DrawLine is built on a privacy-by-default principle. Your trading data and API keys are sensitive assets — we collect only what is strictly necessary to perform automated post-trade enforcement and provide you with behavioral analytics. We do not build advertising profiles, sell data to third parties, or retain information beyond what the service requires.
Account Data: Email address, name (optional), and timezone to sync Guardian session and reset periods correctly.
Exchange Data: API keys and secrets, encrypted at rest. We pull position data, trade history, and account balances to compute your Guardian status in real time and to evaluate post-trade rule compliance (daily R limit, consecutive losses, RSI compliance at entry).
Behavioral Data: Breach events, session lock history, RSI compliance evaluations at entry, trading timing patterns, and audit trail records. This data powers your Discipline Insights report — surfacing which rules you break, when, and against which instruments.
Device & App Data: On mobile (iOS/Android), we collect device identifiers for push notification delivery only. We do not collect location, contacts, or any data unrelated to the Service.
- To monitor your exchange activity and evaluate each trade against your configured rules post-trade.
- To activate session locks (Guard) and execute auto-close orders (Sentinel) as per your configuration.
- To evaluate RSI compliance at entry after each position is logged from your exchange.
- To build your audit trail and surface behavioral patterns in the Insights dashboard.
- To send push notifications (mobile) for breach alerts and approaching-limit warnings.
- To aggregate anonymised, non-identifiable usage patterns to improve the Service. Individual trading data is never included in aggregate analysis.
We do not sell your individual trading data to third-party hedge funds, data brokers, signal providers, or any other parties.
Your API secret is never stored in plain text. We use AES-256-GCM encryption with keys managed through secure environment secrets. Our workers decrypt your keys only in volatile memory, only during the duration of an active API request to your exchange — not at rest, not in logs.
All data is transmitted over TLS 1.2 or higher. Access to production systems is restricted to authorised personnel and logged.
Active accounts: We retain your data for as long as your account is active and for up to 90 days after account deletion to allow for dispute resolution, after which all data is purged from active databases.
Breach audit log: Stored for the duration of your account and purged immediately upon account deletion.
API keys: Purged immediately upon disconnection or account deletion — not retained in any backup for more than 24 hours after purge.
Backups: Encrypted database backups are retained for up to 30 days for disaster recovery. Backup purge follows the same schedule as production data after account deletion.
DrawLine uses a minimal set of cookies strictly necessary for the Service to function:
Session cookie: Maintains your authenticated session. Expires when you close the browser or after 30 days of inactivity.
Preference cookie: Stores your UI preferences (timezone display, billing cycle toggle). Non-identifiable, session-scoped.
We do not use advertising cookies, tracking pixels, or third-party analytics scripts (e.g. Google Analytics, Meta Pixel). We do not track your activity across other websites.
We use the following sub-processors:
- AWS: Hosting and database infrastructure. Data processed in Singapore region.
- Redis: Job queuing for Guardian enforcement workers.
- Postmark: Transactional email (breach notifications, billing receipts).
- FCM / APNs: Push notification delivery for mobile (Android / iOS). Only a device token and notification payload are transmitted — no trading data.
- Stripe: Payment processing. We do not store your full card details — Stripe tokenises all payment data.
All sub-processors are contractually prohibited from using your data for their own purposes and comply with applicable data protection regulations.
You have full ownership of your data. Depending on your jurisdiction, you may have the following rights:
Access: Request a copy of all data we hold about you.
Correction: Request correction of inaccurate data.
Deletion: Delete your account at any time from Settings → Account → Delete account. Upon deletion, all associated API keys, trade records, session lock history, RSI evaluation logs, and behavioral data are purged from our active databases immediately. Encrypted backups are purged within 30 days. This action is irreversible.
Portability: Request an export of your breach audit log and session history in JSON format.
Restriction / Objection: Request that we limit or stop processing your data in specific circumstances.
To exercise any of these rights, email us at support@drawline.io. We will respond within 30 days.
DrawLine is operated from Singapore. If you access the Service from the European Economic Area (EEA), United Kingdom, or Switzerland, your data may be transferred to and processed in Singapore.
If you are located in the EEA or UK, you have rights under the General Data Protection Regulation (GDPR) and UK GDPR, including the rights listed in Section 8. Our lawful basis for processing is:
- Contract performance: Processing necessary to deliver the Service you subscribed to.
- Legitimate interests: Fraud prevention, abuse detection, and Service improvement using anonymised aggregate data.
- Consent: Push notification delivery (you may withdraw consent by disabling notifications in your device settings at any time).
If you believe we have not handled your data in accordance with applicable law, you have the right to lodge a complaint with your local data protection authority.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. Material changes will be communicated by email and in-app notification at least 14 days before taking effect. The current effective date is always shown at the top of this page.