Privacy Policy
Last updated: 26 May 2026
1. Introduction
Treapy Ltd ("Treapy", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Please read this policy carefully before using Treapy. By creating an account, you confirm that you have read and understood how we process your personal data.
2. Who We Are
Treapy Ltd is the data controller responsible for your personal data.
Contact: support@treapy.co
ICO Registration Number: To be completed upon registration
3. What Personal Data We Collect
3.1 Account and Identity Data
- Full name
- Email address
- Account preferences and settings
3.2 Financial Data
- Linked bank account information (account numbers, balances, transaction history) retrieved via open banking connections
- Brokerage account holdings, transactions, and portfolio data retrieved via brokerage API connections
- Cryptocurrency exchange account data (portfolio balances, transaction history) retrieved via exchange API connections
- Cryptocurrency wallet addresses and their associated on-chain balances and transaction history
3.3 Device and Technical Data
- Device identifiers
- Push notification tokens
- IP address
- App version, operating system, and device type
- Crash reports and anonymised error logs
3.4 Usage Data
- App usage patterns and feature interactions
- Session data
3.5 Communications Data
- Messages you send to our support team
- Content you explicitly type in the Tripp AI chat interface
4. Legal Bases for Processing (UK GDPR)
We process your personal data on the following legal bases under UK GDPR Article 6:
Name, email address
Contract performance (Art 6(1)(b))
Required to create and maintain your Treapy account.
Financial account data, portfolio holdings, transaction history
Contract performance (Art 6(1)(b))
The core portfolio tracking service cannot be delivered without this data.
Cryptocurrency wallet addresses
Contract performance (Art 6(1)(b))
Required to display your on-chain portfolio data.
Device identifiers, push notification tokens
Legitimate interests (Art 6(1)(f))
Delivering push notifications you opt into; detecting fraud and security threats.
IP address
Legitimate interests (Art 6(1)(f))
Security monitoring, fraud prevention, and service operation.
Crash reports and error logs
Legitimate interests (Art 6(1)(f))
Improving app stability and diagnosing technical issues.
Messages in the Tripp AI chat
Contract performance (Art 6(1)(b))
Delivering the Tripp AI assistant feature.
5. How We Use Your Data
We use the personal data we collect to:
- Create and manage your account
- Aggregate and display your investment portfolio across connected accounts and wallets
- Power the Tripp AI assistant with portfolio context relevant to your questions
- Send push notifications you have opted into (price alerts, portfolio summaries, trade follower updates, daily digest)
- Process subscription payments and manage your subscription entitlements
- Detect and prevent fraud or unauthorised access to your account
- Diagnose and fix technical problems in the app
- Respond to your support requests
- Comply with our legal and regulatory obligations
6. Third-Party Data Processors
We share your data only with the processors listed below, under data processing agreements, and only to the extent strictly necessary to deliver the service. We do not sell your data to any third party, ever.
TrueLayer
UK / EUReceives:OAuth access tokens and financial data retrieved from your connected bank accounts via open banking
Purpose:Secure open banking data aggregation
TrueLayer is authorised by the FCA as an Account Information Service Provider (AISP). Data shared with TrueLayer is governed by their own privacy policy and your consent to the open banking connection.
SnapTrade
CanadaReceives:Read-only brokerage credentials and portfolio data from connected brokerage accounts
Purpose:Brokerage account aggregation
Canada benefits from an EU adequacy decision. SnapTrade processes data under a data processing agreement with Treapy.
Moralis / Helius
USAReceives:Blockchain wallet addresses (public identifiers)
Purpose:Fetching on-chain balances and transaction history from public blockchain networks
Wallet addresses are public by design on blockchain networks. No private keys or seed phrases are ever shared. Standard Contractual Clauses are in place for data transfers.
Anthropic
USAReceives:Anonymised portfolio context (portfolio composition, asset classes, general metrics) and messages you explicitly type in the Tripp chat interface
Purpose:Powering the Tripp AI assistant
Anthropic's API data policy confirms that data submitted via their API is not used to train AI models. We do not include your name, email address, or account identifiers in prompts sent to Anthropic unless you type them yourself. Standard Contractual Clauses are in place.
RevenueCat
USAReceives:Purchase receipts, subscription status, and device identifiers
Purpose:Subscription management and entitlement tracking for in-app purchases
Standard Contractual Clauses are in place for data transfers.
Stripe
USA / EUReceives:Payment card details and billing address
Purpose:Processing subscription payments made via treapy.co
Treapy never stores your full payment card details. All payment data is handled directly by Stripe's PCI-DSS-compliant infrastructure. Treapy only retains a Stripe customer reference ID.
Sentry
USAReceives:Anonymised crash reports, error logs, device type, operating system version, and app version
Purpose:Error monitoring and app stability
We configure Sentry to exclude personally identifying information from error reports. Standard Contractual Clauses are in place.
