Legal

Privacy Policy

Last updated: 2026-06-04

Glitch Executor is an AI software tool operated by Nuraveda, a sole proprietorship owned by Tejas Karan Agrawal at 77 Huntley St, Toronto, ON M4Y 2P3, Canada. This policy covers personal data collected through glitchexecutor.com and the services we operate under paid subscription.

1. Data controller & contact

Nuraveda is the data controller for the personal data described below. For any data-related request (access, copy, correction, deletion, portability, restriction, or objection), contact [email protected]. We acknowledge requests within 7 days and respond substantively within 30 days (or the period required by your applicable law).

2. What we collect

  • Contact & trial form submissions: name, email, phone (when provided), and the message you send us. Stored in encrypted Postgres.
  • Account identifiers: account credentials, Telegram user ID where you use that surface, and the commands you send our tools, for access control and billing.
  • Exchange API keys: encrypted with AES-256, trade-only scope (no withdrawal permissions). You can revoke at any time.
  • Broker connection tokens: the OAuth access token (for example cTrader) or credential-exchange token (for example TradeLocker, or MT4/MT5 via MetaApi) for any account you connect, encrypted at rest. The token is used only to read your account and, if you arm an agent, to place the orders your strategy generates. It never carries withdrawal permission, and you can revoke the connection at any time.
  • Account & trading data: the account balance, equity, positions, and the closed-deal history we mirror from your connected broker, plus the strategies, agents, and orders you create on the platform, used to power the dashboard, backtests, and the pre-trade safety gate.
  • Server-side execution audit trail: for every strategy you arm, the candidate order, the pre-trade gate decision, the broker order id we receive back, and the fill price/time. Stored in our Postgres for as long as the row remains in orders (see §5 retention). This is the audit log that lets you prove what we did on your behalf.
  • Coach / AI-feature inputs: when you ask the in-app Coach a question or generate a written summary (equity narrative, review enhancement), we send the relevant rows from your account — account label, balance, equity, strategy names, recent deal summary — to the LLM provider we route the request to (see §6 Sub-processors and §7 AI & LLM processing). We do not send your email, broker credentials, or contact-form content to any LLM.
  • Billing data: handled by Stripe (see §6 Sub-processors). We receive only customer ID, email, amount, last-4 of card, and plan. We never see full card numbers.
  • Analytics: page views, referrers, device type, and approximate (city-level) location. When Google Analytics 4 is enabled on a site, it sets first-party cookies (_ga, _ga_<ID>) and sends pseudonymous event data to Google (acting as our processor). No device fingerprinting, no cross-site ad retargeting.
  • Turnstile challenge data: processed by Cloudflare under their privacy terms. We receive only pass/fail.
  • Server logs: IP address, request timestamp, and path, retained for up to 30 days for security and abuse prevention.

3. Legal basis for processing

Depending on which privacy regime applies to you, we rely on one or more of the following legal bases:

  • Contract performance: to deliver tool access and process subscriptions you signed up for (Canada PIPEDA, implied consent; EU/UK GDPR Art. 6(1)(b); DIFC DPL §10(1)(b); ADGM DPR §5(1)(b); UAE PDPL Art. 5(1)(c); India DPDPA §7(a)).
  • Legitimate interests: to secure the Service against abuse, debug errors, and improve product quality.
  • Legal obligation: to comply with applicable Canadian tax, accounting, and sanctions-screening laws.
  • Consent: for any optional communications such as marketing newsletters. You may withdraw consent at any time without affecting the lawfulness of prior processing.

4. What we don't do

  • No advertising cookies beyond the Google Analytics cookies noted in §2. No remarketing pixels, no cross-site ad tracking, no Meta / TikTok / LinkedIn / Criteo ad-tech pixels.
  • No selling or licensing of personal data to third parties.
  • No enrichment of your form submission against third-party data brokers or lookup services.
  • No profiling or automated decision-making that produces legal effects on you.
  • No data collection from anyone we know to be under 18 years of age. If you believe a minor has submitted personal data, contact us and we will delete it.

5. Data retention

  • Account & tool telemetry: for the life of your subscription plus 24 months (to support dispute resolution and tax records), then deleted or anonymised.
  • Server-side execution audit trail (the orders ledger): retained indefinitely while your account is open so we — and you — can demonstrate what the agent did on your behalf. We do not prune historical orders even after a strategy is disarmed. On account deletion, the audit trail is retained for the longer of (a) 24 months or (b) the period required by applicable financial-conduct and AML record-keeping laws (Canada FINTRAC: 5 years), then deleted.
  • Contact-form submissions: 24 months, or sooner on your deletion request.
  • Server logs: up to 30 days.
  • Billing records: retained as long as required by applicable Canadian tax, accounting, and AML laws (typically 6–7 years per the Canada Revenue Agency).
  • LLM provider logs: governed by the provider's own retention policy (typically 30 days at Anthropic, with training opt-out enabled on our API keys; see §7). We do not retain LLM raw responses past the in-app message they produced.

