Privacy Policy

Piggyback Trader Effective date: August 3, 2026 Last updated: July 13, 2026


This Privacy Policy explains what information Piggyback Trader LLC ("Piggyback Trader," "we," "us," or "our") collects about you, how we use it, who we share it with, and the choices you have. This Policy applies to the Piggyback Trader website, apps, alerts, dashboards, APIs, and related services (the "Service").

By using the Service, you agree to the practices described here. If you do not agree, do not use the Service.

1. Information we collect

1.1 Information you give us

  • Account information: email address, password (stored as a salted hash), display name if provided
  • Billing information: name, billing address, payment card details (payment card details are collected and stored by Stripe, not by us; we receive only tokenized identifiers and last-four digits)
  • Configuration information: platforms and symbols you subscribe to, alert thresholds you set, delivery channels you enable (email, Slack webhook, SMS, custom webhook), notification preferences
  • Support information: any information you send us via support@piggyback-trader.com or in-product feedback forms
  • Invite/referral information: any invite codes you enter or referral tags associated with your signup

1.2 Information we collect automatically

  • Usage information: the pages you view, the features you use, the alerts you receive and interact with, the timestamps of your activity, and the API endpoints you call
  • Device information: device type, operating system, browser type and version, screen resolution, language preference, time zone
  • Network information: IP address, approximate location derived from IP (city/region only, not precise location), internet service provider
  • Cookies and similar technologies: see §5 below

1.3 Information from third parties

  • Payment processor (Stripe): subscription status, invoice history, refund events
  • OAuth or SSO providers, if we offer login via such providers in the future
  • Communication providers (email, SMS, Slack) — delivery status and interaction events for alerts we send you

We do NOT collect brokerage account information, trading positions, portfolio balances, or bank account information from you. The Service does not connect to your brokerage.

2. How we use your information

We use your information to:

  • Operate, maintain, and improve the Service
  • Deliver alerts and notifications you have configured
  • Process payments and manage your subscription
  • Respond to support requests and communicate with you about the Service
  • Detect, prevent, and address technical issues, fraud, security threats, and abuse
  • Comply with legal obligations
  • Analyze usage patterns to improve the Service (see §5 on cookies for detail)
  • Send transactional emails (welcome, receipts, alert delivery, cancellation confirmations)
  • Send occasional product updates and announcements, which you may opt out of at any time

We do NOT use your information to train third-party AI models, sell your data, or share your trading configuration with other users.

3. How we share your information

We share your information only in these circumstances:

3.1 Service providers ("sub-processors")

We share information with vendors who perform services on our behalf, under confidentiality agreements. Our current sub-processors include:

  • Stripe (payment processing) — https://stripe.com/privacy
  • Neon (Postgres database hosting) — https://neon.tech/privacy
  • Replit (application hosting) — https://replit.com/privacy
  • Postmark or SendGrid (transactional email) — TBD before launch
  • Twilio (SMS delivery, Pro+ tier only) — https://www.twilio.com/legal/privacy
  • Slack (webhook delivery, when configured by user) — governed by user's Slack workspace

[LAWYER REVIEW] Finalize sub-processor list before launch. Consider maintaining a live sub-processor page (/subprocessors) linked from this policy for enterprise / GDPR customers.

3.2 Legal obligations

We may disclose your information if required by law, court order, subpoena, or government request, or if we believe disclosure is necessary to protect our rights, property, or safety, or the rights, property, or safety of others.

3.3 Business transfers

If Piggyback Trader LLC is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you if this happens and if your information becomes subject to a different privacy policy.

3.4 Aggregated or de-identified data

We may share aggregated or de-identified data (data that cannot reasonably be used to identify you) with third parties for research, analytics, marketing, or other purposes.

4. Your rights and choices

Depending on where you live, you may have some or all of the following rights:

  • Access — request a copy of the personal information we hold about you
  • Correction — request that we correct inaccurate information
  • Deletion — request that we delete your personal information, subject to legal retention requirements
  • Portability — request a machine-readable copy of your information
  • Objection — object to certain processing activities
  • Opt-out — opt out of marketing communications and (in some jurisdictions) the sale or sharing of personal information

To exercise any of these rights, email support@piggyback-trader.com with the subject "Privacy Request." We will respond within 30 days.

4.1 California residents (CCPA / CPRA)

California residents have the specific rights described above, plus the right to know what personal information we collect, use, disclose, and (if applicable) sell or share. We do not sell your personal information. We do not share personal information for cross-context behavioral advertising.

