StrategyBoxفارسیSign in
// LEGAL

Privacy Policy

What data we collect, why, and your rights over it.

This summary reflects our current policies. See the panel for the full, binding versions you accept when you sign up.

Privacy Policy

Effective date: [PLACEHOLDER: effective date] Last updated: [PLACEHOLDER: last-updated date] Requirements: R118, R120

This Privacy Policy explains how [PLACEHOLDER: legal entity name] ("StrategyBox", "we", "us") collects, uses, shares, and protects personal data when you use the StrategyBox platform (the "Service"). It includes information required under the EU/UK General Data Protection Regulation (GDPR). See the companion Data Processing & GDPR document for the full data map, sub-processor list, and Data Subject Access Request (DSAR) procedure.


1. Data Controller

The data controller responsible for your personal data is:

[PLACEHOLDER: legal entity name] [PLACEHOLDER: registered address] Contact / DPO: [PLACEHOLDER: privacy/DPO email]

If you are in the EU/UK, our EU/UK representative (where applicable) is: [PLACEHOLDER: representative, if required under GDPR Art. 27].

2. Data We Collect

CategoryExamples
Account & identityEmail, hashed password, display name, role, 2FA status, account preferences.
Trading account credentialsBroker/exchange API keys, MT5 login/server, secrets. Stored encrypted at rest using envelope encryption (AES-256-GCM per-account data key, wrapped by a Key-Encryption-Key held outside the database). Never stored or returned in plaintext.
Trading & equity dataDeployments, orders/fills, positions, equity curve, profit/loss, drawdown, and related metering (balance-days).
Billing dataSubscription plan, invoices, performance-fee records (with high-water mark), crypto payment references from our payment provider. We do not store card numbers.
Technical logsIP address, device/browser metadata, request logs, audit logs (credential-access and admin actions), error logs. Secrets/PII are scrubbed from operational logs.
CommunicationsNotification preferences, emails/Telegram messages we send you, support correspondence.

We collect this data directly from you, automatically as you use the Service, and from our sub-processors (e.g., payment confirmations).

3. How We Use Your Data

  • Provide, operate, and secure the Service and your account.
  • Connect to your broker/exchange and execute and manage trades on your Trading Account at your instruction.
  • Calculate and collect fees (subscription and performance fees), issue invoices, and meter usage.
  • Monitor performance, detect abuse/fraud, enforce limits, and operate safety controls (kill-switch/circuit breaker).
  • Send transactional notifications (trade, margin, drawdown, billing, security, and admin alerts).
  • Maintain audit trails and comply with legal and regulatory obligations.
  • Improve reliability and performance of the Service.

4. Legal Bases (GDPR Art. 6)

PurposeLegal basis
Providing the Service and executing trades you requestPerformance of a contract — Art. 6(1)(b)
Billing, invoicing, fee collectionPerformance of a contract — Art. 6(1)(b)
Security, fraud prevention, abuse detection, audit loggingLegitimate interests — Art. 6(1)(f)
Legal/regulatory compliance (e.g., record-keeping, sanctions)Legal obligation — Art. 6(1)(c)
Transactional notificationsPerformance of a contract / legitimate interests
Marketing communications (if any)Consent — Art. 6(1)(a)

Where we rely on legitimate interests, you may object as described in Section 9.

5. Data Sharing (Sub-processors & Recipients)

We share data only as necessary to operate the Service, with:

  • MetaApi — connectivity and order execution for MetaTrader 5 accounts.
  • Cryptocurrency exchanges (Binance, Bybit) — order execution on your connected exchange accounts.
  • NowPayments — cryptocurrency payment processing and confirmations.
  • Infrastructure providers — hosting/VPS, database, and monitoring providers [PLACEHOLDER: provider names].
  • Communication providers — email/SMTP and Telegram for notifications.

We do not sell your personal data. A current sub-processor list is maintained in Data Processing & GDPR. We may also disclose data where required by law or to protect our rights and users' safety.

6. International Transfers

Some sub-processors may process data outside your country/region, including outside the EEA/UK. Where required, such transfers are protected by appropriate safeguards (e.g., EU Standard Contractual Clauses or an adequacy decision). [PLACEHOLDER: primary hosting region(s)].

7. Data Retention

  • Audit logs (credential-access, admin actions): retained online for 18 months, then moved to cold/archival storage.
  • Operational logs (request/error logs): retained for 30–90 days.
  • Account, trading, and billing records: retained for the life of the account and as required for legal, tax, and accounting obligations, then deleted or anonymized.
  • Encrypted credentials: deleted when you disconnect a Trading Account or close your account (subject to short backup rotation windows).

See Data Processing & GDPR for the full retention table and the erasure/audit-retention exception.

8. Security

We apply technical and organizational measures including:

  • Envelope encryption of trading-account credentials: a unique 256-bit data-encryption key (DEK) per account encrypts credentials with AES-256-GCM; the DEK is wrapped by a Key-Encryption-Key (KEK).
  • KEK held outside the database (never stored in SQL Server) and reachable only on trading servers under least privilege.
  • TLS everywhere and encrypted database connections.
  • Audit logging of every credential access and sensitive admin action (tamper-evident, append-only).
  • Secret redaction so credentials and PII do not appear in logs.
  • Authentication hardening (JWT, 2FA, rate limiting/brute-force protection) and role-based access control (RBAC).

See Key Management and the Threat Model.

9. Your Rights

Subject to applicable law (including GDPR), you have the right to:

  • Access the personal data we hold about you.
  • Rectification of inaccurate or incomplete data.
  • Erasure ("right to be forgotten"), subject to legal retention obligations. Note: entries in our tamper-evident audit log are retained for legal/security reasons even after account erasure; they are minimized and access-controlled.
  • Data portability — receive your data in a structured, machine-readable format.
  • Objection to processing based on legitimate interests, and restriction of processing.
  • Withdraw consent at any time (where processing is based on consent).
  • Lodge a complaint with your supervisory authority.

To exercise your rights, contact [PLACEHOLDER: privacy/DPO email]. We handle Data Subject Access Requests per the DSAR procedure in Data Processing & GDPR, including identity verification and a response SLA.

10. Cookies

We use strictly necessary cookies for authentication and session management, and, where applicable, functional/analytics cookies. Non-essential cookies are used only with your consent where required. [PLACEHOLDER: link to cookie settings/details].

11. Children

The Service is not directed to persons under 18, and we do not knowingly collect personal data from children. If we learn we have collected such data, we will delete it.

12. Changes to This Policy

We may update this Policy. We will post the updated version with a new "Last updated" date and, for material changes, provide reasonable notice.

13. Contact / DPO

Privacy questions or requests: [PLACEHOLDER: privacy/DPO email]. Data Protection Officer (if appointed): [PLACEHOLDER: DPO name/contact]. Postal: [PLACEHOLDER: registered address].