As we told you before, our exchange is in the test phase. Some things have not been checked yet or implemented. The fact is that you could see your own private key but only in your own browser - in your session. You were just faster than we were. Now we implemented encryption.
That's a lie. The page was sending a POST request with the private-key and its password in plain-text to your server.
If you saved the private-key or not, that's something we can not confirm since it was handled by your server, and we do not have access to it. But saving it was as simple as taking the body data from the request and saving them anywhere you wanted. So it was definitely possible. Do not lie saying this data was handled in the client, on his own browser, because it was NOT.
We will explain it once more now. In our test phase we sent the private key to the backend to check it (through web3.js) if is valid or not. And because we had no encryption at the time, this event occurred. We presented everything transparently and above all we changed all what you wanted.