Privacy Policy

Stackorithm LLC ("Stackorithm," "we," "us," or "our"), a company incorporated in Saint Vincent and the Grenadines, operates a B2B SaaS platform providing AI-powered behavioral detection and risk-scoring analytics for trading businesses, including proprietary trading firms, forex brokerages, and CRM platforms. This Privacy Policy, which incorporates our Data Processing Agreement terms, describes how we collect, use, store, and protect information in connection with your use of our platform, dashboard, and API services (collectively, the "Service").

This Policy applies to all users of the Service, including Client administrators, authorized personnel, and API integration partners. It governs the processing of personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and other applicable data protection laws.

Stackorithm processes trade data submitted by business clients ("Clients"), including orders, deal records, volumes, and timestamps. Our platform is designed to operate on anonymized or pseudonymized trade data and does not require personally identifiable information ("PII") from individual traders. The analytical outputs we produce are behavioral confidence scores and risk flags derived from the data provided by Clients.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you are accessing the Service on behalf of a business entity, you represent that you have the authority to bind that entity to this Policy.

This Privacy Policy is governed by the laws of England and Wales, without regard to conflict of law principles.

We collect information in three categories: (1) account and business information, (2) trade data, and (3) technical data.

Account and Business Information When registering for and managing the Service, Clients provide account information including names and email addresses of authorized personnel, company name and registration details, billing and payment information, API credentials and access tokens, and records of communications with our support team. This information is necessary to provision, maintain, and support the Service.

Trade Data Trade data submitted for analysis may include order records and deal identifiers, trade volumes and instrument types, timestamps and execution details, account-level identifiers, and other structured trading activity data. This data is processed at the account or behavioral-pattern level. Clients are responsible for ensuring that any data they submit has been appropriately anonymized or pseudonymized in accordance with their own data governance obligations.

Technical Data We automatically collect technical and usage data when you interact with the Service, including IP addresses and geolocation data, browser type, device information, and API client identifiers, session duration and feature usage patterns, error logs and diagnostic information, and authentication and access timestamps. This information supports platform security, performance monitoring, and service improvement.

In accordance with GDPR Article 6, we process personal data based on the following legal grounds:

Contractual Necessity (Article 6(1)(b)) We process account information and trade data as necessary to perform our contractual obligations to Clients. This includes account provisioning, service delivery, billing, and customer support.

Legitimate Interests (Article 6(1)(f)) We process technical data for platform security, fraud prevention, service optimization, and improving our analytical capabilities. We have conducted legitimate interest assessments to balance our interests against the rights and freedoms of data subjects.

Legal Obligation (Article 6(1)(c)) We process data as required to comply with applicable laws, including financial services regulations, tax obligations, and lawful requests from governmental authorities.

Consent (Article 6(1)(a)) Where we use Client-specific trade data to train or improve machine learning models, we do so only with the Client's explicit opt-in consent. Clients may withdraw this consent at any time by contacting [email protected].

We do not process special categories of personal data (Article 9) or personal data relating to criminal convictions and offenses (Article 10).

Account and Business Information We use account information to create and manage Client accounts, authenticate users and API integrations, process billing and subscription management, provide customer support, communicate service updates and policy changes, and comply with legal and regulatory requirements.

Trade Data Trade data submitted to the platform is used exclusively to generate the analytical outputs contracted by the Client, specifically behavioral confidence scores, risk flags, and pattern detection reports. We do not use submitted trade data to provide financial advice, make trading recommendations, or generate outputs for individual traders. All analytical outputs are delivered to the Client for their internal use.

Model Training We may use aggregated, de-identified, and statistically anonymized data to improve our machine learning models and develop new features. Such aggregated data cannot reasonably identify any individual trader or Client. We will not use Client-specific trade data to train models without explicit opt-in consent from the Client.

Technical Data We use technical data to monitor platform health and availability, investigate and respond to security incidents, diagnose performance issues, optimize the user experience, and maintain audit trails for compliance purposes.

Marketing Communications We may use contact information to send product announcements and feature updates. Recipients may opt out at any time via the unsubscribe mechanism in such communications or by contacting [email protected].

This section constitutes the Data Processing Agreement ("DPA") between Stackorithm and the Client, as integrated into this Privacy Policy. These terms apply where Stackorithm processes personal data on behalf of a Client.

Roles and Responsibilities For personal data submitted by Clients through the Service, the Client acts as the Data Controller, determining the purposes and means of processing. Stackorithm acts as the Data Processor, processing personal data only on documented instructions from the Client. Where Stackorithm determines the purposes and means of processing (such as for account management), Stackorithm acts as the Data Controller.

