RegimeTrader
Trust & Transparency

Security & Privacy

How broker credentials, dashboard data, and local bot secrets are handled in the current app.

Broker Credentials

Does the bot need my MT5 login details?

Yes. The bot needs your MT5 login number, password, and server name to connect to the MT5 terminal and place trades through your broker account.

In the current app, users enter those details through the dashboard Setup Wizard or the Local MT5 Login form on the Accounts page. They are then saved locally on the machine running the bot.

Where are those credentials stored?

They are no longer meant to live in the tracked settings.json file. The bot stores them in a local runtime secrets file on the bot machine instead.

In development that path is ~/.regimetrader/device_secrets.json. On a Windows machine, that is the equivalent user profile runtime folder for the account running the bot.

Is my broker password stored securely?

It is stored locally on the bot machine rather than in the shared repo config or dashboard database, which is an improvement. But it is still local secret material and should be treated carefully.

  • Protect the Windows PC or VPS with a strong password
  • Do not share the extracted bot folder or runtime secret files
  • Use a dedicated trading account where possible
  • Change the MT5 password immediately if you think the machine was compromised
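
One way to check both points above on a bot machine: that no MT5 credentials are left in the tracked settings.json, and that the local secrets file is readable only by its owner. This is an added example, not RegimeTrader's own code; the credential field names, the `audit` and `demo` helpers, and the sample values are assumptions constructed for illustration.

```python
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed field names: the page does not list the real keys used by the bot.
CREDENTIAL_KEYS = {"login", "password", "server", "mt5_login", "mt5_password", "mt5_server"}

def find_credential_keys(node, path=""):
    """Return dotted paths of non-empty credential-like keys in parsed JSON."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key.lower() in CREDENTIAL_KEYS and value:
                hits.append(here)
            hits.extend(find_credential_keys(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_credential_keys(item, f"{path}[{i}]"))
    return hits

def audit(settings_path, secrets_path):
    """Flag credentials left in tracked settings and a loosely permissioned secrets file."""
    findings = []
    settings_path, secrets_path = Path(settings_path), Path(secrets_path)
    if settings_path.exists():
        data = json.loads(settings_path.read_text(encoding="utf-8"))
        findings += [f"settings.json still holds credential field: {hit}"
                     for hit in find_credential_keys(data)]
    if secrets_path.exists() and os.name == "posix":
        mode = stat.S_IMODE(secrets_path.stat().st_mode)
        if mode & 0o077:  # any group/other permission bit set
            findings.append(f"secrets file mode {mode:o} is open to group/other; expected 600")
    return findings

def demo(leaky=True):
    # Constructed sample files in a temp dir; no real account data.
    with tempfile.TemporaryDirectory() as tmp:
        settings = Path(tmp, "settings.json")
        secrets = Path(tmp, "device_secrets.json")
        creds = {"login": 12345678, "password": "constructed-value", "server": "Example-Demo"}
        settings.write_text(json.dumps({"pairs": ["EURUSD"], "mt5": creds if leaky else {}}))
        secrets.write_text(json.dumps(creds))
        os.chmod(secrets, 0o644 if leaky else 0o600)
        return audit(settings, secrets)

if __name__ == "__main__":
    print("\n".join(demo()))
```

The permission check only applies to the development path on a POSIX system. On Windows the mode bits do not reflect the file's ACL, so review who can read the secrets file with `icacls` instead.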

Can the bot withdraw funds?

No. The bot trades through MT5. It can place, manage, and close trades, but withdrawals and account funding actions still belong to your broker portal and broker authentication flow.

Dashboard Data

What does the dashboard store?

  • Your dashboard account details such as name and email
  • Subscription status and license key
  • Saved bot settings such as pairs, strategy mode, and risk limits
  • Trade history and equity snapshots pushed or synced by the bot flow

The dashboard is not supposed to be the long-term home for your MT5 trading password.

How is the app authenticated?

Dashboard users authenticate with the web app login system. The bot itself validates the license key for trading access. The local dashboard-to-bot bridge also uses a shared bot API secret for protected requests.

What happens if the local bot API is offline?

Pages that depend on the local bot machine, such as Setup and some account sync actions, cannot complete until the bot runner is started again. That is why users may see temporary connection errors even while the dashboard website itself is up.

Note: The safest setup is still a dedicated MT5 account on a dedicated Windows machine or VPS, with conservative risk limits and a small demo or low-balance live account until behavior is fully validated.

Tip: A future upgrade path for even stronger local secret handling would be Windows Credential Manager or DPAPI, but today the biggest practical protection is controlling access to the machine that runs the bot.