Legal

Privacy Policy

Last updated: 26 May 2026

1. Introduction

Treapy Ltd ("Treapy", "we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights under UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully before using Treapy. By creating an account, you confirm that you have read and understood how we process your personal data.

2. Who We Are

Treapy Ltd is the data controller responsible for your personal data.

Contact: support@treapy.co

ICO Registration Number: To be completed upon registration

3. What Personal Data We Collect

3.1 Account and Identity Data

  • Full name
  • Email address
  • Account preferences and settings

3.2 Financial Data

  • Linked bank account information (account numbers, balances, transaction history) retrieved via open banking connections
  • Brokerage account holdings, transactions, and portfolio data retrieved via brokerage API connections
  • Cryptocurrency exchange account data (portfolio balances, transaction history) retrieved via exchange API connections
  • Cryptocurrency wallet addresses and their associated on-chain balances and transaction history

3.3 Device and Technical Data

  • Device identifiers
  • Push notification tokens
  • IP address
  • App version, operating system, and device type
  • Crash reports and anonymised error logs

3.4 Usage Data

  • App usage patterns and feature interactions
  • Session data

3.5 Communications Data

  • Messages you send to our support team
  • Content you explicitly type in the Tripp AI chat interface
We do not collect special category data (health, biometric, political opinions, etc.) and we do not collect financial data beyond what you explicitly choose to connect to Treapy.

5. How We Use Your Data

We use the personal data we collect to:

  • Create and manage your account
  • Aggregate and display your investment portfolio across connected accounts and wallets
  • Power the Tripp AI assistant with portfolio context relevant to your questions
  • Send push notifications you have opted into (price alerts, portfolio summaries, trade follower updates, daily digest)
  • Process subscription payments and manage your subscription entitlements
  • Detect and prevent fraud or unauthorised access to your account
  • Diagnose and fix technical problems in the app
  • Respond to your support requests
  • Comply with our legal and regulatory obligations

6. Third-Party Data Processors

We share your data only with the processors listed below, under data processing agreements, and only to the extent strictly necessary to deliver the service. We do not sell your data to any third party, ever.

TrueLayer

UK / EU

Receives:OAuth access tokens and financial data retrieved from your connected bank accounts via open banking

Purpose:Secure open banking data aggregation

TrueLayer is authorised by the FCA as an Account Information Service Provider (AISP). Data shared with TrueLayer is governed by their own privacy policy and your consent to the open banking connection.

SnapTrade

Canada

Receives:Read-only brokerage credentials and portfolio data from connected brokerage accounts

Purpose:Brokerage account aggregation

Canada benefits from an EU adequacy decision. SnapTrade processes data under a data processing agreement with Treapy.

Moralis / Helius

USA

Receives:Blockchain wallet addresses (public identifiers)

Purpose:Fetching on-chain balances and transaction history from public blockchain networks

Wallet addresses are public by design on blockchain networks. No private keys or seed phrases are ever shared. Standard Contractual Clauses are in place for data transfers.

Anthropic

USA

Receives:Anonymised portfolio context (portfolio composition, asset classes, general metrics) and messages you explicitly type in the Tripp chat interface

Purpose:Powering the Tripp AI assistant

Anthropic's API data policy confirms that data submitted via their API is not used to train AI models. We do not include your name, email address, or account identifiers in prompts sent to Anthropic unless you type them yourself. Standard Contractual Clauses are in place.

RevenueCat

USA

Receives:Purchase receipts, subscription status, and device identifiers

Purpose:Subscription management and entitlement tracking for in-app purchases

Standard Contractual Clauses are in place for data transfers.

Stripe

USA / EU

Receives:Payment card details and billing address

Purpose:Processing subscription payments made via treapy.co

Treapy never stores your full payment card details. All payment data is handled directly by Stripe's PCI-DSS-compliant infrastructure. Treapy only retains a Stripe customer reference ID.

Sentry

USA

Receives:Anonymised crash reports, error logs, device type, operating system version, and app version

Purpose:Error monitoring and app stability

We configure Sentry to exclude personally identifying information from error reports. Standard Contractual Clauses are in place.

Supabase

EU

Receives:All data stored by Treapy, including account data, financial data, portfolio data, and settings

Purpose:Database, authentication, and backend infrastructure

Treapy uses Supabase's EU server region. Your data remains within the European Union.

Expo

USA

Receives:Push notification tokens

Purpose:Delivering push notifications to your mobile device

Standard Contractual Clauses are in place for data transfers.

