

Biometric Data

WHOOP: Recovery score, Strain score, Heart Rate Variability (HRV), Resting Heart Rate (RHR), sleep duration, sleep stages, sleep performance score, workout heart-rate samples, and your WHOOP user identifier. Scopes requested: read:recovery, read:cycle, read:sleep, read:workout, read:profile.
Oura: Sleep score, readiness score, HRV, RHR, total sleep, sleep efficiency, daytime stress and recovery minutes, body temperature deviation, and heart-rate samples.
Apple HealthKit (via the Health Auto Export iOS app, if you choose to enable it): heart-rate samples pushed to our server over HTTPS.

Trading Data

Closed trades, fills, account balances, positions, account names, and historical orders from TopstepX (ProjectX) and from CSV exports you upload from Tradovate-based prop firms (Tradeify, FundedNext, Apex, MyFundedFutures, Alpha Futures, and similar).
For TopstepX, we receive only what your TopstepX API key grants us; we never receive your TopstepX password.

Account & Authentication Data

Your Google account email, name, and profile picture when you sign in via Google OAuth.
A session cookie (tradebio_session) used solely to maintain your authenticated session. This cookie is HMAC-signed, HTTP-only, and not used for tracking or advertising.
OAuth tokens and API keys from connected services, used solely to fetch your data on your behalf.

What We Do Not Collect

We do not collect government identifiers, social-security numbers, or device fingerprints.
We do not store payment card numbers; payments (when enabled) are processed by Stripe, Inc.
We use no tracking pixels, advertising SDKs, or third-party analytics that profile users across sites.

3. How We Use Your Data

To compute aggregate statistics over your own data (win rate, P&L, MAE/MFE, daily bio tier classification, account performance metrics, etc.).
To correlate your biometric signals with your trade outcomes and surface patterns in your personal performance.
To maintain your authenticated session and route data within the Service.
To deliver email about your account or material changes to the Service.
To comply with applicable law and enforce our Terms of Service.

We do not sell, lease, rent, or trade your data. We do not use your data for advertising, profile building, or any purpose unrelated to the analytics features described in this Policy. We do not use your data to train machine-learning models for the benefit of third parties.

4. Biometric Information Privacy

This section provides additional disclosures regarding the collection and handling of Biometric Identifiers and Biometric Information ("Biometric Data") under applicable state laws, including the Illinois Biometric Information Privacy Act ("BIPA"), 740 ILCS 14/1 et seq., the Texas CUBI Act, and the Washington Biometric Privacy Act.

Purpose of Collection

We collect Biometric Data solely for the purpose of computing the trading-analytics correlations described in Section 1 of this Policy. Biometric Data is collected only after you explicitly connect a biometric data source (WHOOP, Oura, Apple HealthKit, or similar) through the Service's Settings page. By connecting such a source you provide written informed consent to the collection, storage, and use of your Biometric Data.

Retention Schedule

We retain Biometric Data for as long as your account remains active and you continue to use the Service. Biometric Data will be permanently destroyed at the earlier of:

Three (3) years after your last interaction with the Service;
Thirty (30) days after you disconnect the relevant integration and request deletion of historical Biometric Data;
Thirty (30) days after the termination of your account; or
The date the initial purpose for collecting the Biometric Data has been satisfied.

Destruction

When Biometric Data is destroyed, we permanently delete it from our production database and any active backups within thirty (30) days. We do not retain copies for backup, archive, or any other purpose beyond the schedule above.

Disclosure and Sale

We do not sell, lease, trade, or otherwise profit from Biometric Data. We do not disclose Biometric Data to any third party except: (a) with your express written consent; (b) to complete a financial transaction you have requested; (c) as required by valid subpoena, warrant, or court order; or (d) as required by federal, state, or municipal law.

5. Where Your Data Is Stored

Data is stored in a PostgreSQL database hosted on Render (United States region). The application servers also run on Render. Render's infrastructure provides encryption in transit (TLS) and encryption at rest. We do not back data up to any other third-party service.

6. Data Retention

Apart from the Biometric Data schedule in Section 4, we retain your data for as long as your account remains active. If you disconnect a third-party integration via Settings, the OAuth token for that integration is deleted immediately. If you delete your account or request data deletion, we permanently delete your stored data within thirty (30) days of receiving the request, except where retention is required to comply with applicable law.

7. Your Rights

All Users

Disconnect any integration at any time from Settings → Integrations. Disconnecting deletes the OAuth token for that integration, stopping all future syncs.
Request export of all data we hold about you in a portable, machine-readable format.
Request deletion of all data we hold about you. We will fulfill verifiable deletion requests within 30 days.
Revoke this app's access to WHOOP, Oura, Google, or any other connected service through that service's own controls.

California Residents (CCPA / CPRA)

If you are a California resident, you have the right to: (a) know what personal information we collect, the sources, the purposes, and the categories of third parties (if any) with whom it is shared; (b) request access to or deletion of that personal information; (c) correct inaccurate personal information; (d) opt out of any "sale" or "sharing" of personal information; and (e) be free from retaliation for exercising these rights.

Do Not Sell or Share My Personal Information. Tradebio LLC does not sell or share personal information for cross-context behavioral advertising, and has not done so in the preceding twelve (12) months. If this changes, we will update this Policy and provide a clear opt-out mechanism.

Illinois Residents (BIPA)

Illinois residents have all the rights described in Section 4 above, including the right to revoke biometric consent and the right to receive a copy of our written biometric retention and destruction policy on request. To exercise these rights, use the contact information in Section 12.

European Residents (GDPR)

The Service is operated from the United States and is not directed to residents of the European Economic Area, the United Kingdom, or Switzerland. If you are a resident of one of these regions and you nonetheless use the Service, you have rights under the General Data Protection Regulation including access, rectification, erasure, restriction of processing, data portability, and objection. To exercise these rights, contact us using the information in Section 12.

8. Security

OAuth tokens and API keys are stored in our database in a per-user table and are accessed only by server-side processes that synchronize your data on your behalf. We do not log token values. Application access is restricted to authorized employees and contractors of Tradebio LLC. All connections to the Service and to the database use TLS 1.2 or higher. We follow industry-standard practices for credential hashing, session management, and access control.

No method of transmission or storage is one hundred percent secure. While we strive to protect your data, we cannot guarantee absolute security. If we become aware of a security breach affecting your data, we will notify you as required by applicable law.

9. Third-Party Services

The Service interacts with the following third parties on your behalf, only when you authorize the connection:

WHOOP API (api.prod.whoop.com)
Oura Cloud API (api.ouraring.com)
TopstepX / ProjectX Gateway API (api.topstepx.com)
Tradovate-based prop firm CSV exports (uploaded by you)
Apple HealthKit (via the Health Auto Export iOS app)
Google OAuth (sign-in)
Stripe, Inc. (for payments, when enabled)
Render (hosting and database)

Each third party has its own privacy policy. We encourage you to review them. The Service contains no advertising or cross-site tracking technology.

10. Children's Privacy

The Service is not directed to children under 18 and we do not knowingly collect personal information or biometric data from children. If we learn we have collected such information from a child under 18, we will delete it.

11. Changes to This Policy

We may update this Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. For material changes, we will provide notice via the Service or by email at least seven (7) days before the change takes effect.

12. Contact

For questions, to exercise any of your rights described in this Policy, or to revoke biometric consent:

Tradebio LLC
8735 Dunwoody Place STE R
Atlanta, GA 30350
Email: aamirsurani123@gmail.com