Privacy Policy
Last updated: April 2026
Note: This is a summary of our Privacy Policy. The complete, binding version with all 15 sections (including GDPR rights, third-party services, international data transfers, AI processing, browser extension) is available after login at app.tradephin.com/privacy.
1. Data Controller
TradePhin is operated by PhinLabs (Markus Egolf), based in Stäfa, Switzerland. For any privacy-related inquiries, contact us at markus@phin-labs.com.
2. Data We Collect
We collect only the data necessary to provide our service: email address, name, and trading data you voluntarily upload. We do NOT use tracking cookies, analytics tools, or advertising pixels.
2a. Cookies (strictly necessary only)
We only use strictly necessary cookies. The landing page (tradephin.com) itself sets no cookies at all — no tracking, no analytics, no marketing. The TradePhin app (app.tradephin.com) sets a single session cookie "tradephin.sid" (httpOnly, secure, 7-day lifetime) after login for authentication. This cookie is strictly necessary for operating the application and contains no personal data other than the session ID. We do not use Google Analytics, Facebook Pixel or any third-party trackers. Because we only use strictly necessary cookies, no cookie consent banner is required (Art. 6(1)(f) GDPR, legitimate interest).
3. Data Storage
All data is stored on servers in the European Union (Hetzner, Nuremberg, Germany). We do not transfer data outside the EU/EEA.
4. Paddle (Payment Processing as Merchant of Record)
We use Paddle.com Market Ltd as Merchant of Record for all payments. Paddle is the legal seller and contractual partner for the payment transaction.
- Data processed: Name, email, billing address, country, payment method, transaction history, IP address
- Purpose: Subscription billing, invoicing, VAT handling, fraud prevention
- Legal basis: Art. 6(1)(b) GDPR (contract performance), Art. 31 DPA (Switzerland)
- Registered office: Paddle.com Market Ltd, Judd House, 18-29 Mora Street, London EC1V 8BT, UK
- Data transfer: UK Adequacy Decision (EU Commission, 28 June 2021) + Standard Contractual Clauses
- Retention: As required by law (max. 10 years for tax records)
- Privacy Policy: paddle.com/legal/privacy
- Data Processing Agreement: Signed, available upon request
4a. Databento (Market Data)
For historical chart data (OHLCV) and backtesting analysis we use the Databento API. Only anonymous market data requests (symbol, date, timeframe) are sent — NO personal data, NO user IDs, NO emails are transmitted to Databento. Legal basis: Art. 6(1)(f) GDPR (legitimate interest in accurate market data). Privacy policy: databento.com/privacy
5. AWS Bedrock (AI Processing)
Phin AI uses AWS Bedrock in the eu-central-1 region (Frankfurt, Germany) with Claude models from Anthropic. AWS Bedrock is certified under the EU-US Data Privacy Framework (EU Commission Adequacy Decision of 10 July 2023). Additionally, Standard Contractual Clauses (SCCs) apply as a second legal basis. All data transfers are encrypted with TLS 1.3. AWS uses a Zero-Data-Retention configuration for Bedrock — your requests are NOT used for model training and NOT stored at AWS or Anthropic.
6. Your Rights (GDPR Art. 15-22 & nDSG Art. 25)
You have the right to access, correct, export, and delete your data, to restrict its processing, and to data portability at any time. You may also lodge a complaint with the competent supervisory authority (Switzerland: FDPIC, EU: your member state's data protection authority). Contact markus@tradephin.com to exercise these rights.
Privacy inquiries: markus@phin-labs.com