Privacy Policy

Last updated: May 21, 2026. Version 1.0 (pilot launch).

Plain-English summary. We collect your email, your (encrypted) Alpaca API credentials, and the trades your bot makes. We use it to run your bot. We don't sell or share your data. You can delete your account any time.

1. Who we are

The Trading Optimizer is software-as-a-service that connects to your Alpaca paper trading account and runs automated trades according to a strategy you select. These privacy practices apply to thetradingoptimizer.com and any subdomains.

2. Data we collect

Information you provide directly

| Data | Why we collect it | How we protect it |
|---|---|---|
| Email address | Account identification, authentication, security alerts, opt-in trade notifications | Stored in Cognito + DynamoDB, encrypted at rest with AWS KMS |
| Password | Account authentication | Hashed by Cognito (SRP); we never see the plaintext password |
| Alpaca API key + secret | Required to execute trades on your behalf | Envelope-encrypted with a dedicated AWS KMS key (cred-cmk) before storage. Decryptable only by the bot worker. Never logged in plaintext. |
| Strategy selection | Determines which trading algorithm runs on your account | Stored in DynamoDB, encrypted at rest |
| Notification preferences | Controls which emails we send you | Stored in DynamoDB, encrypted at rest |

Information we generate from your usage

| Data | Why |
|---|---|
| Trade history (orders placed by the bot) | To populate your dashboard; for performance analytics |
| Daily P&L, equity curve, win rate | To populate your dashboard |
| Audit log of account actions | Security, debugging, and (rare) admin support cases |
| Server logs (IP, user-agent, timestamps) | Security, abuse prevention, debugging. Retained 30 days. |

What we DO NOT collect

3. How we use your data

4. Who we share data with

We share the minimum data required to provide the Service with these subprocessors:

| Subprocessor | What they see | Why |
|---|---|---|
| Amazon Web Services (AWS) | All data (we host everything here) | Cloud infrastructure: Cognito, DynamoDB, Lambda, KMS, SES (email delivery), EC2 |
| Alpaca Markets, Inc. | Your API key + secret + trade requests we submit on your behalf | To execute trades on the account you authorized |
| (Future) Stripe | Payment data (card, billing address) — never your trading data | If/when we add paid tiers, payments are processed by Stripe |

We do NOT sell your data, share it for marketing purposes, or transfer it to third parties for any purpose unrelated to providing the Service.

We may disclose data if required by a valid legal process (subpoena, court order, regulatory request) — we will notify you unless legally prohibited from doing so.

5. Where your data lives

All data is stored in AWS data centers in the US East (N. Virginia) region. We may add multi-region replication for redundancy; we will not store your data outside the US.

6. How long we keep your data

7. Your rights

You have the right to:

California residents have additional rights under the CCPA. EEA / UK residents have additional rights under GDPR. Email us to exercise any of these rights.

8. Cookies + tracking

We use a minimal set of essential cookies for authentication (Cognito session tokens). We do NOT use:

If we add basic analytics later (e.g., for sign-up funnel optimization), we will use a privacy-respecting tool (e.g., Plausible, Fathom) and update this policy.

9. Security

Despite reasonable safeguards, no system is impenetrable. If we detect a breach affecting your data, we will notify you by email within 72 hours.

10. Children

The Service is not for children. We do not knowingly collect data from anyone under 18. If we learn we have collected data from a child, we will delete it.

11. Changes to this policy

We may update this policy from time to time. Material changes will be emailed to users with at least 14 days' notice. The "Last updated" date at the top of this page indicates when the policy was last revised.

12. Contact

Questions, requests, or complaints? Email support@thetradingoptimizer.com.