PRIVACY POLICY
Version / Last Updated: May/2026
This Privacy Policy governs the manner in which Anny.trade collects, uses, maintains, and discloses information from users ("User" or "you") of https://anny.trade (the "Website"), our mobile applications for iOS and Android (the "App"), and all products and services offered by MECABOTS LTDA ("Anny.trade", "we", "us", or "our").
Table of Contents
- Who We Are
- Personal Data We Collect
- How We Use Your Personal Data
- AI Data Processing
- Third-Party Data Processors
- Cross-Border Data Transfers
- How We Protect Your Information
- Data Retention
- Your Rights
- Automated Decision-Making and Profiling
- Cookies and Tracking
- Children's Privacy
- Data Breach Notification
- Change of Operatorship
- Third-Party Sites
- Changes to This Privacy Policy
- Contacting Us
1. Who We Are
Anny.trade is a product developed and licensed by MECABOTS LTDA, a company incorporated under Brazil's law.
Data Protection Officer: [email protected]
For the purposes of the EU General Data Protection Regulation (GDPR), MECABOTS LTDA is the data controller for the personal data processed through the Platform.
2. Personal Data We Collect
2.1 Account Data
When you register for an account, we collect:
- Name
- Email address
- Password (managed by Firebase Authentication; we do not store plaintext passwords)
- Authentication tokens from social login providers, if used:
- Google Sign-In: name, email address, profile picture
- Apple Sign-In: name, email address (Apple may provide a private relay email)
- Facebook Login: name, email address, profile picture (we do not request access to your friends list, posts, or other Facebook content)
- X/Twitter Sign-In: name, email address, profile picture
2.2 Financial and Trading Data
When you use our trading and portfolio features, we collect and process:
- Subscription plan and billing history
- Credit balance and usage history
- Exchange API keys (encrypted with AES-256 and unique per-user salts)
- Exchange OAuth tokens (for supported exchanges)
- Portfolio positions and balances (retrieved from connected exchanges)
- Order history and trade execution data
- Bot and strategy configurations
- Backtest and optimization results
2.3 AI Interaction Data
When you use our AI-powered features (Ask Anny, AI Insights, Research Agent, AI Support), we collect:
- Your chat messages and questions
- Portfolio context provided to the AI (positions, performance data, market context)
- AI-generated responses
- Feedback you provide on AI responses (if any)
- Support ticket content and resolution data
2.4 Guest User Data
When you use the Platform without an account (Guest Access), we collect:
- Your chat messages and questions
- IP address
- Session identifier
- Browser type and version
Guest data is not linked to any registered account.
2.5 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type and device tokens (for push notifications)
- Pages visited and interaction patterns
- Referral source
2.6 Communication Preferences
- Email opt-in/opt-out preferences
- Push notification settings
- Telegram user ID (if connected)
- Discord webhook URL (if configured)
3. How We Use Your Personal Data
We use your information for the following purposes:
| Purpose | Legal Basis (GDPR) |
|---|---|
| Provide and maintain the Platform and its features | Performance of contract (Art. 6(1)(b)) |
| Process payments and manage subscriptions | Performance of contract (Art. 6(1)(b)) |
| Provide AI-powered analysis and conversational assistance | Performance of contract (Art. 6(1)(b)) |
| Execute automated trades on your behalf via connected exchanges | Performance of contract (Art. 6(1)(b)) |
| Send transactional emails (order confirmations, security alerts, service updates) | Performance of contract (Art. 6(1)(b)) |
| Provide customer support (AI and human) | Performance of contract (Art. 6(1)(b)) |
| Improve AI quality and train our proprietary models (using anonymized, aggregated data only) | Legitimate interest (Art. 6(1)(f)) |
| Prevent fraud, abuse, and enforce our Terms | Legitimate interest (Art. 6(1)(f)) |
| Send marketing communications | Consent (Art. 6(1)(a)) |
| Comply with legal and regulatory obligations (KYC, AML, CTF, tax reporting) | Legal obligation (Art. 6(1)(c)) |
| Detect and prevent security incidents | Legitimate interest (Art. 6(1)(f)) |
| Conduct internal analytics and benchmarking (aggregated, de-identified data) | Legitimate interest (Art. 6(1)(f)) |
4. AI Data Processing
4.1 How AI Features Work
Our AI-powered features (Ask Anny, AI Insights, Research Agent, AI Support) use third-party large language model (LLM) services to generate responses. When you use these features:
- Your input (chat messages, questions) along with relevant context (portfolio data, market conditions) is sent to our AI provider.
- The AI provider processes this data and returns a generated response.
- We display the response to you within the Platform.
4.2 Third-Party AI Provider
We use Anthropic, PBC (San Francisco, California, USA) as our primary AI provider, via their Claude API. When you use AI features:
- Your data is transmitted from our servers in the EU (AWS eu-central-1, Frankfurt) to Anthropic's servers in the United States.
