← Diehard Trader/Privacy Policy

Privacy Policy

Effective date: 22 May 2026 Last updated: 11 June 2026

This Privacy Policy describes how Ask AI Trade, Raipur, Chhattisgarh, India ("we", "us", "our") collects, uses, discloses, and protects personal information when you use Diehard Trader (the "Service") through diehardtrade.com, diehardtrader.com, the dashboard, the MetaTrader 5 expert advisor ("EA"), and any related API.

We are the data controller (under GDPR / UK GDPR) and data fiduciary (under India's Digital Personal Data Protection Act 2023, "DPDP Act") for the personal data described below.

By using the Service you confirm that you have read and understood this Policy. If you do not agree, do not use the Service.


1. What personal data we collect

We deliberately collect the minimum data needed to run the Service. We do not sell personal data, we do not use it for behavioural advertising, and we do not run third-party advertising or marketing trackers on the dashboard.

1.1 Data you give us directly

  • Account data. Email address and a password (stored only as a one-way hash by Supabase, our authentication provider — we never see your plaintext password).
  • Billing data. Subscription plan you select (monthly or yearly), preferred payment provider (Razorpay or PayPal), and any billing details you choose to share with us by email. Card numbers, bank details, UPI IDs, and PayPal credentials are entered directly with the payment provider and are never transmitted to or stored on our servers. We only receive a provider-side customer reference, a subscription ID, payment status, and the amount charged.
  • Support correspondence. Anything you send to [email protected], including any details voluntarily included in support messages.

1.2 Data the Service generates while you use it

  • License data. A license key and an API key used by the EA to authenticate to our backend.
  • Username. When you sign up we assign a default public username, which you can change in your settings. Your username — not your email or real name — is the identifier shown next to your live traders' activity on our public live feed (see section 1.5).
  • Connected terminals. Identifiers of the MT5 terminals you connect (broker name, account login number, terminal build, last-seen timestamp). We do not receive your broker password.
  • AI trader configurations. The traders you create — their mandate, markets, indicators, active schedule, and the hard risk limits you set — described by you in plain English and stored in structured form.
  • AI decisions, theses, and journals. For each trader, the decisions the AI makes on its heartbeat, the rationale ("thesis") behind them, the guardrail checks they passed, and the journal notes the trader writes after a trade. Paper traders also generate a simulated trade record and equity history.
  • Executions. For a trader you have switched to live, each order placed on your MT5 account — timestamp, license, the trader's routing number, symbol, side, volume, requested and executed price, broker response code, profit/loss on close, and any broker error.
  • AI usage. A metered record of how much AI your account consumes (token counts and cost), used to manage your AI-credit balance and budget. It records that the AI ran and how much it cost — not the content of market data.
  • Failures and diagnostic events. Errors and rejections returned by the broker or generated inside the EA, including stack traces and timestamps.
  • Audit log. Security- and billing-relevant events — for example, login, subscription start/cancel/renewal, license rotation, password change, suspicious access — along with the IP address of the actor and minimal metadata about the event.
  • AI assistant conversations. Messages you send to our in-product AI assistants — the public "Ask AI" guide on our website and the in-dashboard support assistant — together with the assistant's replies. For the public assistant (which you can use before you sign in) we store the conversation with a one-way hashed network identifier rather than your IP address; for the dashboard assistant we associate the conversation with your account. We use these conversations to provide the assistant features, to maintain their quality and safety, and to produce internal summaries — including an automated daily summary report that a member of our team reads — that help us understand what users need and improve the Service. Authorised members of our team may also review individual conversations for support, safety, and quality purposes. Our AI provider processes these messages to generate replies but does not use them to train its models.

1.3 Data collected automatically

  • Network metadata. When you visit the website or the dashboard, our reverse proxy (nginx, behind Cloudflare) logs the request IP address, user agent, requested path, response status, and timestamp. This is standard server logging used for security, abuse prevention, and debugging.
  • Authentication cookies. A Supabase session cookie is set after sign-in. It is required to keep you signed in and to enforce access controls. We do not use marketing, advertising, or analytics cookies. See section 8 for details.
  • Error telemetry. Application errors (both browser and server) are forwarded to Sentry, our error-monitoring provider. Telemetry can include stack traces, the requested route, the browser type, and an internal user identifier; it can incidentally include the IP address of the request. We have configured Sentry to scrub obvious secrets (auth tokens, cookies, passwords, API keys) before they are stored.