Processing Instructions Stackorithm shall process personal data only in accordance with the Client's documented instructions, as set forth in the service agreement and this Privacy Policy, unless required to do so by applicable law. In such case, Stackorithm shall inform the Client of that legal requirement before processing, unless prohibited by law.

Confidentiality Stackorithm ensures that all personnel authorized to process personal data have committed to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Security Measures Stackorithm implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of personal data in transit and at rest, measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, procedures for regular testing and evaluation of security measures, and access controls limiting personnel access to personal data.

Data Subject Rights Assistance Stackorithm shall assist the Client in fulfilling its obligation to respond to data subject requests, including requests for access, rectification, erasure, restriction, data portability, and objection. Upon receiving a data subject request, Stackorithm shall promptly notify the Client and shall not respond directly unless authorized by the Client or required by law.

Breach Notification Assistance Stackorithm shall notify the Client without undue delay upon becoming aware of a personal data breach affecting Client data, and shall assist the Client in complying with its breach notification obligations under applicable law.

Data Protection Impact Assessments Stackorithm shall provide reasonable assistance to the Client in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under GDPR Articles 35 and 36.

Audit Rights Upon reasonable notice and subject to appropriate confidentiality undertakings, Stackorithm shall make available to the Client information necessary to demonstrate compliance with these data processing terms and shall allow for and contribute to audits conducted by the Client or an auditor mandated by the Client.

Return and Deletion Upon termination of the service agreement, Stackorithm shall, at the Client's election, return or delete all personal data processed on behalf of the Client, unless retention is required by applicable law.

Stackorithm does not currently engage any sub-processors for the processing of Client personal data. All data processing is performed in-house by Stackorithm personnel.

Should Stackorithm engage sub-processors in the future, we shall maintain an up-to-date list of sub-processors and notify Clients of any intended changes. Clients shall have the opportunity to object to new sub-processors on reasonable grounds related to data protection. Any sub-processor engaged shall be bound by data protection obligations no less protective than those in this Privacy Policy.

Clients may request the current sub-processor list at any time by contacting [email protected].

Stackorithm does not sell, rent, or trade Client data or trade data to third parties. We do not share Client data with advertising networks, data brokers, or any party for commercial purposes unrelated to the delivery of the Service.

Service Providers We may share information with third-party service providers who assist in operating the platform, including cloud infrastructure providers, payment processors, and customer support tools. These providers are contractually bound to process data only as directed by Stackorithm and in accordance with appropriate confidentiality and security obligations equivalent to those in this Policy.

Legal Requirements We may disclose information if required by applicable law, regulation, court order, or governmental authority, or if we believe in good faith that such disclosure is necessary to protect the rights, property, or safety of Stackorithm, our Clients, or others. We shall notify the affected Client to the extent permitted by law before making such disclosure.

Business Transfers In the event of a merger, acquisition, asset sale, or corporate restructuring, Client data may be transferred to the successor entity, subject to equivalent privacy protections. We will provide notice of any such transfer that materially affects the handling of Client data.

No Sale of Personal Information For purposes of the CCPA, Stackorithm does not "sell" or "share" personal information as those terms are defined in the CCPA. We have not sold or shared personal information in the preceding twelve months.

Stackorithm implements technical and organizational security measures appropriate to the risk, designed to protect data against unauthorized access, disclosure, alteration, or destruction.

Technical Measures Our security measures include encryption of data in transit using TLS 1.2 or higher, encryption of data at rest using industry-standard algorithms, API authentication via secure token mechanisms with rate limiting, intrusion detection and prevention systems, regular vulnerability assessments and penetration testing, and secure software development practices.

Organizational Measures We maintain access controls and role-based permissions limiting personnel access to data, confidentiality agreements with all personnel, security awareness training for employees, documented incident response procedures, and regular review and testing of security policies.

Infrastructure Client data is stored on cloud infrastructure located in the EU region. We maintain logical separation between Client data environments to prevent cross-Client data exposure.

Client Responsibilities Clients are responsible for maintaining the security of their API credentials, dashboard login credentials, and any data they transmit to or from the platform. Clients should use strong, unique passwords, enable multi-factor authentication where available, and promptly notify us at [email protected] if they suspect unauthorized access.

Limitations No security system is impenetrable. While we take reasonable steps to protect data, we cannot guarantee absolute security.

In the event of a personal data breach affecting Client data, Stackorithm shall notify the affected Client without undue delay and in any event within 72 hours after becoming aware of the breach.

Notification Contents Our breach notification shall include a description of the nature of the breach, including where possible the categories and approximate number of data subjects and records concerned, the name and contact details of our data protection contact, a description of the likely consequences of the breach, and a description of the measures taken or proposed to address the breach and mitigate its effects.

