Privacy & data handling

• Email address. Required to identify your account and to send transactional emails (verification, password reset).
• Password. Stored only as a one-way bcrypt hash. The plain-text value is never persisted and never logged.
• Team name. Defaults to "<email>'s Team". You can rename it later from Settings.
• Sign-up time + IP address. Captured in an activity log so we can spot abuse and so you can see your own account history.

We do not collect:

• Your name (we don't ask for it during sign-up)
• Your address or postcode
• Your phone number
• Any payment details (Stripe holds those — see "Where data lives" below)

Each customer enquiry you paste into TradeAssist is saved against your team, alongside:

• The customer's name (required) and optional email and phone
• The original message text you pasted
• The lead's source (email / WhatsApp / web form / etc.)
• The AI's draft reply, summary, job classification, urgency, and confidence label
• Any forbidden-claim warnings the AI flagged at draft time
• A list of missing information items the AI thought worth asking about
• Status (new, drafted, copied, replied, won, lost, archived)
• An optional outcome record after the job closes (final price, callback count, revision count, free-text notes)

Only members of your team can see your leads. We do not cross-share data between teams.

TradeAssist's draft engine runs inside the application on a deterministic, regex-based "mock" provider. It produces a draft reply, a confidence band, and a missing-information list from the enquiry text alone. It never speaks on your behalf — every draft is reviewed by you before it leaves TradeAssist.

The AI does not:

• Send any message on your behalf
• Make any commitment to your customer
• Reach the internet during draft generation
• See data from other teams

During controlled early-access beta we run a second AI provider — Anthropic Claude — in shadow mode. This means:

• The shadow provider sees a truncated copy of your enquiry text (max 280 characters) so we can compare its draft to the mock's.
• The shadow provider's output is logged to an internal audit table and is never shown to you or your customers.
• Shadow runs are part of how we evaluate whether to ever promote a real LLM to be customer-facing. That decision is gated by a published evaluation plan; today's answer is "not yet".
• You can ask us to exclude your team's traffic from shadow comparisons — email the support address below.
• An operator kill-switch can disable all shadow calls at any time.

• No automatic sending. TradeAssist is a draft-and-copy assistant. The "Copy reply" button puts text on your clipboard; you paste it into your usual tool (email, WhatsApp, SMS) to send.
• No customer-facing Anthropic output. Only the deterministic mock provider's draft is shown to you.
• No model training claim. We make no claim that any AI provider does or does not train on your data. Stripe's, Resend's, and Anthropic's own terms govern what they do with data routed to them; check their documentation if that matters to your decision.
• No third-party data sharing, beyond the operational integrations listed in the next section.

• Postgres (managed database) — every column described above. This is the primary store for your account and leads.
• Stripe — billing only. They hold your card details, billing address (if collected via Stripe Checkout), and subscription status. TradeAssist sees only the subscription state (active / past_due / canceled / etc.) and the Stripe customer & subscription ids. We never receive your card number.
• Resend — transactional email only (account verification, password reset, early-access invite links). They see your email address and the email body. The body never contains your customer's data.
• Anthropic — shadow-only (see above). They see a 280-character truncation of the enquiry text you paste.
• Vercel (or equivalent host) — server logs from the application. We do not log raw passwords, raw tokens (verification / reset / invite), API keys, or the email of failed sign-in attempts.

• Passwords stored as bcrypt hashes only.
• Email verification, password reset, and early-access invite tokens stored as SHA-256 hashes; the raw token only ever appears in the link sent to you.
• All such tokens expire (24h for verification, 1h for reset, 14d for early-access invites).
• Sessions can be revoked centrally by bumping a per-user version; password resets and email verifications bump it automatically.
• Rate limiting on sign-in, sign-up, password reset, and lead creation.
• An append-only security audit log records sensitive events. It deliberately never contains raw passwords, raw tokens, API keys, or the email of a failed sign-in attempt (which would enable enumeration).
• Standard HTTP security headers (CSP, X-Frame-Options, etc.).

Email hello@tradeassistai.co.uk with:

• "Delete my account" to request full deletion of your account and all associated leads. We process within 14 days.
• "Export my data" to request a copy of the data we hold about you and your team.
• "Stop using my data for shadow comparison" if you want us to exclude your team from internal AI evaluation.

Cancelling your subscription does not delete your data — your account stays for 30 days in case you change your mind. After that the data is deleted as part of routine clean-up.

This is a working document for a pre-launch product. It is not a legal contract. If you need a formal data processing agreement, ask us.

We date this page on every substantive change. We will not silently change what we store about you. If a major change happens (for example, a customer-facing LLM is ever promoted), we will tell you before it goes live.