1.4 What we do not collect

  • We do not collect your broker password.
  • We do not receive or store credentials for any charting platform or third-party site.
  • We do not collect bank account numbers, card numbers, UPI IDs, or PayPal credentials.
  • We do not collect government identification (Aadhaar, PAN, passport, driver licence) from end users. Payment providers may collect these directly during their own KYC; that data is governed by their privacy policies, not this one.
  • We do not collect biometric data, precise GPS location, health data, or any data about minors (the Service is restricted to adults — see section 11).

1.5 What is shown on the public live feed

To let prospective and current users see the Service in action, we operate a public page at /live that shows a real-time, scrolling feed of trades placed by live AI traders across the Service. This page is visible to anyone, including people who are not signed in.

For each qualifying trade, the feed shows: your username (never your email, real name, trader name, broker, or account number), the instrument, the direction (buy/sell), the entry, stop-loss, and take-profit prices, the position size, whether the position is open or closed, the realised profit or loss once closed, the timestamps, and the short rationale ("thesis") the AI recorded for the trade.

Key points:

  • Only live trades appear. Trades made by paper traders are never shown.
  • It is pseudonymous. Only your chosen username is shown. We do not publish anything that identifies you personally, nor your account balance, broker, trader mandate, or configuration.
  • It stores nothing new. The feed is generated on demand from your existing execution records; it does not create a separate store of personal data.
  • How to avoid appearing. Keep your traders on paper (paper trades never appear), and/or email us at [email protected] to ask that your live activity be excluded from the feed — we will honour reasonable requests. You can also change your username at any time in settings.

By switching a trader to live, you acknowledge that the trade information described above will be displayed on this public feed under your username. This is also covered in the Terms of Service.

2. How we use personal data, and the legal basis

Purpose Data used Legal basis (GDPR / UK GDPR)
Create and authenticate your account Email, password hash, session cookie Contract (Art. 6(1)(b))
Run the AI traders you create and route their live orders to your MT5 terminals Trader configurations, AI decisions/theses/journals, license & API key, terminal identifiers, execution records, AI-usage records Contract
Process subscription payments and renewals Email, plan, provider subscription/customer IDs, payment status Contract
Send service emails (sign-in, password reset, billing receipts, security alerts) Email Contract
Prevent abuse, detect fraud, secure the Service, enforce these terms IP, user agent, request logs, audit log, failures Legitimate interest (Art. 6(1)(f)) — running a secure trading-adjacent platform
Debug and improve reliability Error telemetry, failures, server logs Legitimate interest
Comply with tax, payment-regulation, anti-money-laundering, and other legal requirements Billing data, audit log Legal obligation (Art. 6(1)(c))
Respond to your support requests Support correspondence Contract + Legitimate interest
Provide our AI assistants and improve the Service from what users ask AI assistant conversations (messages and replies) Contract (in-dashboard assistants) + Legitimate interest (public pre-sign-in assistant; understanding user needs and improving the Service)

We will only use your data for a different purpose if it is compatible with the original purpose, you have consented, or the law requires or permits it.

Under the DPDP Act (India), our processing is grounded in (i) the contract between us and (ii) the specified legitimate uses set out in section 7 of the Act (e.g., complying with law, responding to medical emergencies as required, employment-related — only the relevant ones apply here).

3. Who we share personal data with

We share data only with the third parties listed below, and only to the minimum extent needed for them to deliver their service. All are bound by their own terms and privacy/security obligations. We do not sell or rent personal data to anyone. (Separately, certain pseudonymous trade information from live traders is shown on our public live feed under your username — see section 1.5.)

