Privacy Policy

Effective Date: April 11, 2026

1. What Data We Collect

Account Data

Email address, hashed password, display name, subscription tier. We do not store plain-text passwords.

Usage Data

Pages visited, features used, session duration, AI queries (anonymized). Used to improve the platform. IP addresses are hashed before storage — we do not store raw IPs.

Trade & Journal Data

Paper trades, trade journal entries, watchlists, and alert configurations you create. This data is yours — we don't sell or share it.

Verification Data

Phone number (if you enable SMS 2FA). We store only the E.164-formatted number and verified status. SMS codes are never stored after use.

SMS / Text Messaging

Program: We collect phone numbers for SMS notifications. Doc-AI uses Twilio's messaging service to send text messages to users who have explicitly opted in.

Message types: 2FA verification codes, trade execution alerts, price alert notifications, AI signal notifications, and account security notifications.

Message frequency: Varies based on your alert settings and account activity, typically 1–10 messages per day. 2FA codes are sent on-demand only.

Message and data rates may apply. Check with your mobile carrier.

Opt-out: You can opt out at any time by replying STOP to any Doc-AI message, or by disabling SMS in Settings → Notifications. You will receive one final confirmation. No further messages will be sent unless you re-opt in.

Help: Reply HELP to any message or email support@docai.trade.

No sharing: We do not sell or share phone numbers with third parties for marketing purposes. Your number is used solely to deliver the messages described above.

Data retention: Phone numbers are stored securely and deleted upon account deletion. SMS verification codes are never stored after use.

Payment Data

We do not store card numbers. Payments are handled by Stripe. We store your Stripe Customer ID and subscription status only.

2. How We Store Your Data

Your data is stored in encrypted SQLite databases on DigitalOcean servers in the United States. Databases are backed up daily and backups are retained for 30 days. We use HTTPS for all data in transit. Passwords are hashed using bcrypt with a work factor of 12.

3. Cookies & Analytics

We use minimal cookies. See our full Cookie Policy for the complete list. Summary:

  • docai_refresh — Authentication refresh token (httpOnly, Secure). Essential for login. Expires in 30 days.
  • ph_* — PostHog anonymous usage analytics (page views, feature usage). No personal data is shared. You can opt out in Settings → Privacy.
  • crisp-* — Crisp customer support chat session (only set if you open the chat widget).
  • _ga / _gid — Google Analytics anonymised page view counts. IP addresses are anonymised before transmission.

We do not use advertising cookies or tracking pixels. We do not serve targeted ads.

4. Third-Party Services

Stripe

Payment processing. Subject to Stripe's Privacy Policy. stripe.com/privacy

Twilio

SMS verification codes (if enabled). Twilio receives your phone number to send codes. twilio.com/legal/privacy

Resend

Transactional email delivery (welcome series, alerts, billing). Your email address is transmitted to send emails. resend.com/privacy

PostHog

Anonymous product analytics and feature flags. No personal data is shared beyond an anonymous user ID. posthog.com/privacy

Crisp

In-app customer support chat. If you open the chat widget, Crisp receives your email and name to pre-fill the session. crisp.chat/en/privacy

Anthropic (Claude AI)

AI-powered features (AskDoc, AI analysis). Your queries are sent to Anthropic's API. Anthropic's data handling applies to API calls. anthropic.com/privacy

Schwab / Alpaca / Tradier

Broker integrations (if you connect). We store OAuth tokens; the broker receives trade instructions you initiate. See each broker's privacy policy.

Finnhub / Alpha Vantage / Polygon

Market data providers. We query these APIs server-side — your identity is not shared with these providers.

5. Brokerage Account Data

When you connect a brokerage account:

  • We access your account data solely to display it in the Doc-AI interface and to submit orders you explicitly initiate.
  • We store OAuth access tokens, encrypted at rest. We do not store your brokerage username or password.
  • We do not share your brokerage account data, positions, or trading history with other users or third parties.
  • We do not use your individual trading activity to train AI models. Only aggregate, anonymized market data patterns are used for model training.
  • You can disconnect your broker at any time in Settings → Brokers, which immediately revokes our access token.

6. AI Models and Analytics

Our AI models are trained on publicly available market data, not on user trading behavior. Specifically:

  • AI signals are generated from public market data (price, volume, technical indicators). They do not incorporate your personal portfolio or trades.
  • We use aggregated, anonymized usage patterns to improve platform features and model performance. No individual user's data is identifiable in this process.
  • AskDoc queries are processed via third-party AI APIs. Queries may be used for safety monitoring by the AI provider per their terms. We do not share your identity or account data with the AI provider.

7. How We Use Your Data

  • To provide, maintain, and improve the platform.
  • To send transactional emails (password reset, subscription confirmation, alerts). We don't send marketing emails without consent.
  • To enforce our Terms of Service and detect abuse.
  • To generate aggregated, anonymized analytics (e.g., "most-used features").
  • To prevent fraud and unauthorized access.

We do not sell your personal data, trading data, or portfolio information to third parties.

8. Your Rights (CCPA / GDPR)

Regardless of where you live, you have the following rights:

  • Access — Request a copy of all personal data we hold about you.
  • Correction — Request correction of inaccurate data.
  • Deletion — Request deletion of your account and personal data ("right to be forgotten").
  • Portability — Request your trade journal, watchlists, and account data in JSON format.
  • Opt-out — Opt out of usage analytics at any time in Settings → Privacy.

California residents: under CCPA you may also request disclosure of categories of personal information sold. We do not sell personal information.

To exercise any right, email support@docai.trade. We respond within 30 days.

9. Data Retention

We retain your account data as long as your account is active. If you delete your account, personal data is removed within 30 days except where retention is required by law. Anonymized usage analytics may be retained indefinitely.

  • Phone numbers — stored securely and permanently deleted upon account deletion or upon request.
  • SMS verification codes — never stored after use; one-time use only.
  • Trade & journal data — retained for the life of the account; exported or deleted on request.

10. Children's Privacy

Doc-AI is not directed to users under 18. We do not knowingly collect personal data from minors. If we learn we have collected data from a minor, we will delete it promptly.

11. Changes to This Policy

We may update this policy. Significant changes will be communicated via email or in-app notification at least 14 days in advance.

12. Contact

Privacy questions or requests: support@docai.trade