~ what we keep, what we don't ~
Privacy Policy
Last updated: 17 April 2026
1. What we collect
When you use MrPaperTrade we store:
- Account data — email (required for login + password reset), hashed password (see section 7).
- Profile data — username, avatar, bio (all optional and under your control).
- Activity data — your trades, positions, orders, holdings, virtual balance, watchlist, and follows. Trades and positions are visible on the public leaderboard by default; you can flip your profile to private at any time.
- Technical data — IP address and user-agent for rate limiting and abuse prevention.
We do not collect payment information, government ID, bank details, or brokerage credentials. There is nothing to collect — no real money is involved.
2. How we use it
- To run the simulator — your trades must be stored for the sim to work.
- To show the public leaderboard and community feed (public profiles only).
- To send account-related emails (password reset, security notices). We do not send marketing email.
- To prevent abuse (rate limiting, spam detection).
We do not sell your data. We do not share it with advertisers.
3. Third parties
Your data is processed by:
- Supabase — database, authentication, realtime sync. Hosted on their cloud; see supabase.com/privacy.
- Vercel — application hosting and edge network. See vercel.com/legal/privacy-policy.
- Market data providers (Binance, Bybit, Alpaca, Yahoo, TradingView) — we fetch public price data from these; we do not send them any information that identifies you.
4. Your rights (GDPR / UK GDPR)
You can:
- Access your data — available in the app (portfolio, trade history export).
- Correct your data — via your profile settings.
- Delete your data — use "Delete account" in your profile menu. This permanently removes your profile, trades, positions, holdings, and follows from our database. This action is irreversible.
- Export your data — download your trade history as CSV or JSON from the portfolio page.
- Object to processing — set your profile to private, or delete your account.
- Complain to a supervisory authority (e.g. the UK's ICO, or your national data-protection regulator).
5. Data retention
Account data and trading history are kept while your account is active. When you delete your account, all personal data is removed within 30 days.
6. Cookies
We use session cookies to keep you logged in. We do not use advertising cookies or third-party tracking cookies.
7. Security
Passwords are hashed with industry-standard algorithms and never stored in plaintext. Traffic is encrypted in transit (TLS). Database access is restricted by row-level security so users can only read their own data (plus any profiles that other users have chosen to make public). No system is 100% secure; if we discover a breach affecting you, we'll notify you promptly.
8. Contact
For any privacy request — access, correction, deletion, or a question — contact us via the site.
This is a placeholder template. Before launch, review with a qualified lawyer in your jurisdiction and update accordingly.