- Anthropic processes the data solely to generate a response to your query.
- Anthropic's data retention and processing terms apply to API calls. As of the date of this policy, Anthropic does not use API customer data to train their models.
- For current information about Anthropic's data practices, see Anthropic's privacy policy and API terms of service.
4.3 What Data is Sent to the AI Provider
| Feature | Data Sent |
|---|---|
| Ask Anny (registered user) | Your question, portfolio positions, signal history, market context |
| Ask Anny (guest user) | Your question only (no portfolio data) |
| AI Insights | Portfolio positions, performance data, market conditions |
| Research Agent | Your research query, portfolio context, market data |
| AI Support | Your support question, relevant account context, knowledge base articles |
4.4 Opting Out of AI Data Processing
AI features are a core part of the Platform. If you do not wish your data to be processed by our AI provider, you may choose not to use AI-powered features. Non-AI features (portfolio tracking, manual trading, exchange connection) remain available.
5. Third-Party Data Processors
We do not sell your personal data to third parties. We do not share personal data for cross-context behavioral advertising. Data is shared with third-party processors only as described below, solely for the purposes of operating the Platform.
Payment Processors
| Provider | Data Shared | Purpose |
|---|---|---|
| Stripe (USA) | Name, email, payment card details, billing address | Subscription and credit pack payments |
| PayPal (USA) | Name, email, transaction amounts | Alternative payment processing |
| CoinPayments (Canada) | Name, email, transaction amounts | Cryptocurrency payment processing |
Payment card information is collected and processed directly by Stripe. Anny.trade does not store, process, or have access to your full credit card number. Stripe is certified as a PCI Level 1 Service Provider.
AI Processing
| Provider | Data Shared | Purpose |
|---|---|---|
| Anthropic (USA) | Chat messages, portfolio context, support queries | AI-powered analysis and conversational features |
Authentication
| Provider | Data Shared | Purpose |
|---|---|---|
| Firebase Authentication (Google, USA) | Email, authentication tokens, social login profile | User authentication and account management |
Cloud Infrastructure
| Provider | Data Shared | Purpose |
|---|---|---|
| Amazon Web Services (EU region: eu-central-1, Frankfurt) | All Platform data | Database hosting (RDS/PostgreSQL), file storage (S3), message queuing (SQS), compute (EC2) |
Email and Communications
| Provider | Data Shared | Purpose |
|---|---|---|
| AWS Simple Email Service (EU) | Email address, message content | Transactional and marketing emails |
| SendGrid (USA) | Email address, message content | Backup email delivery |
| Firebase Cloud Messaging (Google, USA) | Device tokens | Push notifications (mobile app) |
| Telegram Bot API | Telegram user ID, message content | Notifications and bot interactions |
| Discord | Webhook URL, message content | Notification delivery |
CDN and Security
| Provider | Data Shared | Purpose |
|---|---|---|
| Cloudflare (USA) | IP address, HTTP traffic metadata | CDN, DDoS protection, Web Application Firewall |
| Cloudflare Turnstile | Challenge tokens, IP address | Bot detection and abuse prevention |
Cryptocurrency Exchanges
| Provider | Data Shared | Purpose |
|---|---|---|
| Binance, Bybit, OKX, Kraken, Coinbase, KuCoin, Gate.io, and 70+ others via CCXT | API keys (encrypted), trade orders | Portfolio data retrieval, trade execution |
Analytics
| Provider | Data Shared | Purpose |
|---|---|---|
| Google Tag Manager | Page views, interaction events | Analytics orchestration |
6. Cross-Border Data Transfers
Our primary infrastructure is hosted in the European Union (AWS eu-central-1, Frankfurt, Germany). However, some of our third-party processors are based in the United States and other countries outside the EU/EEA.
For transfers to the United States and other non-EU countries, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission, where applicable.
- Adequacy decisions by the European Commission, where available.
- The EU-US Data Privacy Framework, where the recipient is certified.
Key cross-border transfers:
| Data Flow | Origin | Destination | Safeguard |
|---|---|---|---|
| AI processing (Anthropic) | EU (Frankfurt) | USA | SCCs / DPF |
| Payment processing (Stripe, PayPal) | EU | USA | SCCs / DPF |
| Authentication (Firebase/Google) | EU | USA | SCCs / DPF |
| Email delivery (SendGrid) | EU | USA | SCCs / DPF |
| CDN (Cloudflare) | EU | Global edge network | SCCs |
7. How We Protect Your Information
We have adopted appropriate data collection, storage, and processing practices and security measures to protect against unauthorized access, alteration, disclosure, or destruction of your personal information:
- Encryption at rest: Exchange API keys are encrypted with AES-256 with unique per-user salts. Database connections use SSL/TLS.
- Encryption in transit: All Platform communications use HTTPS/TLS.
- Access control: Personal data is accessible only to authorized personnel on a need-to-know basis, bound by confidentiality agreements.
