Privacy Policy

Last updated: April 17, 2026

1. Overview

AlpacaTrader ("we", "us", "the Platform") is committed to protecting your privacy. This Policy explains what personal data we collect, how we use it, and your rights regarding that data. By using the Platform, you agree to the practices described here.

2. Information We Collect

2.1 Account Information

  • Email address
  • Username and display name
  • Password (stored as a bcrypt hash — never in plaintext)
  • Profile photo (if uploaded)

2.2 Brokerage Credentials

If you connect via API key, your Alpaca API key and secret are stored encrypted at rest. If you connect via OAuth, we store only the OAuth access token. We never store your Alpaca account password.

2.3 Trading Data

  • Trade history you import (Robinhood, Webull CSV uploads)
  • Watchlists, chart layouts, and indicator settings
  • Copy-trading relationships and settings
  • Trading bio, styles, and media images you publish on your community profile

2.4 Usage Data

We collect standard server logs, including IP address, browser type, pages visited, and timestamps. This data is used for security monitoring and improving the Platform.

3. How We Use Your Information

  • To authenticate your account and maintain your session
  • To execute trades and retrieve account data via the Alpaca API on your behalf
  • To power copy-trading features (matching traders with followers)
  • To display your public community profile to other users (only when you opt in)
  • To send critical account-related notifications (no marketing emails without consent)
  • To detect fraud, abuse, and security incidents
  • To improve Platform performance and features

4. Data Sharing

We do not sell, rent, or broker your personal data. We share data only as follows:

4.1 Alpaca Securities LLC

All order and account requests are forwarded to Alpaca's API using your credentials. Alpaca's own Privacy Policy governs how Alpaca handles your data.

4.2 Infrastructure Providers

We use cloud hosting and database providers (such as Supabase/PostgreSQL) to store your data securely. These providers are bound by data processing agreements and do not use your data for their own purposes.

4.3 Community Profile

If you enable "Show in Community" in Settings, your display name, performance statistics, trading styles, bio, and uploaded media will be visible to other logged-in users of the Platform. You can disable this at any time.

4.4 Legal Requirements

We may disclose your information if required by law, court order, or to protect the rights and safety of our users or the public.

5. Data Security

We employ the following security measures:

  • Passwords hashed with bcrypt
  • API keys and secrets encrypted at rest using AES-256
  • All data transmitted over TLS (HTTPS)
  • Session tokens stored in HttpOnly, Secure cookies
  • Database access restricted to the application server

No method of transmission or storage is 100% secure. In the event of a data breach that affects your personal information, we will notify you as required by applicable law.

6. Cookies and Local Storage

We use:

  • Session cookie — an HttpOnly cookie containing your JWT session token, required for authentication
  • localStorage — stores UI preferences such as watchlist layout and auth state (no sensitive data)

We do not use advertising cookies or third-party tracking pixels.

7. Data Retention

We retain your account data for as long as your account is active. Imported trade history is retained until you clear it from Settings. If you delete your account, your personal data, credentials, and trading history will be permanently deleted within 30 days, except where retention is required by law.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Request deletion of your data ("right to be forgotten")
  • Object to or restrict processing of your data
  • Receive a machine-readable export of your data (data portability)

To exercise these rights, contact us through the Platform or via the email below.

9. Children's Privacy

The Platform is not directed at individuals under 18 years of age. We do not knowingly collect personal data from minors. If we learn that a minor has created an account, we will delete it promptly.

10. Changes to This Policy

We may update this Policy from time to time. When we do, the "Last updated" date at the top of this page will change. Material changes will be communicated via an in-app notice or email. Continued use after changes constitutes acceptance of the updated Policy.

11. Contact

For privacy-related questions, data access requests, or to report a concern, please contact us through the Platform or at the support email listed on our website.