Supabase
EUReceives:All data stored by Treapy, including account data, financial data, portfolio data, and settings
Purpose:Database, authentication, and backend infrastructure
Treapy uses Supabase's EU server region. Your data remains within the European Union.
Expo
USAReceives:Push notification tokens
Purpose:Delivering push notifications to your mobile device
Standard Contractual Clauses are in place for data transfers.
7. Exchange API Keys and Wallet Addresses
7.1 Exchange API Keys
When you connect a cryptocurrency exchange using an API key, Treapy handles that key with the following safeguards:
- Encrypted at rest using AES-256 encryption
- Never logged in any system log, application log, or error report
- Never shared with any third party
- Used exclusively to read your portfolio data; we will never use API keys to place trades, initiate withdrawals, or take any financial action on your behalf
7.2 Cryptocurrency Wallet Addresses
Cryptocurrency wallet addresses are public identifiers inherent to how blockchain networks operate. When you connect a self-custody wallet via WalletConnect v2:
- Your wallet address is stored in plaintext, which is standard practice as wallet addresses are public information on the blockchain
- Only the wallet addresses you explicitly connect to Treapy are stored
- Treapy never requests, stores, or transmits private keys or seed phrases under any circumstances
- Treapy has no ability to sign transactions or move funds from your wallet
8. Data Retention
Account data
Deleted within 30 days of account deletion
Financial sync data (bank, brokerage, exchange)
Deleted immediately upon disconnecting the linked account
Push notification tokens
Deleted upon account deletion or when you disable notifications in app settings
Support communications
Retained for 3 years from the date of the last communication
Audit logs
Retained for 7 years to meet legal and regulatory obligations
After account deletion, fully anonymised and non-identifiable aggregate data (for example, aggregate usage statistics) may be retained indefinitely for internal analytics.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of access
Request a copy of the personal data we hold about you (Art 15).
Right to rectification
Request correction of inaccurate or incomplete personal data (Art 16).
Right to erasure
Request deletion of your personal data, subject to our legal retention obligations (Art 17).
Right to restriction
Request that we limit how we process your data in certain circumstances (Art 18).
Right to portability
Receive your personal data in a structured, machine-readable format (Art 20).
Right to object
Object to processing based on legitimate interests at any time (Art 21).
To exercise any of these rights, email us at support@treapy.co. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Children
Treapy is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact support@treapy.co and we will delete it promptly.
11. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:
- Encryption in transit using TLS 1.2 and above for all data
- AES-256 encryption at rest for sensitive credentials (exchange API keys)
- Role-based access controls limiting internal access to personal data
- Regular security reviews
- Supabase Row-Level Security enforcing that users can only access their own data
No method of data transmission or storage is 100% secure. If you have reason to believe your Treapy account has been compromised, contact support@treapy.co immediately.
12. No Advertising or Data Sales
Treapy operates on a subscription model. We have no advertising business and no incentive to monetise your data beyond your subscription. As a result:
- We do not sell your personal data to any third party, ever
- We do not use your data for advertising or marketing profiling
- We do not use advertising networks, tracking pixels, retargeting scripts, or ad exchanges
- We do not share your data with data brokers
- We do not use behavioural analytics platforms beyond what is described in Section 6
13. AI (Tripp) and Anthropic
The Tripp AI assistant is powered by Anthropic's Claude API. When you interact with Tripp, the following applies:
- Your portfolio context (composition, asset classes, general metrics) may be sent to Anthropic's API to generate contextually relevant responses
- The text of messages you type in the Tripp chat interface is sent to Anthropic
- We do not include your name, email address, or linked account identifiers in prompts sent to Anthropic unless you type them yourself
- Anthropic's API data policy confirms that data submitted via the API is not used to train Anthropic's AI models
- Tripp does not have access to your linked account credentials, encryption keys, or your full transaction history
14. International Data Transfers
Treapy's primary database is hosted on Supabase within the European Union. Some of our third-party processors, including Anthropic, RevenueCat, Sentry, and Expo, are based in the United States.
Where we transfer personal data to countries outside the UK that are not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) in the form approved by the UK Information Commissioner's Office (the International Data Transfer Addendum, IDTA) to ensure an adequate level of protection for your data.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. If we make material changes, we will notify you by email at least 30 days before the changes take effect, and we will update the "Last updated" date at the top of this page.
Your continued use of Treapy after any changes take effect constitutes acceptance of the revised policy. If you do not accept the revised policy, you should stop using Treapy and may delete your account.
16. Contact Us
For any questions about this Privacy Policy, or to exercise your data subject rights, please contact us:
You also have the right to contact the Information Commissioner's Office directly if you have a complaint about how we handle your personal data: ico.org.uk or 0303 123 1113.