Client Notification Obligations Upon receiving breach notification from Stackorithm, the Client, as Data Controller, is responsible for determining whether notification to supervisory authorities and affected data subjects is required under applicable law, including GDPR Article 33 (notification to supervisory authority within 72 hours) and GDPR Article 34 (notification to data subjects where the breach is likely to result in high risk).

Cooperation Stackorithm shall cooperate with the Client in investigating the breach, implementing remedial measures, and fulfilling the Client's notification obligations. We shall document all breaches, including their effects and the remedial actions taken.

Contact To report a suspected breach or security incident, contact [email protected] immediately.

Account Information We retain account and business information for as long as a Client account remains active and for a period of six years thereafter, to fulfill legal, contractual, and operational obligations, including tax requirements, dispute resolution, and agreement enforcement.

Trade Data Trade data submitted for analysis is retained for the period necessary to deliver the contracted analytical outputs and to support audit, dispute resolution, or support requests. The default retention period is specified in the service agreement. Clients may request deletion of submitted trade data at any time by contacting [email protected], subject to any retention obligations imposed by applicable law.

Technical Data Technical logs and usage data are retained for up to 24 months for security monitoring and service improvement purposes, after which they are deleted or anonymized.

Aggregated Data Aggregated and de-identified analytical data, which cannot be used to reconstruct Client-specific trade data or identify individuals, may be retained indefinitely for model improvement and platform development.

Post-Termination Upon termination of a Client's subscription, we shall retain account data for 90 days to facilitate transition or data export requests. Thereafter, data shall be securely deleted or anonymized in accordance with our data lifecycle procedures, except where retention is required by law.

Deletion Requests To request data deletion, contact [email protected]. We shall confirm deletion within 30 days.

For individuals located in the European Economic Area, United Kingdom, or Switzerland, the following rights apply under GDPR:

Right of Access (Article 15) You have the right to obtain confirmation of whether we process your personal data, access to that data, and information about our processing activities.

Right to Rectification (Article 16) You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure (Article 17) You have the right to have your personal data deleted where it is no longer necessary for the purposes for which it was collected, you withdraw consent, you object to processing and there are no overriding legitimate grounds, the data was unlawfully processed, or erasure is required by law.

Right to Restriction (Article 18) You have the right to restrict processing where you contest the accuracy of the data, the processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected to processing pending verification of legitimate grounds.

Right to Data Portability (Article 20) You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit that data to another controller.

Right to Object (Article 21) You have the right to object to processing based on legitimate interests. We shall cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

Rights Related to Automated Decision-Making (Article 22) See the Automated Decision-Making section below.

Exercising Your Rights To exercise these rights, contact [email protected]. We shall respond within one month, extendable by two months for complex requests. We may request verification of your identity before processing your request.

Complaints You have the right to lodge a complaint with a supervisory authority. For Clients in the EEA, you may contact your local data protection authority.

For California residents, the following additional rights apply under the California Consumer Privacy Act:

Right to Know You have the right to request that we disclose the categories of personal information collected, the sources from which it was collected, our business purpose for collecting it, the categories of third parties with whom we share it, and the specific pieces of personal information we have collected about you.

Right to Delete You have the right to request deletion of personal information we have collected, subject to certain exceptions including where retention is necessary to complete a transaction, detect security incidents, comply with legal obligations, or exercise free speech rights.

Right to Correct You have the right to request correction of inaccurate personal information.

Right to Opt-Out of Sale or Sharing Stackorithm does not sell or share personal information as defined under the CCPA. No opt-out is necessary.

Right to Non-Discrimination We will not discriminate against you for exercising your CCPA rights. We will not deny goods or services, charge different prices, provide different quality, or suggest different treatment based on your exercise of privacy rights.

Authorized Agents You may designate an authorized agent to submit requests on your behalf. We may require verification of the agent's authority and your identity.

Exercising Your Rights To exercise these rights, contact [email protected] with the subject line "CCPA Request." We shall respond within 45 days, extendable by an additional 45 days for complex requests.

Categories of Information In the preceding twelve months, we have collected: identifiers (name, email, IP address), commercial information (transaction records), internet activity information (usage logs), and professional information (company name, role).

Infrastructure Location Stackorithm's data infrastructure is located in the European Union region. Client data is stored and processed within the EU.

Transfers Outside the EEA Where personal data is transferred outside the European Economic Area, we implement appropriate safeguards to ensure an adequate level of protection:

Standard Contractual Clauses: We use the European Commission's Standard Contractual Clauses (SCCs) for transfers to countries without an adequacy decision.

