1. Introduction
This Privacy Policy explains what personal data Tasilab collects when you use our service, why we collect it, how we store and protect it, and the rights you have over your data. We try to keep this document short and plain — no boilerplate that nobody reads.
This policy is governed by the laws of the Kingdom of Saudi Arabia, including the Personal Data Protection Law (PDPL) and its implementing regulations.
2. Who we are
"Tasilab," "we," "us," or "our" refers to the Tasilab service operating at tasilab.com and api.tasilab.com. Tasilab is operated as an independent personal project; there is no incorporated legal entity at this time. For any privacy inquiry, write to contact-us@tasilab.com.
3. What personal data we collect
We deliberately collect as little as possible:
- Account data — your email address and a bcrypt hash of your password. We never store passwords in plain text.
- API key — a randomly generated UUID issued to your account, used to authenticate your API and SDK requests.
- Trading-simulation data — orders you place, positions you hold, fills, P&L, and any experiments or backtests you create. This data exists to make the service work.
- Telegram link data (optional) — only if you opt in to Telegram notifications: your Telegram chat ID and a short-lived linking code.
- Newsletter email (optional) — if you sign up for the launch list, we store the email and the locale (en/ar) you signed up from.
- Server logs — IP address, request path, response status, and timestamps. Used for debugging, security, and capacity planning. Logs are not used for advertising.
We do not collect your real name, your phone number, your real-money trading data, your bank account, your national ID, or any payment information. Tasilab is currently free; there is no payment processor involved.
4. How we use your data
- To authenticate you and protect your account.
- To run the simulated trading service: validate orders, compute fills, persist positions and trade history.
- To send transactional emails — currently password-reset links only. We do not send marketing emails.
- To send Telegram notifications about order fills, only if you have opted in.
- To diagnose bugs, monitor uptime, and improve performance.
- To detect and respond to abuse or unauthorized access.
5. When we disclose personal data
We do not sell your personal data. We do not share it with advertisers. We disclose it only:
- To service providers we depend on, strictly for operating the service. Today these are: Railway (application and database hosting); Cloudflare (CDN, DNS, and static-asset hosting); Postmark (transactional email delivery); Telegram (when a user opts in to notifications); Anthropic and OpenRouter (only when you use the AI-explanation feature — the run parameters and results you ask about are sent to the selected model provider so it can generate the explanation); Sahmk (Saudi market-data provider — the ticker symbols you query are forwarded so we can fetch quotes and historical data on your behalf). Each provider has access only to the data needed for its function.
- If required by Saudi law or by an order from a competent authority.
- To protect the safety of Tasilab, our users, or the public — for example, in response to a security incident.
6. Legal basis for processing
Under PDPL, we process your data on one or more of the following bases:
- Performance of a contract — running the simulated trading service you signed up for.
- Your consent — for optional features like the newsletter or Telegram notifications.
- Legitimate interests — security, fraud prevention, and improving the service.
- Compliance with a legal obligation.
7. How we store and protect your data
Application data is stored in a managed PostgreSQL database hosted on Railway in the Amsterdam (europe-west4) region. Connections to the database are encrypted in transit. Passwords are hashed with bcrypt; we never store or log them in plain text. API keys are stored as UUIDs and are revocable from your account at any time.
Marketing-page assets (the public website you are reading right now) are served from Cloudflare's edge network. Marketing pages do not require sign-in and do not access your account data.
8. How long we keep your data
We keep account, simulation, and experiment data for as long as your account is active. If you ask us to delete your account, we erase your records within 30 days, except where we are required by law to retain something for longer (for example, security logs may be retained briefly for incident response).
Newsletter subscribers can be unsubscribed on request; we then retain only the unsubscribe record so we don't email you again.
9. Your rights under PDPL
You have the following rights regarding your personal data:
- Right to be informed about how your data is collected and used (this document).
- Right of access to the personal data we hold about you.
- Right to correct any inaccurate data.
- Right to delete your data, subject to any legal retention requirement.
- Right to withdraw consent for any optional processing (newsletter, Telegram notifications) at any time.
To exercise any of these rights, email contact-us@tasilab.com. We will respond within 30 days of receiving your request.
10. Cookies, local storage, and tracking
We use the browser's localStorage to remember your sign-in (your API key, email, and user ID) so you don't have to sign in on every visit. This is functional, not tracking; nothing in localStorage is sent to third parties. We do not use third-party analytics, advertising trackers, or session replay tools at this time. If we ever add analytics, we will update this policy first.
11. Children's data
Tasilab is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If you believe a child has signed up, contact us and we will delete the account.
12. International transfers
Our hosting provider (Railway) operates from the Netherlands (europe-west4). When you use Tasilab, your data is transmitted to and stored in the Netherlands. By using the service, you consent to this transfer. The provider's terms include data-protection commitments at least equivalent to those in PDPL.
13. Changes to this policy
If we update this policy, we will change the "Last updated" date at the top. Material changes will be communicated to active users by email before they take effect. Continued use of the service after a change constitutes acceptance of the updated policy.
14. How to contact us
For any privacy inquiry, or anything else, write to contact-us@tasilab.com.