Sub-processor What it processes Where Purpose
Supabase (Supabase, Inc.) Account data, license data, subscription records, AI trader configurations and decisions/journals, executions, failures, AI-usage records, audit log, AI assistant conversations South Asia (Mumbai, India) Database, authentication, transactional emails
Anthropic (Anthropic PBC) For your AI traders: the trader's mandate and the public market data/indicators it observes, to produce each trading decision. For the assistants: your messages and (for the dashboard assistant) relevant account context. Plus the generated outputs. US Power the autonomous AI traders and the assistants. Does not train on your data.
Razorpay (Razorpay Software Pvt. Ltd.) Email, billing details, payment data India Process INR subscription payments
PayPal (PayPal Holdings, Inc.) Email, billing details, payment data US / global Process USD subscription payments
Hostinger (Hostinger International Ltd.) Server logs, all data stored on the VPS EU (Mumbai region used here) Hosting the backend and dashboard
Cloudflare (Cloudflare, Inc.) IP, request metadata, TLS termination Global edge DDoS protection, CDN, DNS
Sentry (Functional Software, Inc.) Error telemetry, stack traces, route, user id, incidental IP US / EU Error monitoring and debugging
UptimeRobot (UptimeRobot Service Provider Ltd.) Public health-check endpoint responses only — no personal data Global Uptime monitoring

We may also disclose personal data:

  • to comply with a lawful request from a court, regulator, tax authority, or law-enforcement body with jurisdiction over us;
  • to enforce our Terms of Service;
  • to protect the rights, property, or safety of Ask AI Trade, our users, or the public;
  • in connection with a merger, acquisition, or asset sale, in which case we will give notice before personal data is transferred and becomes subject to a different privacy policy.

4. International transfers

Some of our sub-processors are located outside India and outside the European Economic Area (in particular, the United States). Where we transfer personal data internationally:

  • For transfers from the EEA/UK to a country without an adequacy decision, we rely on the EU Standard Contractual Clauses (and UK equivalents) put in place by the sub-processor, supplemented by appropriate technical and organisational safeguards (encryption in transit, encryption at rest, access controls).
  • For transfers from India, we transfer only to countries that are not restricted by the Government of India under section 16 of the DPDP Act, and we apply equivalent contractual safeguards.

You can request a copy of the safeguards in place for any specific transfer by writing to us at [email protected].

5. How long we keep your data

We keep personal data only as long as needed for the purposes set out above, or as required by law.

Category Retention
Account data While your account is active, plus 30 days after deletion (to allow account recovery), unless you ask us to delete sooner.
Username and public profile While your account is active; removed or anonymised when you close your account. The public live feed (section 1.5) is generated on demand from your execution records and stores no additional data.
License and connected-terminal data While the license is active, plus 90 days, then deleted.
AI decisions, executions, and trade records 24 months rolling, then deleted. We keep this long enough to support customer dispute resolution.
Failures and diagnostic events 12 months, then deleted.
Audit log 7 years from the event — required for tax, anti-money-laundering, and dispute defence.
Server logs (nginx, fail2ban) 90 days rolling on the VPS.
Error telemetry (Sentry) 90 days rolling, per Sentry's default retention.
Billing records (invoices, payment status) 7 years from the financial year, as required by Indian tax law.
Support correspondence 24 months from the last contact.
AI assistant conversations (public "Ask AI" and dashboard support assistant) 90 days rolling, then automatically deleted.
AI trader configurations, decisions, theses, and journals Kept as your account content while your account is active; deleted when you delete the trader or close your account.
AI-usage (credit metering) records 24 months rolling, then deleted.

When retention expires, data is either deleted or anonymised. Anonymised data may be kept indefinitely for aggregate analytics.

6. Your rights

Depending on where you live, you have the following rights. Some rights have conditions and exceptions — we will explain in our response if any apply.

6.1 Under GDPR / UK GDPR (EEA + UK residents)

  • Access the personal data we hold about you and receive a copy.
  • Rectify inaccurate or incomplete data.
  • Erase ("right to be forgotten") your data, subject to legal retention obligations (e.g., we cannot delete invoices we are required by tax law to keep).
  • Restrict processing while a dispute or correction is pending.
  • Object to processing carried out on the basis of legitimate interest.
  • Portability — receive your data in a structured, machine-readable format.
  • Withdraw consent at any time, where processing is based on consent (without affecting the lawfulness of earlier processing).
  • Lodge a complaint with your local supervisory authority. (You can find a list of EU authorities at edpb.europa.eu. The UK supervisory authority is the ICO at ico.org.uk.)

6.2 Under the DPDP Act 2023 (India residents)

  • Access a summary of the personal data we process about you and the identities of the data fiduciaries / processors we have shared it with.
  • Correction, completion, updating, or erasure of your personal data.
  • Grievance redressal — escalate any complaint to our Grievance Officer (section 12).
  • Nominate another person to exercise these rights on your behalf in case of death or incapacity.
  • Withdraw consent where processing is based on consent.