Adequacy Decisions: Where transfers are to countries with an EU adequacy decision (such as the United Kingdom under the EU-UK Trade and Cooperation Agreement), we rely on that decision.

Supplementary Measures: Where required, we implement supplementary technical and organizational measures, including encryption and access controls, to address specific risks in the destination country.

UK Transfers For transfers of personal data from the United Kingdom, we comply with the UK GDPR and the Data Protection Act 2018, using the UK International Data Transfer Agreement or UK Addendum to the EU SCCs as appropriate.

Swiss Transfers For transfers from Switzerland, we comply with the Swiss Federal Act on Data Protection and implement the Swiss-specific Standard Contractual Clauses where required.

Client Assessment Clients transferring personal data to Stackorithm from jurisdictions with transfer restrictions are responsible for ensuring that their transfers comply with applicable law. Stackorithm shall provide reasonable assistance in conducting transfer impact assessments upon request.

Data Transfer Inquiries For questions about international data transfers, contact [email protected].

Nature of Processing Stackorithm's Service uses automated processing, including machine learning algorithms, to analyze trade data and generate behavioral confidence scores, risk flags, and pattern detection outputs. This processing is integral to the analytical services we provide.

No Solely Automated Decisions Stackorithm's analytical outputs are provided to Clients as decision-support tools. The outputs do not constitute decisions that produce legal effects concerning individuals or similarly significantly affect them. Clients, as Data Controllers, make any final decisions regarding their traders or customers based on these outputs.

Client Responsibilities Where a Client uses Stackorithm's outputs to make decisions that produce legal effects or similarly significantly affect individuals (such as account suspension or termination), the Client is responsible for ensuring human review of such decisions, providing meaningful information about the logic involved, and enabling data subjects to contest the decision and obtain human intervention.

Transparency Our analytical models assess patterns in trade data, including order timing, volume patterns, instrument correlations, and behavioral sequences. The models identify patterns associated with specific trading behaviors based on historical data analysis.

Model Training We train our models on aggregated, anonymized datasets. Client-specific data is used for model training only with explicit opt-in consent. Clients may withdraw this consent at any time.

Logic Disclosure Upon request, we can provide Clients with general information about the logic involved in our automated processing, the significance of the processing, and the envisaged consequences for data subjects whose data is analyzed. Such requests should be directed to [email protected].

The Stackorithm dashboard uses cookies and similar technologies to provide a functional and secure experience.

Essential Cookies Session cookies are necessary for dashboard operation, maintaining authentication state and security. These cookies are deleted when you close your browser.

Functional Cookies Persistent cookies or local storage may be used to remember user preferences, such as display settings or dashboard configurations. These cookies do not track individual traders or collect trade data.

Analytics We may use analytics tools to collect aggregated, anonymized data about dashboard usage, such as feature access patterns and error occurrences. This data supports product improvement and does not include trade data or PII about individual traders.

Managing Cookies You can manage cookie preferences through your browser settings. Disabling certain cookies may affect dashboard functionality.

API Our API does not use cookies. API interactions are authenticated via secure tokens.

Do Not Track Our systems do not currently respond to browser "Do Not Track" signals. However, you may manage cookies as described above.

Stackorithm's Service is a B2B platform intended for use by business entities and their authorized personnel. The Service is not directed to individuals under the age of 18, and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe that a child has provided us with personal information, please contact [email protected]. If we become aware that we have collected personal information from a child without verification of parental consent, we will take steps to delete that information.

We may update this Privacy Policy to reflect changes in our practices, the Service, or applicable legal requirements.

Notification of Changes When we make material changes, we will notify Clients via email to the address associated with their account and through a prominent notice within the dashboard at least 30 days before the changes take effect. We will update the "Last Updated" date at the top of this Policy.

Material Changes Material changes include modifications to the categories of data collected, the purposes of processing, data sharing practices, data subject rights, or security measures.

Continued Use Your continued use of the Service following the effective date of changes constitutes your acceptance of the updated Policy. If you do not agree with the changes, you should discontinue use of the Service and contact us to discuss your options.

Review We encourage Clients to review this Policy periodically. Prior versions of this Policy are available upon request.

For questions, concerns, or requests regarding this Privacy Policy or our data handling practices:

Stackorithm LLC Incorporated in Saint Vincent and the Grenadines

Legal Contact Email: [email protected] Website: stackorithm.co

Response Times We aim to respond to all privacy-related inquiries within 30 days. Complex requests may require additional time, and we will notify you if an extension is necessary.

Data Protection Inquiries For data protection matters, including data subject requests, breach reports, or DPA inquiries, contact [email protected].

Governing Law This Privacy Policy is governed by the laws of England and Wales. Any disputes arising from this Policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.