- Infrastructure security: Hosted on AWS with VPC isolation, security groups, and automated patching.
- Session management: JWT-based session tokens with configurable expiry (7 days web, 30 days mobile).
- Monitoring: Correlation IDs for request tracing, centralized logging, and anomaly detection.
8. Data Retention
We retain your personal data for as long as necessary to fulfill the purposes described in this Privacy Policy:
| Data Category | Retention Period | Reason |
|---|---|---|
| Account data | Duration of account + 18 months after inactivity | Service provision; account recovery |
| Financial/billing data | 7 years after last transaction | Legal/tax obligations |
| Trading data | Duration of account | Service provision |
| AI conversation history | Duration of account | Service provision; support quality |
| Exchange API keys | Until user revokes or account is deleted | Service provision |
| Guest interaction data | 30 days | Abuse prevention |
| Technical/server logs | 90 days | Security and debugging |
| Marketing consent records | Duration of consent + 3 years | Proof of consent (GDPR) |
Upon account deletion, we permanently delete or anonymize all personal data except where retention is required by law.
9. Your Rights
9.1 EU/EEA Users (GDPR)
If you are located in the EU/EEA, you have the following rights:
- Right of access (Art. 15): Request a copy of your personal data.
- Right to rectification (Art. 16): Request correction of inaccurate data.
- Right to erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Right to restriction (Art. 18): Request restriction of processing.
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3)): Withdraw consent for marketing at any time.
- Rights related to automated decision-making (Art. 22): Not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.
9.2 Brazilian Users (LGPD)
If you are located in Brazil, you have equivalent rights under the Lei Geral de Protecao de Dados (LGPD), including the right to access, correction, anonymization, portability, deletion, and information about sharing.
9.3 Account Deletion
You may delete your account at any time from Settings > Account > Delete Account within the App, or by emailing [email protected]. Upon deletion, all personal data, Exchange API keys, trading history, AI conversation data, and credit balances will be permanently deleted within 30 days, except where retention is required by law (see Section 8).
If you registered using Facebook Login, you may also initiate data deletion through Facebook's settings. This triggers the same deletion process described above.
9.4 How to Exercise Your Rights
To exercise any of the above rights, send an email to our Data Protection Officer at [email protected] together with a valid proof of identity (such as a government-issued ID). We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. For EU users, this is the data protection authority of your country of residence. For Brazilian users, contact the Autoridade Nacional de Protecao de Dados (ANPD).
10. Automated Decision-Making and Profiling
The Platform uses automated processing in the following ways:
| Process | Description | Human Oversight |
|---|---|---|
| AI Insights generation | Automated analysis of portfolio based on positions and market data | User initiates; no trades executed |
| Credit billing | Automated calculation of credit cost based on AI token consumption | Transparent; user sees cost before/after |
| Account tier gating | Automated feature access based on subscription plan | User controls via plan upgrade |
| Abuse detection | Automated rate limiting for guest users and API access | Manual review for account blocks |
None of these automated processes produce legal effects or similarly significant effects on users without human oversight. Automated trading features are explicitly configured and initiated by the User.
11. Cookies and Tracking
Our Platform uses cookies and similar technologies:
| Cookie Type | Purpose | Duration |
|---|---|---|
| Essential/session cookies | Authentication, security, preferences | Session |
| Analytics cookies | Usage patterns, performance monitoring (via Google Tag Manager) | Up to 2 years |
| Marketing cookies | Advertising effectiveness (if applicable) | Up to 2 years |
You may configure your browser to refuse cookies. Note that refusing essential cookies may impair Platform functionality.
Mobile App Tracking: Our mobile applications do not use the Apple Advertising Identifier (IDFA) or Google Advertising ID for tracking or advertising purposes. We do not participate in cross-app or cross-site tracking.
12. Children's Privacy
The Platform is not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us at [email protected] and we will promptly delete it.
13. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33.
- Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34.
- Document the breach, its effects, and remedial actions taken.
14. Change of Operatorship
In case of incorporation, acquisition, merger, or any other change of operatorship of the Services, you expressly consent that your registration data and information may be transferred to the new operator. When and if this occurs, Anny.trade will comply with the duty of information and applicable data protection laws.
15. Third-Party Sites
The Platform may contain links to third-party websites and services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party site you visit.
16. Changes to This Privacy Policy
Anny.trade may update this Privacy Policy at any time. When we make material changes, we will:
- Update the "Last Updated" date at the top of this page.
- Notify you by email and/or through the Platform.
- Where required by law, seek your renewed consent.
Your continued use of the Platform after notification constitutes acceptance of the updated Privacy Policy.
17. Contacting Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise your rights, please contact us at:
MECABOTS LTDA Brazil
- General support: [email protected]
- Data Protection Officer: [email protected]
- Website: https://anny.trade
This Privacy Policy was last updated on May 20, 2026.
Campinas, SP, Brazil
CNPJ: 13.234.093/0001-60