Last updated: 2026-06-12
Privacy Policy
This Privacy Policy explains how Trepeat ("we", "us") collects, uses, stores, and shares personal data when you use our services at trepeat.com and app.trepeat.com. We process personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR") and the Maltese Data Protection Act.
1. Data Controller
The data controller is Trepeat, a sole trader based in Malta. We are not required to appoint, and have not appointed, a Data Protection Officer; our data-protection contact point for all privacy enquiries is contact@trepeat.com.
2. Data We Collect
- Account data: email address, display name, account creation timestamp, and (if you enable two-factor authentication) an authenticator-app secret and bcrypt-hashed recovery codes (managed by Supabase Auth). We use passwordless authentication (magic links plus optional authenticator-based two-factor) and never store account passwords.
- Broker credentials: MetaTrader login, server, and password — encrypted at rest in Supabase Vault using authenticated encryption (libsodium AEAD via pgsodium). The plaintext password is never visible through the user interface or accessible to support staff.
- Broker account data: connected MetaTrader account IDs, broker server names, account balance and equity (read-only, fetched from MetaAPI), open positions, order history.
- Trade history: trades executed on the source account and the corresponding repeats on follower accounts, including symbol, volume, side, timestamps, latency, and status.
- Repeater configuration: source-to-follower links, contract multipliers and risk-scaling settings, symbol allowlists, symbol remapping rules.
- Payment data: billing address, last-four card digits, subscription status. Full card details are never stored on our servers — they are tokenised and held by Stripe.
- Technical data: IP address, user-agent, session timestamps, server logs, error reports.
3. Lawful Basis for Processing
We process personal data on the following lawful bases under Article 6 GDPR: (a) contractual necessity — operating the Service you have subscribed to; (b) legitimate interests — securing our infrastructure, preventing abuse, and improving the Service; (c) legal obligation — meeting accounting, tax, and regulatory requirements; and (d) consent — where you have given specific, freely given consent (e.g. optional product update emails).
Providing your account email is a contractual requirement to create an account, and providing your broker credentials is a contractual requirement to connect a trading account. If you do not provide them we cannot create your account or connect your accounts, and the Service will not function. All other data is provided voluntarily.
4. How We Use Your Data
- Provide, operate, and maintain the Service.
- Authenticate you and secure your account.
- Process payments, invoices, and refunds.
- Send transactional email (sign-in confirmations, billing receipts, security alerts).
- Detect, prevent, and respond to fraud, abuse, and security incidents.
- Comply with legal, accounting, and regulatory obligations.
- Provide customer support when you contact us.
We do not sell your personal data. We do not use your trade data to train machine-learning models or share it with advertisers. We do not carry out automated decision-making or profiling that produces legal or similarly significant effects concerning you.
5. Sub-Processors
We use the following sub-processors. Each is bound by a data processing agreement and processes personal data only on our documented instructions.
- Supabase (United States): primary database, authentication, encrypted vault for broker credentials.
- Stripe (United States / EU, PCI SAQ A): payment processing, billing, tax calculation.
- Amazon Web Services (United States, us-east-1): serverless functions (Lambda), trade-engine compute (ECS Fargate), Secrets Manager.
- MetaAPI (London, default region): connectivity to MetaTrader 4 and MetaTrader 5 broker servers.
- Cloudflare, Inc. (global edge network): DNS, edge CDN, DDoS protection.
- Resend (EU): transactional email delivery.
- PostHog (Frankfurt, Germany — EU region): product analytics. Receives an identify-payload (your Supabase user id, email address, display name, plan name, subscription status, and trial-used flag) once you have opted in, plus a closed-set event taxonomy covering signup, login, account connection, repeater lifecycle (created / started / stopped / archived / deleted), trade-copied (carrying only the repeater id — no symbol / side / qty / price), trade-flatten, checkout, and subscription state changes, plus page views. We do not autocapture clicks or keystrokes — only those explicit events. All analytics is disabled by default and runs only after you give explicit opt-in via the consent banner — until then PostHog captures nothing and sets no cookies. Session recording is disabled entirely. IP addresses are anonymised at ingest. Data residency is the EU (Frankfurt). You can withdraw consent at any time via the Cookie Preferences link in the footer, and we honour your browser's Do Not Track signal. You may also request manual opt-out by emailing support@trepeat.com with the subject "opt out of analytics."
6. International Data Transfers
Some of our sub-processors are based in the United States or other jurisdictions outside the European Economic Area. Transfers to these countries are protected by the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, supplementary technical measures (encryption in transit and at rest, key separation, access controls).
7. Data Retention
- Account data: retained for the lifetime of your account and deleted within 30 days of account closure, unless retention is required for legal or accounting reasons.
- Trade history: retained for the lifetime of your account so you have a complete journal. Exportable via CSV at any time.
- Payment data: billing records retained for ten (10) years to satisfy Maltese accounting and VAT obligations.
- Server logs: retained for 90 days for security and debugging, then deleted automatically.
- Broker credentials: deleted from Supabase Vault immediately upon account-removal request.
- Unactivated accounts: if you sign up but do not start a subscription within thirty (30) days, your account and any data it owns are automatically deleted (GDPR data minimisation). You receive an email warning seven (7) days before deletion. Subscribing within that window cancels the deletion.
8. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — request deletion of your personal data, subject to retention exceptions.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Restriction — request that we limit processing in specific circumstances.
- Objection — object to processing based on legitimate interests, including direct marketing.
- Withdraw consent — for any processing based on consent, at any time.
- Lodge a complaint with the Maltese Information and Data Protection Commissioner (idpc.org.mt) or your local data-protection authority.
Exercise any of these rights by emailing support@trepeat.com. We respond within 30 days.
9. Security
We apply industry-standard security measures including TLS 1.2+ in transit, AEAD (libsodium) authenticated encryption at rest for broker credentials in Supabase Vault, encryption at rest on the underlying database storage layer, key separation between the vault and the application database, row-level security on every public-schema table, and strict CORS allowlists on every Lambda endpoint. Read our vulnerability disclosure policy if you have identified a security issue.
10. Minors
The Service is not intended for individuals under 18. We do not knowingly collect personal data from anyone under 18. If you believe we have done so, contact us so we can delete it.
11. Changes to This Policy
We may update this Policy from time to time. When we make a material change we will revise the "Last updated" date above and notify registered users by email before the change takes effect. Continued use of Trepeat after the effective date constitutes acceptance of the revised Policy.
12. Contact
Privacy questions or requests: support@trepeat.com.