Privacy Policy

What we collect, why we collect it, who we share it with, and the controls you have. No dark patterns, no third-party ad networks, no behavioral profiling.

Last updated: 14 May 2026 · Applies to eatrading.ai and the Quant AI Agents EA

01 Who we are

eatrading.ai ("we", "us") operates this website and the Quant AI Agents Expert Advisor for the MetaTrader 5 platform. For the purposes of data protection regulations (GDPR, UK GDPR, similar regional laws), we act as the data controller for personal data you provide through this website.

Contact: [email protected].

02 What we collect

We try to collect the minimum needed to run the service. Here's the full list — nothing else, nothing hidden:

Category | What's in it | Source
Account | Email address, hashed password (bcrypt), account creation date, last login timestamp, role (free / paid / admin), email-verified flag | You, at signup
License & activation | MT5 account number(s) bound to your license, license key, plan, activation status | You, at checkout / activation
Payment | Order ID, amount, currency, payment method (crypto / PayPal), processor reference, payer email returned by the processor. We never see your card number, CVV, or wallet seed. | Payment processor (PayPal, crypto gateway)
Telegram link (optional) | Telegram chat ID if you opt in to bot notifications or admin OTP | You, by clicking a Telegram deep link
Support | Whatever you send us in support emails or Telegram chats — typically MT5 account number, broker name, screenshot of an error | You, when you ask for help
Technical (server logs) | IP address, user agent, request path, timestamp, HTTP status. Used for debugging and abuse detection. | Your browser, automatically

What we don't collect: your trading history outside what's needed for license activation; your AI provider API key (it stays on your MT5 terminal); marketing-tracking cookies from third parties; advertising-network identifiers.

03 Why we collect it

Each category above has a specific reason and legal basis under GDPR / similar laws:

  • Account, license, payment — to perform the contract you entered into when you signed up and paid (GDPR Art. 6(1)(b)).
  • Telegram link, support — based on your consent, which you can withdraw any time by unlinking or asking us to delete the records (Art. 6(1)(a)).
  • Server logs — our legitimate interest in keeping the service running and free from abuse (Art. 6(1)(f)).

04 Your AI API key (BYOK)

BYOK guarantee: Your DeepSeek / OpenAI / Anthropic API key is configured directly into your local MT5 terminal. It is never sent to our servers, never written to our database, and never shows up in any of our logs. AI calls go from your machine directly to your provider.

If we ever go offline, your EA still trades because the API call never crosses our infrastructure. The trade-off is that you're responsible for keeping your key safe — see the Terms for what that means in practice.

05 Cookies & local storage

We use browser local storage for two things: keeping you logged in (your JWT session token) and remembering your theme preference (dark/light). Both stay on your device — we don't shadow-copy them to our servers.

We do not use third-party advertising cookies, tracking pixels, behavioral profiling, or social-media trackers. We do not run Google Analytics, Meta Pixel, or similar tools on the site. Server-side request logs are anonymized after 30 days.

Clearing your browser storage will sign you out and reset the theme. Nothing else lives there.

06 Third parties

The service depends on a few external providers. Each gets only what they need:

Provider | What they get | Why
Cloudflare | IP address, request metadata | CDN, DDoS protection, TLS termination
PayPal | Email, payment amount (if you choose PayPal) | Process your payment
Crypto payment gateway | Order amount, wallet address (if you choose crypto) | Process your crypto payment
Telegram | Your chat ID (if you opt in) | Send you bot notifications / OTP
Email delivery provider | Your email, message body of transactional emails | Verify your address, send password resets
Your AI provider (DeepSeek / OpenAI / etc.) | Prompts and market data you send via the EA | This is BYOK — controlled by you, not us. See section 4.

We do not sell, rent, or trade personal data to anyone. We only share data with a third party when (a) it's needed to deliver the service you asked for, (b) you've explicitly opted in, or (c) we're legally required to (court order, valid law-enforcement request).

07 How long we keep it

  • Account & license records — for as long as your account is active, plus 12 months for tax / audit / dispute reasons after closure
  • Payment records — 5 years (typical tax-record retention requirement)
  • Server logs — 30 days, then anonymized or deleted
  • Support correspondence — 24 months, then archived or deleted on request
  • Telegram chat ID — until you unlink, then immediately removed

You can ask us to delete your account at any time (see your rights); we'll remove personal data faster than these defaults where lawfully possible.

08 Your rights

Depending on where you live, you have some or all of the following rights over personal data we hold about you:

  • Access — ask for a copy of what we have on you
  • Rectification — correct anything that's wrong or out of date
  • Deletion ("right to be forgotten") — ask us to delete your records, subject to the retention rules above
  • Restriction — ask us to pause processing while we resolve a dispute
  • Portability — get your data in a machine-readable format
  • Objection — object to processing based on legitimate interest
  • Withdraw consent — any time, for the parts that depend on consent (e.g. Telegram)

To exercise any right, email [email protected] from the address on your account. We respond within 30 days; most requests are handled within a week.

If you're unhappy with our response, you have the right to complain to your local data-protection authority. For EU/EEA residents, that's the supervisory authority in your country.

09 Security

We take security seriously because trading platforms are a high-value target. What we do:

  • Passwords are hashed with bcrypt (work factor 12). We never see your plaintext password — not even in logs, not even temporarily.
  • Sessions use signed JWT tokens with a 30-day expiry; admin actions are gated on server-side role checks plus optional Telegram OTP.
  • HTTPS is enforced site-wide (HSTS preload, TLS 1.2+); the site is served behind Cloudflare.
  • The database is on a private VPS with restrictive firewall rules, daily encrypted backups, and write-only logging from the application user.
  • Strict Content Security Policy, X-Frame-Options DENY, no inline trackers, no third-party JS beyond what's listed in section 6.

No system is 100% secure. If you believe you've found a vulnerability, please email [email protected] (or use the support address with "security" in the subject). We respond fast and we credit responsible disclosure.

10 International transfers

Our servers are currently hosted in Asia / Europe regions (Cloudflare anycast at the edge, primary VPS in a single region). If you live outside those regions, your data crosses borders to reach us. For EU/EEA residents, transfers to non-adequate countries are protected by Standard Contractual Clauses or equivalent safeguards under GDPR.

11 Children

The service is not intended for, and not directed to, anyone under 18. We don't knowingly collect data from minors. If you believe a child has registered, email us and we'll delete the account.

12 Changes to this policy

If we change anything substantive — new data category, new provider, longer retention — we'll update the "Last updated" date at the top of this page and notify active accounts by email or in-app banner. Editorial / clarity edits that don't change practice are made silently.

13 Contact

Privacy questions, deletion requests, data exports, complaints: