Privacy Policy

Last updated: 12 June 2026

This Privacy Policy explains how TomTech Digital SRL (CUI 52861283), operating the TradeEcho service at trade-echo.com ("we", "us", "our"), collects, uses, stores, and protects your personal data when you use our website, dashboard, and cloud sync API.

We process personal data in accordance with the EU General Data Protection Regulation (GDPR) and applicable Romanian data protection law.

1. Data controller

The data controller responsible for your personal data is TomTech Digital SRL, CUI 52861283, registered address: Aleea Calarasilor, Nr. 5, Bl. G, Ap. 54, 550344, Sibiu, Romania.

TradeEcho is the trade name of our MT5 copy-trading cloud service. For privacy enquiries or to exercise your rights, contact us at office@trade-echo.com.

2. What data we collect

We collect only the data necessary to provide the TradeEcho service:

  • Account data: name, email address, password hash (if you sign up with email), and profile image (if you sign in with Google).
  • Session data: authentication cookies, session tokens, and optionally your IP address and browser user-agent when you use the web dashboard.
  • Subscription data: plan tier, subscription status, and Stripe customer identifier. Payment card details are collected and stored by Stripe, not by us.
  • Trading sync data: broker company name, account balance, equity, open positions, and closed trade history sent by your MetaTrader 5 Expert Advisors. We do not collect your MT5 login number or trading account password.
  • EA API credential: your TradeEcho User ID, transmitted in the x-user-id header by EAs. Treat this as a secret — anyone with your User ID and an active subscription could access your sync API.
  • Onboarding data: whether you have completed the setup wizard.

3. How we use your data and legal bases

We process your personal data for the following purposes and on the following legal bases under GDPR Article 6:

  • Providing your account, dashboard, and cloud sync service — performance of our contract with you (Art. 6(1)(b)).
  • Processing subscriptions and billing via Stripe — performance of contract and legal obligation for financial records (Art. 6(1)(b) and (c)).
  • Securing the service, preventing abuse, and protecting API access — legitimate interest (Art. 6(1)(f)).
  • Google OAuth sign-in (if you choose it) — your consent at sign-in (Art. 6(1)(a)).
  • Responding to support requests and legal enquiries — legitimate interest or legal obligation, as applicable.

4. Cookies

We use strictly necessary session cookies to keep you logged in to the TradeEcho dashboard. These cookies are essential for the service and do not require consent under the ePrivacy Directive.

When enabled, we use Cloudflare Web Analytics on our marketing pages. This is a cookieless, aggregate analytics service that does not identify individual users and does not use advertising or third-party tracking cookies.

We do not use advertising or third-party tracking cookies. If we introduce other non-essential cookies in the future, we will update this policy and request your consent where required.

5. Third-party processors

We share personal data with trusted processors who help us operate the service. Each processor processes data only on our instructions and under appropriate data protection agreements:

  • Stripe — payment processing and subscription billing (stripe.com/privacy). Stripe acts as an independent controller for payment data it collects directly.
  • Neon — managed PostgreSQL database hosting for account and trading sync data.
  • Railway — application hosting and infrastructure.
  • Google — OAuth authentication, only if you choose to sign in with Google (policies.google.com/privacy).
  • Cloudflare — cookieless Web Analytics on marketing pages when enabled, and CDN/security for trade-echo.com (cloudflare.com/privacypolicy).

6. International data transfers

Some of our processors may store or process data outside the European Economic Area (EEA), including in the United States. Where such transfers occur, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the processor's compliance with applicable data protection frameworks.

7. Data retention

We retain your data only as long as necessary for the purposes described in this policy:

  • Account and profile data: retained while your account is active and for a reasonable period after a deletion request or account closure, unless a longer period is required by law.
  • Trading sync data: active positions are replaced on each master sync; closed trade history is retained while your account is active to power dashboard metrics.
  • Session data: retained until the session expires or you log out.
  • Billing records: retained as required by applicable tax and accounting law, in line with Stripe's retention practices.

8. Your rights under GDPR

If you are in the EEA or UK, you have the following rights regarding your personal data:

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — request correction of inaccurate data.
  • Right to erasure — request deletion of your data, subject to legal retention obligations.
  • Right to restriction — request that we limit how we use your data in certain circumstances.
  • Right to data portability — receive your data in a structured, machine-readable format where technically feasible.
  • Right to object — object to processing based on legitimate interests.
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior lawful processing.
  • Right to lodge a complaint — with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) at dataprotection.ro, or your local supervisory authority.

9. How to exercise your rights

To exercise any of the rights above, email us at office@trade-echo.com from the email address associated with your account. We will respond within one month, as required by GDPR. We may need to verify your identity before processing your request.

Account deletion is not yet available as a self-service option in the dashboard. Email us to request erasure of your account and associated data.

10. Security

We implement technical and organisational measures to protect your data, including HTTPS encryption, password hashing, and access controls scoped to your user account. Your TradeEcho User ID acts as an API credential — do not share it publicly or embed it in shared files.

11. Children

TradeEcho is not directed at children under 16. We do not knowingly collect personal data from anyone under 16. If you believe a child has provided us with data, contact us and we will delete it.

12. Trading data disclaimer

Trading data displayed in the dashboard or transmitted through our sync API is operational information about your MetaTrader accounts. It is not financial advice, investment research, or a recommendation to trade. Trading carries substantial risk of loss.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page with an updated date. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

For privacy questions or data subject requests: office@trade-echo.com

TomTech Digital SRL, CUI 52861283, Aleea Calarasilor, Nr. 5, Bl. G, Ap. 54, 550344, Sibiu, Romania