7. Exchange API Keys and Wallet Addresses

7.1 Exchange API Keys

When you connect a cryptocurrency exchange using an API key, Treapy handles that key with the following safeguards:

  • Encrypted at rest using AES-256 encryption
  • Never logged in any system log, application log, or error report
  • Never shared with any third party
  • Used exclusively to read your portfolio data; we will never use API keys to place trades, initiate withdrawals, or take any financial action on your behalf
You must use read-only API keys when connecting exchanges to Treapy. See our Terms of Service for details.

7.2 Cryptocurrency Wallet Addresses

Cryptocurrency wallet addresses are public identifiers inherent to how blockchain networks operate. When you connect a self-custody wallet via WalletConnect v2:

  • Your wallet address is stored in plaintext, which is standard practice as wallet addresses are public information on the blockchain
  • Only the wallet addresses you explicitly connect to Treapy are stored
  • Treapy never requests, stores, or transmits private keys or seed phrases under any circumstances
  • Treapy has no ability to sign transactions or move funds from your wallet

8. Data Retention

Account data

Deleted within 30 days of account deletion

Financial sync data (bank, brokerage, exchange)

Deleted immediately upon disconnecting the linked account

Push notification tokens

Deleted upon account deletion or when you disable notifications in app settings

Support communications

Retained for 3 years from the date of the last communication

Audit logs

Retained for 7 years to meet legal and regulatory obligations

After account deletion, fully anonymised and non-identifiable aggregate data (for example, aggregate usage statistics) may be retained indefinitely for internal analytics.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access

Request a copy of the personal data we hold about you (Art 15).

Right to rectification

Request correction of inaccurate or incomplete personal data (Art 16).

Right to erasure

Request deletion of your personal data, subject to our legal retention obligations (Art 17).

Right to restriction

Request that we limit how we process your data in certain circumstances (Art 18).

Right to portability

Receive your personal data in a structured, machine-readable format (Art 20).

Right to object

Object to processing based on legitimate interests at any time (Art 21).

To exercise any of these rights, email us at support@treapy.co. We will respond within one calendar month. If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Children

Treapy is not intended for use by anyone under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe a child has provided us with personal data, please contact support@treapy.co and we will delete it promptly.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These include:

  • Encryption in transit using TLS 1.2 and above for all data
  • AES-256 encryption at rest for sensitive credentials (exchange API keys)
  • Role-based access controls limiting internal access to personal data
  • Regular security reviews
  • Supabase Row-Level Security enforcing that users can only access their own data

No method of data transmission or storage is 100% secure. If you have reason to believe your Treapy account has been compromised, contact support@treapy.co immediately.

12. No Advertising or Data Sales

Treapy operates on a subscription model. We have no advertising business and no incentive to monetise your data beyond your subscription. As a result:

  • We do not sell your personal data to any third party, ever
  • We do not use your data for advertising or marketing profiling
  • We do not use advertising networks, tracking pixels, retargeting scripts, or ad exchanges
  • We do not share your data with data brokers
  • We do not use behavioural analytics platforms beyond what is described in Section 6

13. AI (Tripp) and Anthropic

The Tripp AI assistant is powered by Anthropic's Claude API. When you interact with Tripp, the following applies:

  • Your portfolio context (composition, asset classes, general metrics) may be sent to Anthropic's API to generate contextually relevant responses
  • The text of messages you type in the Tripp chat interface is sent to Anthropic
  • We do not include your name, email address, or linked account identifiers in prompts sent to Anthropic unless you type them yourself
  • Anthropic's API data policy confirms that data submitted via the API is not used to train Anthropic's AI models
  • Tripp does not have access to your linked account credentials, encryption keys, or your full transaction history
Tripp is an informational tool only. Its responses do not constitute financial advice. Please read our Terms of Service.

14. International Data Transfers

Treapy's primary database is hosted on Supabase within the European Union. Some of our third-party processors, including Anthropic, RevenueCat, Sentry, and Expo, are based in the United States.

Where we transfer personal data to countries outside the UK that are not covered by an adequacy decision, we rely on Standard Contractual Clauses (SCCs) in the form approved by the UK Information Commissioner's Office (the International Data Transfer Addendum, IDTA) to ensure an adequate level of protection for your data.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. If we make material changes, we will notify you by email at least 30 days before the changes take effect, and we will update the "Last updated" date at the top of this page.

Your continued use of Treapy after any changes take effect constitutes acceptance of the revised policy. If you do not accept the revised policy, you should stop using Treapy and may delete your account.

16. Contact Us

For any questions about this Privacy Policy, or to exercise your data subject rights, please contact us:

Treapy Ltd

Email: support@treapy.co

ICO Registration Number: To be completed

You also have the right to contact the Information Commissioner's Office directly if you have a complaint about how we handle your personal data: ico.org.uk or 0303 123 1113.