Legal

Privacy Policy

Last updated: 28 February 2026

This Privacy Policy explains what personal data Webtraditor collects, why we collect it, how we use it, who we share it with, and the rights you have over it. It applies to the Advanced Academy of Digital Trade, Trade Auditor, Trade Conduit, AI Trade Advisor and Trade Regula™.

1. Who we are

Webtraditor (the "Service", "we", "us") is a Digital Trade Ecosystem comprising the Advanced Academy of Digital Trade, the Trade Auditor, the Trade Conduit, the AI Trade Advisor and the Trade Regula™ intelligence terminal. The Service is operated by [LEGAL ENTITY NAME], a company registered in [JURISDICTION], with its registered office at [REGISTERED ADDRESS]. For any privacy enquiry contact [CONTACT EMAIL].

2. Data we collect

Account data: name, email, and (for email/password sign-ups) a bcrypt-hashed password. We do not store your plain-text password.

Document data: the trade-finance documents you upload (LC applications, invoices, bills of lading, demand-guarantee drafts, etc.), extracted fields, and reports we generate from them.

Learning data: your Academy progress, module completions, watched videos, chat sessions with the AI Trade Advisor, and any bookmarks you save on Trade Regula.

Billing data: name, billing email, VAT/GST identifier and card fingerprint (never the full PAN — that is held only by our PCI-compliant payment processors, Stripe and, where enabled, Razorpay).

Activity data: a chronological audit log of every automated pipeline step and every manual edit or approval you make.

Technical data: IP address, browser user-agent, device type, and basic request logs for security, debugging and fraud prevention.

3. How we use your data

To run the document examination, TBML screening, workability checks, guarantee vetting, Academy learning delivery, AI Trade Advisor answers, and Trade Regula intelligence that you request.

To authenticate you, gate content by subscription tier, and prevent abuse (brute-force protection, spam-domain blocklist, anti-scraping controls).

To improve extraction accuracy: when you correct a field, we may store the anonymised correction in a self-learning store to feed future few-shot prompts. You can request its deletion at any time.

To email you transactional notifications (password resets, admin approval confirmations, billing receipts, security alerts). We do not send marketing emails without your explicit opt-in.

To comply with legal, regulatory and audit obligations applicable to us and to our regulated banking customers.

4. Legal basis for processing (GDPR, DPDPA)

Contractual necessity — to deliver the paid or free tier of the Service you have requested.

Legitimate interests — to run analytics, prevent fraud and abuse, and to keep an audit trail.

Legal obligation — to keep records required under Indian, EU or other applicable law.

Consent — for optional cookies, marketing communications and voluntary data uploads beyond what is strictly needed. You may withdraw consent at any time.

5. Who we share data with

Sub-processors strictly necessary to deliver the Service:

• LLM providers (OpenAI, Anthropic, Google) — for document OCR, field extraction, compliance reasoning, Advisor answers, and Academy content generation. Each is bound by an enterprise Data Processing Addendum with "no training on customer data" clauses.

• Stripe (global) and Razorpay (India) — for payment processing, invoicing and taxation.

• Resend — for transactional email delivery.

• MongoDB Atlas / cloud storage — for hosting your data.

• CloudFlare / CDN provider — for DDoS protection and edge caching.

We do NOT sell your data. We do NOT share the trade-finance documents you upload with any party other than the sub-processors above and only for the purpose of delivering the Service. A live sub-processor list is available on request from [CONTACT EMAIL].

6. Where your data is stored

Documents and Academy learning data are stored in cloud clusters in [PRIMARY REGION — e.g. Singapore / Frankfurt / Mumbai]. Enterprise customers may request a specific region under contract. We do not transfer personal data outside the contractual region without an appropriate transfer mechanism (Standard Contractual Clauses under GDPR, or your explicit consent).

7. How long we keep it

Uploaded documents and reports: 90 days from upload (free tier) or as agreed in your contract (paid / enterprise tier). After that they are permanently deleted from primary storage and rotated out of backups within a further 30 days.

Academy learning progress: retained while your account is active so you can pick up where you left off.

Audit trail and financial records: retained for 7 years to meet typical bank audit and tax obligations.

Account data: retained while your account is active; deleted within 30 days of an account-deletion request, subject to any legal-hold obligations.

8. Your rights

Depending on your jurisdiction (GDPR, UK GDPR, CCPA/CPRA, DPDPA 2023, PDPA) you may request: a copy of all personal data we hold about you (access); correction of any inaccurate field (rectification); permanent deletion of your account and associated documents (erasure / right to be forgotten); portability of your data in a machine-readable JSON export; restriction or objection to processing; withdrawal of consent to any processing based on consent. Email [CONTACT EMAIL] with your request — we respond within 30 days (15 days under DPDPA where applicable).

You also have the right to lodge a complaint with your local data-protection authority (Data Protection Board of India, ICO in the UK, your local supervisory authority in the EU, etc.).

9. Cookies

See our separate Cookies Policy at /cookies for the full list. In short we use strictly-necessary cookies for authentication and tenant isolation, and (with your consent) analytics cookies to understand aggregate usage.

10. Security

All traffic uses TLS 1.2+. Passwords are bcrypt-hashed with a per-account salt. We enforce brute-force lockouts, spam-domain blocking, anonymous-session isolation, and tier-gated API responses (no client-side paywall — the gate is enforced server-side). Encryption at rest is applied to all uploaded documents. Access to production is restricted to a small on-call team via SSO with hardware-key MFA. See our Trust page at /trust for the full posture.

11. Children's data

The Service is intended for trade-finance professionals and is not designed for children under the age of 16 (or the equivalent age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact [CONTACT EMAIL] and we will delete it.

12. Automated decision-making

The Service uses AI/ML to examine documents, classify discrepancies, and generate risk scores. These outputs are decision-support signals, not final decisions. Every material decision (issuing, advising, honouring, refusing, reporting) rests with the bank or party operating your account. You may request a human review of any AI-generated output relating to your account.

13. Changes to this policy

If we change this policy materially we will notify all active account holders by email at least 14 days before the change takes effect. Continued use of the Service after the change indicates acceptance. The current version and the last-updated date always appear at the top of this page.

Template notice. This policy is a good-faith template drafted by the Webtraditor team. It is not legal advice. You must review and adapt it with qualified counsel in your jurisdiction (India, Singapore, EU, US, UK, GCC, etc.) before relying on it for a paid or regulated launch. Placeholders in square brackets — [LEGAL ENTITY NAME], [REGISTERED ADDRESS], [JURISDICTION], [CONTACT EMAIL] — must be replaced with your registered particulars.

Made with Emergent