6. Sub-processors

We rely on the following third-party processors. Each is bound by a data-processing agreement and their own published privacy terms:

  • Cloudflare, Inc.: site delivery, WAF, Turnstile bot mitigation, Pages hosting.
  • Stripe, Inc.: subscription billing, checkout, payment card processing.
  • Google Ireland Limited / Google LLC: Google Analytics 4 (GA4) pageview and event telemetry. Data is processed in Google's US and EU infrastructure under their Google Ads Data Processing Terms.
  • Telegram Messenger Inc.: where used as a tool surface. Your Telegram messages are processed under Telegram's own privacy terms before reaching our servers.
  • Primary database hosting: Postgres-compatible, encrypted at rest, located in Iowa, United States. Backups encrypted and retained per §5.
  • MetaApi (Agiliumtrade FZE): broker-bridge for MT4 / MT5 accounts. When you connect an MT4 or MT5 account, your broker login is stored inside MetaApi's cloud (we never see the password) and MetaApi exposes a token we use to read your account and route arming orders. Used only for accounts you explicitly connect.
  • Spotware Systems Ltd: operator of the cTrader Open API. When you connect a cTrader account, the OAuth refresh token is exchanged with Spotware's servers; we use it to read your account and route arming orders.
  • Anthropic, PBC: large-language-model provider for Coach answers and written summaries. Inputs are limited to the data described in §2 ("Coach / AI-feature inputs") and §7. Our API keys carry training opt-out so your data is not used to train Anthropic models.
  • Google AI Studio / Google LLC: Gemini language model used as the lower-cost router target for narrative-style features. Same opt-out + scope as Anthropic.
  • OpenRouter, Inc.: an LLM proxy used as a fallback router when our preferred providers are unavailable. When OpenRouter routes a request, it forwards to one of its named upstream providers; we configure our key for a no-training, no-logging routing profile where the upstream provider supports it.
  • Your exchange / prop firm: via API keys or OAuth tokens you provide. Trade-only scope; see Terms §6. Your trade requests reach the broker directly from our servers; the broker is independent of us and processes your data under its own privacy terms.

7. AI & LLM processing

Some Glitch Executor features call large-language-model (LLM) providers to generate text on your behalf: the in-app Coach answers, the equity-curve narrative, the consistency narrative, and the optional review-enhance writeups. Strategy authoring, the pre-trade breach gate, order routing, and the breach / gate-block alert engine do not call any LLM — those run on deterministic Python and SQL only.

What we send. For each LLM call we send only the minimum data required to answer the request: your account label and the relevant slice of account telemetry (balance, equity, drawdown distance, recent strategy names, deal summaries). We do not send your email, broker credentials, contact-form content, billing data, or other accounts' data to any LLM.

Routing & opt-out. Requests route to Anthropic (Claude), Google AI Studio (Gemini), or OpenRouter (proxied to an upstream provider) per our LLM policy. Our API keys with each provider are configured to opt out of training on your data wherever the provider supports it. Provider raw-prompt retention is governed by each provider's own published policy and is typically 30 days for safety review. We do not retain the raw LLM response past the in-app message it produced.

No automated legal decisions. LLM-generated text is shown to you as guidance; it does not auto-arm strategies, place orders, or move money. The pre-trade breach gate that does control execution is fully rules-based and runs in our backend without any LLM call.

8. International transfers

Our primary database is located in Iowa, United States. Because the controller (Nuraveda) is based in the Province of Ontario, Canada, most personal data is therefore transferred from Canada to the United States and may be subject to U.S. law, including lawful-access regimes that differ from Canadian law. Separately, when Google Analytics 4 is enabled, pageview and event data flow directly from visitors' browsers to Google servers in the US and EU under Google's own transfer mechanisms (Google's SCCs + Supplementary Measures).

Where required for users in other regions, transfers rely on mechanisms such as the EU Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, adequacy decisions, or equivalent safeguards under the UAE PDPL (Art. 22 cross-border transfer provisions) and India DPDPA 2023 (§16 notified-country framework). For Canadian residents we comply with PIPEDA's accountability principle: we remain responsible for personal data transferred to a processor regardless of where it is processed.

9. Security

We apply administrative, technical, and physical safeguards that are reasonable for a service of this scale: AES-256 at-rest encryption for API keys, TLS 1.2+ in transit, least-privilege access for staff, audit logging on sensitive tables, and periodic credential rotation. No system is perfectly secure; if you believe your credentials have been compromised, contact us immediately at [email protected].

10. Your rights

Depending on where you live, you may have some or all of the following rights regarding your personal data:

  • Access: obtain a copy of the personal data we hold about you (PIPEDA Principle 9).
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion, subject to legal retention obligations.
  • Restriction: limit how we process your data pending resolution of a dispute.
  • Portability: receive a machine-readable copy of data you provided, where technically feasible.
  • Objection: object to processing based on our legitimate interests.
  • Withdraw consent: at any time, for any processing based on consent.
  • Complain to a regulator: your local data-protection authority, such as the Office of the Privacy Commissioner of Canada (priv.gc.ca), the Information and Privacy Commissioner of Ontario, the UK ICO, your EU DPA, the UAE Data Office, the India Data Protection Board, or the California Attorney General.

Submit requests to [email protected]. We verify identity before actioning requests to protect your data from unauthorised access.

11. Data breach notification

In the event of a personal-data breach of security safeguards that poses a real risk of significant harm to affected individuals, we will notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible in accordance with PIPEDA and its Breach of Security Safeguards Regulations. We will also notify relevant supervisory authorities in other jurisdictions within their statutory timelines (including the 72-hour window under GDPR Art. 33 where applicable).

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes we will post the revised version on this page and update the "Last updated" date. For changes that materially expand how we use personal data, we will provide advance notice.

13. Contact

Data Protection contact: [email protected].

Nuraveda
Attention: Tejas Karan Agrawal
77 Huntley St, Toronto, ON M4Y 2P3, Canada
Tel: +1 437 539 7958

See also: Terms of Service.