PRIVACY POLICY
LAST UPDATED: APRIL 2026
DRAFT — To be reviewed by qualified legal counsel, particularly for GDPR (EU), CCPA (California), and PIPEDA (Canada) compliance.
1. What We Collect
- Account data: Email address, hashed password, referral code.
- Trading data: Position data, equity snapshots, EA planning values — sent via encrypted webhook from the EA running on your VPS. We store this to power your dashboard.
- Technical data: IP address (for region detection), browser type, page views.
- Compliance data: Country of residence (declared and IP-detected), Paddle billing/card country at checkout — used to apply correct regional configuration and meet our regulatory obligations.
We do not collect: MT5 passwords (you enter these directly on your VPS), bank details (payments processed by Paddle as Merchant of Record), or personal identification documents.
2. How We Use Your Data
- Provide and operate the Service (dashboard, trade monitoring, alerts)
- Validate your subscription status
- Send service notifications (trial reminders, EA offline alerts)
- Detect your region to show appropriate content and apply regulatory constraints
- Improve the platform based on aggregate usage patterns
We do not sell, rent, or share your personal data with third parties for marketing purposes.
3. Data Storage and Security
Data is stored on servers in the EU (Hetzner, Germany). All connections are encrypted via TLS/HTTPS. Passwords are hashed with bcrypt. Webhook secrets are unique per account and can be regenerated at any time.
4. Third-Party Services
- Paddle: Merchant of Record for subscription billing. We do not store card details. Subject to Paddle's privacy policy.
- VPS Provider: Hosts your MT5 terminal and EA. Subject to the VPS provider's terms.
- IP Geolocation: We use ipapi.co / api.country.is for region detection. Only your IP is shared; no personal data.
5. Your Rights (GDPR / CCPA)
Depending on your jurisdiction, you may have the right to:
- Access: Request a copy of all data we hold about you.
- Rectification: Correct inaccurate data.
- Deletion: Request deletion of your account and associated data.
- Portability: Receive your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
To exercise any of these rights, contact us at privacy@atlassync.io.
6. Data Retention
Account data is retained while your account is active. Trading data (positions, equity snapshots, trade events) is retained for up to 24 months after account closure for performance analysis. You may request earlier deletion.
7. Cookies
We use localStorage (not cookies) for session management and region preferences. No third-party tracking cookies are used. Analytics, if implemented, will use privacy-respecting solutions.
8. Changes
We may update this policy. Material changes will be communicated via email. The "last updated" date at the top reflects the most recent revision.