
Privacy Policy

Last updated:

This Privacy Policy explains what personal data we collect when you use Nexus Trade Studio, why we collect it, who we share it with, and the rights you have over it. We take privacy seriously — the policy is written to be specific and verifiable, not vague. If anything is unclear, contact us at privacy@nexustradestudio.com.

Summary. We collect the minimum data needed to run the Service: your account details, the trading accounts you choose to monitor, and technical logs for security and debugging. We never sell personal data. We use well-known sub-processors (Stripe, Supabase, Hostinger, Cloudflare, Vercel, Sentry, Resend). You can access, export or delete your data at any time.

1. Who we are (Data Controller)

The data controller is [PLACEHOLDER: Legal entity name — e.g. Nexus Trade SAS], registered at [PLACEHOLDER: Street, ZIP, City, Country], registration number [PLACEHOLDER: SIREN/SIRET]. You can contact us about anything privacy-related at privacy@nexustradestudio.com.

Data Protection Officer (DPO): [PLACEHOLDER: DPO name and email, or indicate "not appointed — below the legal threshold under Art. 37 GDPR"].

2. What data we collect

2.1 Data you provide directly

  • Account information: email address, password (hashed), optional display name and profile photo. If you sign in with Google, we receive your email address, name, and Google account ID from Google.
  • Billing information: handled by Stripe (we never store full card numbers). We store your Stripe customer ID, subscription status, billing address (if provided for VAT purposes), and invoice history metadata.
  • Trading account metadata: broker name, prop firm name, account number (login), account currency, account type (demo/live), challenge configuration (initial balance, targets, drawdown rules).
  • Developer profile (optional): if you apply to publish EAs on the marketplace, we collect additional information: name, country, tax status, bank details through Stripe Connect, and any identity documents required by Stripe for Connect onboarding.
  • Content you submit: EA listings (title, description, images, version notes), reviews, support requests, bug reports.

2.2 Data generated by your use of the Service

  • Trading telemetry: trades opened and closed on the trading accounts you connect (symbol, volume, entry/exit price, profit/loss, timestamps), equity snapshots, and balance changes. This is read through the MetaTrader 5 Expert Advisor you install — we never receive your broker password or MT5 investor credentials. The EA only reads what MT5 exposes to it.
  • Computed metrics: drawdown, win rate, profit factor, expectancy and other derivatives of the raw trade data.
  • Notifications: alerts we generate on your behalf (drawdown threshold, disconnect, etc.) with delivery status.
  • Technical logs: IP address, user agent, timestamps, API endpoints called. Used for security (rate limiting, fraud detection) and debugging. Retained for 90 days.
  • Error reports: if you have opted in via our cookie consent banner, Sentry collects JavaScript errors and stack traces. We strip auth tokens, cookies and user identifiers before transmission.

2.3 Cookies

Detailed inventory in our Cookie Policy. Summary: authentication and security cookies (essential, no consent required), and optional error-tracking (Sentry) behind explicit consent.

3. Why we collect it and legal basis

Under Article 6 of the GDPR we need a legal basis for each purpose. Here is the mapping for Nexus Trade:

  • To provide the Service you signed up for — account creation, authentication, trade monitoring, metrics computation, notifications. Legal basis: contract (Art. 6(1)(b)).
  • To process payments and payouts — charging subscriptions, paying developers. Legal basis: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and accounting records.
  • To keep the Service secure — rate limiting, abuse detection, incident investigation. Legal basis: legitimate interest (Art. 6(1)(f)).
  • To improve the Service — aggregated usage analysis, error tracking (opt-in). Legal basis: consent (Art. 6(1)(a)) for non-essential tracking; legitimate interest for aggregated internal metrics that do not identify you.
  • To comply with legal obligations — tax records, responses to court orders. Legal basis: legal obligation (Art. 6(1)(c)).
  • To communicate with you — transactional emails (receipts, password resets, alerts). Legal basis: contract (Art. 6(1)(b)). Marketing emails are only sent with your explicit consent and always include a one-click unsubscribe.

