What we collect, why, how long we keep it, and how to delete it.
Effective: 2026-04-26 · Version: 1.0
TL;DR: Trading Hub is a static-JS app. Your scores, watchlists, journal entries, and settings are stored in your browser (IndexedDB), not on our servers. There are no user accounts, no analytics tracking, no advertising tracking, no third-party trackers. The only network traffic is to public data feeds (you can see them in DevTools) and — when you explicitly invoke an AI feature — to Anthropic's Claude API via our serverless proxy.
1. What we collect
1a. In your browser (never sent to us)
Data
Where
Why
Retention
Scores, factors, regime data
IndexedDB thv2-store
Caching for offline use + fast hot path
Until you clear browser data
Watchlist, journal, settings
localStorage
Persist your preferences across sessions
Until you clear browser data
Service-worker cache
Cache Storage
Offline shell + asset caching
Replaced on each cache-version bump
1b. Server-side (only when you make a request)
Data
When
Why
Retention
Request logs (IP, path, status, timing)
Every request
Vercel platform logs for debugging + abuse prevention
30 days
AI prompts (input only)
When you use /ask, /counter-thesis, /decision-replay, /daily-newsletter
Cost metering + abuse detection
30 days, then aggregated
Usage metering
Per AI call
Stay under Anthropic budget; circuit-break per Bible §15.3
90 days for ledger; rolling 24h for circuit breaker
We do not store: your name, email, address, payment info, broker credentials, holdings details (unless you opt-in to journal them locally), or any data tied to a personal identifier. There are no cookies set by Trading Hub itself.
2. Third parties we contact
Visible in DevTools → Network panel. All public, all read-only:
Anthropic Claude — only when AI features are explicitly invoked. Anthropic does not retain prompts for training when called via API per their data-retention policy.
Public data feeds — CoinGecko, Yahoo Finance, FRED, SEC EDGAR, FDA, EIA, IMF, DeFi-Llama, Tradier, Binance Futures, COT, Coinbase Exchange. See /trust for full list with TTLs.
3. What we do NOT do
No advertising tracking (no Google Analytics, no Facebook Pixel, no DoubleClick, no LinkedIn Insight, no nothing).
No selling data — we have no data to sell.
No fingerprinting or cross-site tracking.
No behavioural profiling.
No data brokers.
4. Your rights (GDPR / CCPA / NY SHIELD)
Because there are no user accounts and no server-side personal data tied to you, most rights are exercisable directly:
Right to access: Open DevTools → Application → IndexedDB / Local Storage / Cache Storage. That's everything.
Right to deletion: Browser → Site Settings → Clear data. Or: Settings page → "Reset all data" button.
Right to portability: Watchlist + journal export to CSV/JSON via the Settings page.
Not directed at children under 13. Per COPPA, we do not knowingly collect data from children. The Service has no signup flow, so no PII is collected from anyone — including children.
6. Security
See /.well-known/security.txt for the responsible-disclosure policy. Strict CSP, HSTS, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin enforced on every response.
7. Changes to this policy
Material changes announced 30 days in advance via /changelog. Versioned with effective date.