ArbiTrade

Privacy Policy

Last updated: 1 June 2026

1. Overview

This Privacy Policy describes how ArbiTrade (“we”, “us”) collects, uses, and protects personal information in connection with the arbitrade.app platform. By using the Platform you agree to the collection and use of information consistent with this Policy.

2. Information we collect

We collect the following categories of information:

  • Account data: name, work email, company, role, tier, terms-acceptance timestamp.
  • Usage data: pages viewed, signals interacted with, RFQs created, RFQ recipients selected, search queries.
  • Communications data: outbound RFQ subjects, body previews, recipient addresses, SMTP message IDs, send timestamps. Reply content is not stored unless explicitly forwarded by you.
  • Technical data: IP address, browser, device, approximate location derived from IP.
  • Counterparty data: publicly listed names, emails, phone numbers, and corporate details of brokers, traders, suppliers, buyers, finance providers, logistics, and inspection companies.
  • Payment data (paid tiers): handled by our payment processor; we do not store full card numbers.

3. How we use information

We use information to:

  • Provide, operate, and improve the Platform.
  • Compute and surface arbitrage signals and route RFQs to selected counterparties.
  • Audit RFQ and outreach activity for fraud, spam, and abuse prevention.
  • Communicate with you about your account, billing, and product updates.
  • Comply with applicable legal obligations.

4. Lawful Basis for Processing (EU/UK GDPR)

Where applicable under GDPR and UK GDPR, we process personal information on the following lawful bases:

  • Contract (Article 6(1)(b)): Processing is necessary to provide the Platform and fulfil subscription agreements.
  • Legitimate Interest (Article 6(1)(f)): We process contact and CRM data for B2B counterparty due diligence, fraud prevention, and service improvement. Our legitimate interests are balanced against your privacy rights.
  • Consent (Article 6(1)(a)): Marketing emails, waitlist signups, and non-essential analytics require your explicit consent.
  • Legal Obligation (Article 6(1)(c)): Processing necessary to comply with legal requirements (e.g. sanctions screening, tax/regulatory reporting).

5. Sharing and third parties

We share information only with the following categories of recipients, all under contractual confidentiality:

  • Supabase — database, authentication, and storage.
  • Vercel — hosting and edge delivery.
  • Google (Gmail SMTP) — email dispatch for RFQs and account notifications.
  • Anthropic via OpenRouter — LLM processing of pasted broker messages (for content moderation and signal enrichment).
  • Paddle (when billing is enabled) — subscription payment processing.
  • Government and legal authorities — only where compelled by law, subpoena, or court order.

We do not sell personal information. We do not share information with advertisers. Counterparty contact data in the curated database is not sold or shared outside the Platform.

6. Data Subject Rights (EU/EEA & UK)

Under GDPR Articles 15–22 and UK GDPR equivalents, EU/EEA and UK residents have the following rights:

  • Right of Access (Article 15): You may request a copy of the personal data we hold about you.
  • Right of Rectification (Article 16): You may request correction of inaccurate or incomplete data.
  • Right of Erasure (Article 17): You may request deletion of your personal data, subject to legal retention obligations.
  • Right of Data Portability (Article 20): You may request your data in a portable, machine-readable format.
  • Right to Restrict Processing (Article 18): You may request that we limit processing of your data while a complaint or accuracy claim is under review.
  • Right to Object (Article 21): You may object to processing based on legitimate interest. We will then balance our interests against your rights.
  • Right to Withdraw Consent (Article 7): If processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

7. Data Retention

Account and audit data is retained for the duration of the subscription plus 6 years (to meet regulatory retention obligations for trade documentation). RFQ and outreach send logs are retained for 3 years for compliance and dispute-resolution purposes. Contact records for active counterparty relationships are retained for the duration of the relationship plus 6 years, then anonymised. Telegram intelligence data is retained for 90 days unless promoted to an audited price quote.

8. Data Processor / Sub-Processors

Where ArbiTrade acts as a data processor on behalf of a user (e.g. when users upload their own contact lists), the user is the data controller and bears responsibility for lawful basis and GDPR compliance. The following sub-processors are authorised:

  • Vercel (hosting and edge delivery)
  • Supabase (database and storage)
  • Anthropic via OpenRouter (LLM processing)
  • Google (Gmail SMTP for transactional email)

9. How to Exercise Your Rights

To exercise any of the rights above (access, rectification, erasure, portability, restriction, objection, or consent withdrawal), email support@arbitrade.app. Please include your name, email, and a clear description of your request. We will respond within 30 days, or notify you if an extension is needed due to complexity or volume.

10. Your rights (General)

Depending on your jurisdiction, you may have the right to access, correct, delete, port, or restrict processing of your personal information, and to object to processing. EU/UK users have rights under GDPR; California users have rights under CCPA. To exercise any of these rights, email support@arbitrade.app.

11. Security

We employ technical and organizational measures including encryption in transit (TLS), encryption at rest (Supabase / Vercel infrastructure), least-privilege access, and audit logging. No system is perfectly secure; you acknowledge that use of the Platform involves residual risk.

12. International transfers

ArbiTrade infrastructure is hosted in multiple regions including the European Union and the United States. By using the Platform, you consent to the transfer of your information across these jurisdictions, subject to applicable safeguards (Standard Contractual Clauses where relevant).

13. Cookies

We use a minimum of essential cookies for authentication and session management. We do not use third-party advertising or behavioural-tracking cookies. We may use privacy-respecting analytics (such as Plausible or Fathom) to measure aggregate Platform usage.

14. Children

ArbiTrade is a business product and is not directed to individuals under 18. We do not knowingly collect personal information from children.

15. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or in-Platform notice. Continued use after notice constitutes acceptance.

16. Contact

Privacy questions or rights requests: support@arbitrade.app.

This Privacy Policy is provided as a starting framework and does not constitute legal advice. You should consult counsel licensed in your jurisdiction before relying on it for regulated activities.