Trust & Security

How we protect your account and data

This page is maintained by the TradeWin team to answer common security and privacy questions about TradeWin. It describes the controls we have enabled today. It is editable project content and is not an independent certification or audit.

Access & authentication

Email/password and Google sign-in are supported. Passwords are hashed by our authentication provider — we never store them in plain text.

Sensitive actions (withdrawals, account changes) require an additional one-time code sent by email.

Administrative roles are stored in a dedicated, server-validated role table — they cannot be granted from the browser.

Platform & hosting

TradeWin runs on Lovable Cloud, which provides managed Postgres, authentication, file storage, and serverless server functions.

All traffic is served over HTTPS. Server-only secrets (API keys, service role keys, payment credentials) are stored in the platform's encrypted secret store and are never shipped to the browser.

Data we collect & how we use it

We collect what's needed to run your account: name, email, country, subscription/plan status, signals you interact with, wallet activity, and support messages you send us.

Payment card details are handled by our payment processor — TradeWin never sees or stores full card numbers.

See the Privacy Policy for the full breakdown, retention details, and your rights.

Database access controls

Every user-owned table in our database has row-level security enabled. Policies restrict reads and writes so signed-in users only see their own records (profiles, wallets, tickets, journal trades, copy-trade subscriptions, etc.).

Private file storage (deposit proofs, chart uploads, premium indicator images) is served through short-lived signed URLs created server-side — direct public links are not used.

Subprocessors & integrations

We rely on a small set of trusted services to operate TradeWin: Lovable Cloud (hosting, database, auth, storage), our email-sending infrastructure (transactional and auth emails from notifications.mytradewin.com), and our payment provider.

Optional integrations like Telegram channel broadcasts are server-validated and use bot tokens kept in the encrypted secret store.

Reporting a security issue

If you believe you've found a vulnerability, please email support@mytradewin.com with steps to reproduce. Please do not publicly disclose the issue until we've had a chance to investigate and respond.

For account-related help (lost access, suspicious activity), contact the same address and we'll prioritize the request.

Shared responsibility: TradeWin is responsible for the application controls described above. Lovable Cloud is responsible for the underlying platform. You are responsible for keeping your login credentials safe and using a strong, unique password.