Privacy Policy
Last updated: 2026-06-22
This Privacy Policy explains how personal data is processed when you use the application provided at deeptrading.io (the “Service”). The controller is based in Switzerland and the Swiss Federal Act on Data Protection (revFADP) applies. For users resident in the EU/EEA, the General Data Protection Regulation (GDPR) may additionally apply; the legal bases cited under Art. 6 GDPR apply insofar as the GDPR is applicable.
1. Controller
Controller within the meaning of the revFADP (and, where applicable, Art. 4(7) GDPR):
Hentschel Consulting GmbH
Sandmatte 2a, 5712 Beinwil am See, Switzerland
Email: support@deeptrading.io
Data protection contact: support@deeptrading.io. An EU representative under Art. 27 GDPR has not currently been appointed; please direct any requests to the contact address above.
2. Categories of data processed
- Account data: email address, password (stored only as a cryptographic hash), optional name and avatar, language/display preferences, verification and password-reset tokens.
- Contract and payment data: selected plan, subscription/billing status, customer ID at the payment provider. Payment details (e.g. card data) are processed solely by the payment provider.
- Usage and content data: chat history and messages, uploaded attachments, generated documents, investment profile (e.g. goal, risk capacity, horizon, regions, sectors, ESG preferences, savings goal), portfolio data (securities, transactions, cash balances), notifications and usage counters.
- Technical data: IP address, timestamps, server logs, device/browser information, and data used for bot detection and rate limiting.
- Shared content (share links): when you share an analysis result, we create a publicly accessible page under a random address containing only privacy-preserving metrics (e.g. percentage performance, scores, benchmark and security names, as-of date) — no position sizes, amounts, portfolio values, profile data or rationale text.
3. Purposes of processing
As a controller based in Switzerland, we primarily follow the data processing principles of the revFADP in our processing (lawfulness, good faith, proportionality, purpose limitation, transparency and data security, Art. 6 revFADP). The revFADP does not require a specific “legal basis” for processing by private persons. The GDPR legal bases cited below apply only where the GDPR is applicable to you (users in the EU/EEA).
We process account, content and usage data to register, authenticate and provide the contractually agreed features. For paid subscriptions we process contract/billing data and transmit the required data to our payment provider. To generate analyses, your inputs and relevant profile/portfolio data are transmitted to and processed by a specialised AI processor — please do not enter sensitive personal data (Art. 5(c) revFADP / Art. 9 GDPR). We send transactional emails. For security and abuse prevention we use rate limiting and bot detection, and where enabled process aggregated diagnostics to improve stability – including error reports and a pseudonymised session replay via Sentry (Functional Software, Inc.), in which entered text, form fields and media are masked by default so that portfolio and financial data are not recorded in clear text; you can object via the settings opt-out. Where the GDPR applies, the legal bases are Art. 6(1)(b), (c) and (f) GDPR as relevant to each purpose.
At your explicit request, you can share individual analysis results via a link. This creates a page accessible without login under a random, unguessable address that contains only the privacy-preserving metrics described above and is excluded from search engine indexing (noindex). The associated preview image (Open Graph) is generated on our own infrastructure (hosting provider Vercel); we do not actively transmit any data to social media providers. However, if you share a link on a social network or messenger, that provider retrieves the page itself to generate a preview and thereby receives the privacy-preserving values contained in it. The page contains no reference to your person or account. You can revoke a shared link at any time, after which the page is no longer accessible. Where the GDPR applies, the legal basis is your consent (Art. 6(1)(a) GDPR) and contract performance (Art. 6(1)(b) GDPR).
4. Market data and news
To answer your requests, the Service retrieves market data (e.g. quotes, FX rates, metrics) and news from external sources. No account identifiers are transmitted to these sources.
5. Cookies
We use strictly necessary cookies for login/session management and to store preferences such as language and theme, based on our legitimate interest in a secure and functional service (where the GDPR applies: Art. 6(1)(f) GDPR).
6. Recipients and processors
We use carefully selected providers as processors, whose processing takes place on the basis of the respective data processing clauses of the providers (Art. 9 revFADP; where applicable Art. 28 GDPR), in particular: Vercel Inc. (hosting, CDN, serverless infrastructure, bot detection and routing of AI requests via the Vercel AI Gateway); Neon Inc. (managed PostgreSQL database); Anthropic, PBC, provided via Amazon Web Services (AWS Bedrock), for processing AI analysis requests; Stripe, Inc. (payment processing); Resend (Plus Five Five, Inc.) (transactional email delivery); Sentry (Functional Software, Inc.) (error and performance monitoring as well as session replay for stability improvements); and Upstash, Inc. (Redis service for rate limiting and session security). A current overview is available on request.
7. International transfers
Some providers may process data outside Switzerland and the EEA (notably the USA). Where data is disclosed to a country without an adequate level of protection, we ensure appropriate safeguards, e.g. Standard Contractual Clauses (recognised by the Swiss Federal Data Protection and Information Commissioner, FDPIC, and/or the EU Commission) or Swiss-US / EU-US Data Privacy Framework certification. Some of the providers named above are based in the USA; transfers take place on the basis of the safeguards described.
8. Retention
We retain personal data only as long as necessary for the stated purposes or required by law. You can delete chats and generated documents yourself; certain data (e.g. a portfolio’s transaction history) is kept for functional integrity while the portfolio exists. On account deletion, associated data is deleted unless retention obligations apply (e.g. invoicing data, typically up to 10 years).
9. Your rights
Under the revFADP you have in particular the right to information (access), to rectification of inaccurate data, and to obtain or transfer your data, as well as the right to request deletion or blocking or to object to processing. Where the GDPR applies, you additionally have the following rights:
- access (Art. 15), rectification (Art. 16), erasure (Art. 17);
- restriction (Art. 18), data portability (Art. 20);
- objection to processing based on Art. 6(1)(f) (Art. 21).
You may withdraw consent at any time with effect for the future. To exercise your rights, contact us using the details above. You also have the right to lodge a complaint with the competent authority — in Switzerland the Federal Data Protection and Information Commissioner (FDPIC, edoeb.admin.ch); where the GDPR applies, also a supervisory authority in your country of residence.
10. Changes
We update this policy when our processing or the legal framework changes. The version published on this page applies.