4. How long we keep your data

  • Active accounts: for as long as your account exists. Once you delete it, the timelines below apply.
  • Deleted accounts: personal data is removed from production within 30 days of deletion, and purged from backups within 90 days. Some records may be retained longer where required by law (for example invoices: 10 years in France under Article L.123-22 of the Code de commerce).
  • Technical logs: 90 days.
  • Support and billing correspondence: up to 3 years after the last interaction.
  • Sentry error reports: 30 days by default.

5. Who we share data with (sub-processors)

We do not sell personal data and we do not share it with advertisers. We rely on the processors named in the Summary above (Stripe, Supabase, Hostinger, Cloudflare, Vercel, Sentry and Resend) to operate the Service. Each is bound by a Data Processing Agreement and processes data only on our instructions.

We may update this list as we add or replace infrastructure. Material changes are notified by email to active users at least 30 days before taking effect, so you have an opportunity to object.

6. International transfers

Some sub-processors are located outside the European Economic Area, notably in the United States. Where this is the case, transfers are protected by:

  • The European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), signed with each relevant sub-processor, or
  • The EU-US Data Privacy Framework, for processors certified under it (Stripe, Google, Cloudflare, Vercel — verify each at dataprivacyframework.gov).

We keep records of these transfer mechanisms on file. You can request copies at privacy@nexustradestudio.com.

7. Security measures

We apply industry-standard safeguards to protect your data:

  • Encryption in transit (HTTPS/TLS 1.2+ everywhere, WSS for realtime).
  • Encryption at rest for databases and backups.
  • Passwords are hashed using bcrypt via Supabase — we never store or transmit plaintext passwords.
  • API access uses short-lived JWTs with refresh tokens.
  • Role-based access control: our staff only accesses production data on a need-to-know basis, with audit logs.
  • Automated daily database backups with encrypted off-site retention.
  • Error monitoring and rate limiting to detect abnormal behaviour.

No system is perfectly secure. If you believe you have discovered a vulnerability, please report it responsibly to security@nexustradestudio.com.

8. Your rights under the GDPR

Whatever your country of residence, if we process your personal data you have the following rights under EU law (and equivalent rights in many other jurisdictions):

  • Right of access — request a copy of the personal data we hold about you.
  • Right to rectification — ask us to correct inaccurate or incomplete data.
  • Right to erasure ("right to be forgotten") — ask us to delete your data, subject to exceptions where we have a legal duty to keep it (e.g. tax records).
  • Right to restriction of processing — ask us to freeze processing in defined circumstances.
  • Right to data portability — receive your data in a machine-readable format, or ask us to transfer it to another controller where technically feasible.
  • Right to object — object to processing based on legitimate interest.
  • Right to withdraw consent — at any time, for any processing based on consent, without affecting prior processing.
  • Right to lodge a complaint — with your local data protection authority. In France, this is the CNIL (cnil.fr).

9. How to exercise your rights

You can exercise most rights directly from your account:

  • Access and export: settings → data export (self-serve JSON export of your data).
  • Rectification: settings → profile.
  • Account deletion: settings → delete account.
  • Cookie consent: accessible anytime from the cookie banner or settings.

For anything else, email privacy@nexustradestudio.com with enough information to identify your account. We respond within one month of receiving your request (Art. 12(3) GDPR); this may be extended by a further two months for complex or numerous requests, in which case we will let you know within the first month. We do not charge a fee unless your request is manifestly unfounded or repetitive.

10. Children

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided data to us, contact privacy@nexustradestudio.com and we will delete the account promptly.

11. Automated decision-making

We do not use personal data to make automated decisions that produce legal effects or significantly affect you (as defined by Art. 22 GDPR). Some parts of the Service use machine-learning models to compute analytics (e.g. AI reports on trading patterns) — these do not make binding decisions about you.

12. Changes to this policy

We may update this Privacy Policy over time. Material changes are notified by email to active users at least 30 days before taking effect. The "Last updated" date at the top of this page always reflects the latest revision. Archived versions are kept on request.

13. Contact

For any privacy-related question, request or complaint, email privacy@nexustradestudio.com.

If you are unsatisfied with our response, you may lodge a complaint with the supervisory authority in your country of residence. In France, this is the CNIL — cnil.fr/en/plaintes.

Questions about this document? Reach us at legal@nexustradestudio.com.