For educational and research purposes only — not investment advice.
Trading Agents Lab
security & privacy

We don't know you're here.

Trading Agents Lab is built around a single privacy assumption: if we don't need the data, we don't collect it. Because the product has no business model that requires user data, we have built no machinery to capture, store, or transmit it.

What we don't do.

  • No analytics SDKs (no Google Analytics, no Plausible, no Fathom, no Cloudflare Web Analytics — even though we host on Cloudflare Pages)
  • No telemetry beacons or remote error reporting
  • No accounts, no email collection, no sign-up flow at all
  • No install ping, no update ping, no usage tracking
  • No cookies (the marketing site uses zero; the desktop app uses local storage on disk for preferences only)
  • No third-party scripts on this marketing site (only Google Fonts, served via Next.js's self-hosted font pipeline so the request stays on this domain)

What we do — and where it stays.

The desktop app makes outbound network calls — but only to providers you have explicitly configured. Every call goes directly from your machine to the provider; we have no servers in between, because we have no servers at all.

Your configured LLM provider

OpenAI · Anthropic · OpenRouter · Google Gemini · or your local Ollama / LM Studio. API key lives in your OS keychain via Electron safeStorage. Never transits any server we control.

Your configured data provider

Yahoo Finance (default, no key needed) or Alpaca (your key, locked to data + paper endpoints only).

Outbound webhooks you configured

If you set up Telegram, Slack, Discord, or a custom JSON receiver, the debate result is POSTed to that endpoint. Webhook URLs are treated as secrets: they are never logged and never echoed into the persisted History.

OpenRouter courtesy headers

If you use OpenRouter, our adapter sends two HTTP headers (HTTP-Referer + X-Title) so they can attribute traffic. Their telemetry, our courtesy. Disabling this is a one-line change you can make in your fork.
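
The webhook rule above (URLs never logged, never written to History) usually fails through one path: HTTP client errors that embed the request URL. The sketch below is an added example, not Trading Agents Lab source; the function names and the sample URL are assumptions constructed for illustration.

```javascript
// Added example, not Trading Agents Lab source; all names are hypothetical.

// Safe-to-persist label: scheme and host only. Path, query and userinfo are
// dropped because that is where webhook credentials live.
function webhookLabel(rawUrl) {
  try {
    const u = new URL(rawUrl);
    return `${u.protocol}//${u.host}/[redacted]`;
  } catch {
    return '[unparseable webhook url]';
  }
}

// Scrub every form of a secret URL an HTTP client error might embed: the
// string as configured, its normalized href, and the bare path + query.
function scrubSecrets(text, secretUrls) {
  let out = String(text);
  for (const raw of secretUrls) {
    if (!raw) continue;
    const forms = [raw];
    try {
      const u = new URL(raw);
      forms.push(u.href);
      if (u.pathname.length > 1) forms.push(u.pathname + u.search);
    } catch { /* not a URL: scrub the literal only */ }
    // Longest first, so a full URL is replaced before its path fragment.
    forms.sort((a, b) => b.length - a.length);
    for (const f of forms) {
      const label = f.startsWith('/') ? '/[redacted]' : webhookLabel(raw);
      out = out.split(f).join(label);
    }
  }
  return out;
}

// Record persisted after a delivery attempt; the raw URL never enters it.
function historyEntry(summary, rawUrl, error) {
  return {
    summary,
    webhook: webhookLabel(rawUrl),
    error: error ? scrubSecrets(error.message, [rawUrl]) : null,
  };
}

// Constructed sample: Telegram-shaped URL with a made-up token.
const SAMPLE_URL = 'https://api.telegram.org/bot000000:CONSTRUCTED-TOKEN/sendMessage?chat_id=1';
const SAMPLE_ERR = new Error(`request to ${SAMPLE_URL} failed, reason: ETIMEDOUT`);
console.log(JSON.stringify(historyEntry('debate finished', SAMPLE_URL, SAMPLE_ERR)));
```

When auditing a fork, the same check applies to any place an error object is stringified: grep the history database and log output for the host of a configured webhook and confirm nothing follows the host but the redaction marker.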

Local storage.

All persistent state lives on your machine:

  • secrets.json — encrypted via OS-native primitives (macOS Keychain, Windows DPAPI, Linux libsecret). Holds your LLM keys, Alpaca keys, webhook URLs.
  • sessions.db — SQLite database of your previous Diligence runs. Lives under your user data directory. Delete it at any time and the app re-creates an empty one.
  • Local preferences (window size, theme mode, last-used provider) via standard localStorage.

Settings → About inside the desktop app shows the absolute path to each of these files, so you can back them up, inspect them, or move them between machines.

Source is the spec.

AGPL-3.0 means the entire codebase is open to inspection. You don't need to trust our copy on this page — read the source.