6.3 How to exercise your rights

Email [email protected] from the address registered on your account, describing your request. We will respond within:

  • 30 days for GDPR / UK GDPR requests (extendable by up to 60 days for complex requests, with notice).
  • The timeframes set by the DPDP Act for India residents.

We may need to verify your identity before fulfilling a request that would expose personal data.

7. Security

We take security seriously and have put in place technical and organisational measures to protect personal data, including:

  • TLS encryption in transit for all dashboard and API traffic;
  • Encryption at rest at the database layer (Supabase / Postgres);
  • Row-Level Security policies so users only access their own data;
  • HMAC-signed signal transport between the dashboard, backend, and EA;
  • API key rotation for licenses;
  • Key-only SSH and a firewall (ufw) on the production VPS, with fail2ban blocking brute-force attempts;
  • Auditing of security-relevant events;
  • Least-privilege access — only the operator (currently the sole proprietor) has administrative access.

No system is perfectly secure. If we become aware of a personal-data breach that is likely to result in a risk to your rights and freedoms, we will notify the appropriate supervisory authority within 72 hours (where GDPR applies) and notify you without undue delay where required.

8. Cookies

We use only strictly necessary cookies:

  • Supabase session cookies — keep you signed in and enforce access controls. Without them the dashboard cannot function.
  • CSRF / security cookies — protect form submissions and authentication flows.

We do not use marketing, advertising, retargeting, social-media tracking, or analytics cookies, and we do not embed third-party advertising tags. Because we only use strictly necessary cookies, we do not show a cookie consent banner — your continued use of the dashboard implies acceptance of cookies that are essential to the Service. You can clear cookies in your browser at any time; if you do, you will need to sign in again.

9. Automated decision-making

The core of the Service is automated. Once you create an AI trader, set its mandate and risk limits, and — for live trading — explicitly switch it to live, the AI makes trading decisions and, for live traders, places the corresponding orders on your connected MT5 account automatically, without a human reviewing each one. These decisions can significantly affect you because they involve your money.

This automated processing is something you request and configure as the very service you sign up for. It operates only within the parameters and hard limits you set, on a broker account you open and control. Every trader starts on paper (no real money); no trader trades real funds unless you authorise it; and you can change a trader's limits or pause, stop, or revert it to paper at any time. To the extent Article 22 GDPR (and equivalent laws) applies, this processing is carried out because it is necessary to provide the service you have contracted for and on your explicit instruction. You may obtain human intervention from us, express your point of view, or contest a decision by writing to [email protected] — but for anything time-sensitive you should use the in-product controls (pause, stop, kill, or revert to paper), which take effect immediately.

We do not use automated decision-making to evaluate or profile you (for example, for pricing, credit, eligibility, or advertising). The automation acts on the markets under your mandate; it does not make decisions about you as a person.

10. Marketing

We may send you:

  • Service emails — sign-in, password reset, billing receipts, important security or policy notices. These are part of the contract and cannot be opted out of while your account is active.
  • Product updates about new features and material changes — sent infrequently and only to your registered email. You can opt out at any time by replying "unsubscribe" or by emailing [email protected]; we will continue to send transactional service emails.

We do not send unsolicited marketing to anyone other than our registered users.

11. Children

The Service is intended for adults only. We do not knowingly collect personal data from anyone under 18 (or the higher local age of majority, where applicable). Under the DPDP Act, processing data of children (under 18 in India) requires verifiable parental consent and we have chosen not to offer the Service to children. If you believe a child has provided personal data to us, contact [email protected] and we will delete it.

12. Grievance Officer (DPDP Act, India)

In compliance with section 8(10) of the DPDP Act 2023 and rule 11 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011:

Grievance Officer: Sandeep Pradhan, Ask AI Trade Address: Raipur, Chhattisgarh, India Email: [email protected]

We will acknowledge grievances within the timelines required by Indian law and aim to resolve them within 30 days.

13. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date above will change accordingly. For material changes (for example, adding a new sub-processor that materially affects data processing, or expanding the purposes of processing), we will notify you by email and/or an in-dashboard notice at least 14 days before the change takes effect.

14. Contact

Privacy questions, data subject requests, or complaints: [email protected].

TermsPrivacy© Diehard Trader