4.2 European Union and United Kingdom residents (GDPR / UK GDPR)

If you are in the EU or UK, our legal bases for processing your information include: (a) performance of a contract (to provide the Service), (b) legitimate interests (fraud prevention, security, product improvement), (c) legal obligation (tax, accounting), and (d) consent (marketing communications, non-essential cookies). You have the right to lodge a complaint with your national data protection authority.

[LAWYER REVIEW] If we plan to intentionally market to or serve EU users, consider appointing an EU representative under GDPR Article 27.

4.3 Other jurisdictions

Users in other jurisdictions (e.g., Brazil, Canada, Australia) may have similar rights under local law. We honor those rights on request.

5. Cookies and similar technologies

We use cookies, local storage, and similar technologies for essential functions and analytics.

5.1 Essential cookies (cannot be disabled)

  • Session cookies for authentication and login state
  • CSRF tokens for security
  • Preference cookies (dark/light mode, filter settings, dismissed banners)

5.2 Analytics cookies (opt-in in EU/UK, opt-out elsewhere)

We use analytics to understand how users interact with the Service. Our current analytics stack is minimal — likely Plausible or self-hosted PostHog for privacy-respecting metrics. We do not use Google Analytics, Facebook Pixel, or ad-network tracking.

[LAWYER REVIEW] Finalize analytics stack before launch. If any analytics provider transfers data outside the user's jurisdiction, disclose it here.

5.3 Third-party cookies

  • Stripe sets cookies on payment pages to prevent fraud. Governed by Stripe's privacy policy.
  • If you connect a Slack webhook or configure SMS delivery, those providers set their own cookies during the OAuth or configuration flow.

5.4 Managing cookies

You can control cookies through your browser settings. Disabling essential cookies will break the Service. On first visit from an EU/UK IP, you will see a cookie consent banner where you can accept or reject non-essential cookies.

[LAWYER REVIEW] Confirm consent banner implementation meets EU ePrivacy Directive requirements (must default to "no consent" for non-essential cookies, cannot use pre-checked boxes).

6. Data retention

We retain your personal information for as long as your account is active or as needed to provide the Service. When you delete your account:

  • Immediately deleted: account details, configuration, saved thresholds, alert history
  • Retained for 30 days in encrypted backup form, then permanently deleted
  • Retained indefinitely (anonymized): aggregated usage statistics, sub-processor logs required for security audits
  • Retained per legal obligation: billing and tax records (typically 7 years in the US)

7. Data security

We use industry-standard security measures to protect your information:

  • All data in transit is encrypted with TLS 1.2 or higher
  • Passwords are stored as salted hashes using bcrypt
  • Payment card information never touches our servers — it is collected and stored by Stripe
  • Database backups are encrypted at rest
  • Access to production infrastructure is limited to authorized personnel and requires multi-factor authentication

No system is perfectly secure. We cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify you and the appropriate authorities as required by law.

[LAWYER REVIEW] Ensure breach notification procedures comply with US state breach notification laws (all 50 states have some form) plus GDPR 72-hour notification if EU users are affected.

8. Children's privacy

The Service is not directed to children under 18. We do not knowingly collect personal information from children under 18. If we learn that we have inadvertently collected such information, we will delete it. If you believe a child has provided us with personal information, contact support@piggyback-trader.com.

9. International transfers

Piggyback Trader is operated from the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States. By using the Service, you consent to this transfer.

For EU/UK users, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards for cross-border transfers.

[LAWYER REVIEW] SCCs need to be executed with any sub-processor that receives EU personal data. Verify Stripe, Neon, and other sub-processors have executed SCCs with us or that their global-services terms cover us.

10. Do Not Track

Some browsers offer a "Do Not Track" signal. Because there is no universally accepted standard for how to respond to Do Not Track signals, we currently do not respond to them.

11. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will notify you by email or in-app notice at least 14 days before the changes take effect. Your continued use of the Service after the effective date constitutes acceptance of the updated Policy.

12. Contact us

For any privacy-related question, request, or complaint:

  • Email: support@piggyback-trader.com
  • Mail: Piggyback Trader LLC, Houston, Texas
  • Data protection inquiries (EU/UK): support@piggyback-trader.com with subject line "GDPR Request"

Piggyback Trader LLC Houston, Texas Registered in the State of Wyoming support@piggyback-trader.com


This Privacy Policy is provided as a starting draft. It has been drafted to reflect current best practices for SaaS products handling US, EU, and UK users, but it has NOT been reviewed by an attorney. Do not publish this document until it has been reviewed by counsel licensed in your operating jurisdictions. Every clause tagged [LAWYER REVIEW] should be examined first. Also verify all named sub-processors match the actual production infrastructure at launch.