Privacy Policy
Last Updated: January 16, 2026
1. Introduction
1.1 Data Controller
The data controller responsible for your personal data is:
BEWIN SOLUTIONS SRL
Drève Richelle, 161, L
1410 WATERLOO
BELGIUM
Enterprise Number: BE 0883.279.030
Email: privacy@xchangesuite.com
1.2 Scope
This Privacy Policy applies to all personal data we collect through:
- Our website at xchangesuite.com
- The Xchange Suite US ETF Pairs software platform
- The Xchange Daily newsletter
- Customer support communications
- Marketing and promotional activities
1.3 Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting a notice on our website
- Sending an email to your registered email address
- Displaying a notice within the software
Your continued use of our services after such notice constitutes acceptance of the updated Privacy Policy.
2. Information We Collect
2.1 Personal Information
We collect the following categories of personal data:
Account Information
- Identity Data: Full name, username, date of birth
- Contact Data: Email address, mailing address, phone number
- Authentication Data: Password (encrypted), two-factor authentication settings
- Billing Data: Billing address, payment method information (processed by Paddle)
Trading-Related Information
- Brokerage API Credentials: API keys for third-party brokers (e.g., Alpaca Markets) - encrypted and stored securely
- Trading Activity: Trading strategies, preferences, configurations, watchlists
- Transaction Records: Logs of trades executed through the platform (for compliance purposes)
- Performance Data: Account performance metrics, profit/loss data
Usage Data
- Technical Data: IP address, browser type and version, device type, operating system
- Usage Data: Pages visited, features used, time spent on platform, click patterns
- AI Interactions: Queries submitted to AI features, AI-generated responses
- Communication Data: Customer support messages, feedback, survey responses
2.2 Automatically Collected Information
We automatically collect certain information when you use our services:
- Cookies and Tracking Technologies: See Section 9 for details
- Log Data: Server logs recording access times, pages viewed, errors encountered
- Analytics Data: Aggregated usage statistics and platform performance metrics
2.3 Information from Third Parties
We may receive information about you from:
- Third-Party Brokers: Account verification, trading permissions (from Alpaca Markets)
- Payment Processors: Payment confirmation, billing information (from Paddle)
- Alpaca Markets: Trading activity verification (Secure Bridge architecture)
3. How We Use Your Information
3.1 Purposes of Processing
We process your personal data for the following purposes:
Service Provision (Legal Basis: Contract Performance)
- Create and manage your account
- Provide access to the Xchange Suite US ETF Pairs platform
- Execute trading-related functions through third-party APIs
- Process subscription payments and billing
- Deliver Xchange Daily newsletter content
- Provide customer support and respond to inquiries
Legal Compliance (Legal Basis: Legal Obligation)
- Comply with financial regulatory requirements (SEC, FINRA, Belgian FSMA)
- Maintain audit trails and transaction records for 6 years
- Prevent fraud, market manipulation, and money laundering
- Respond to legal requests from authorities
- Enforce our Terms of Service
Legitimate Interests (Legal Basis: Legitimate Interest)
- Improve and optimize our software and services
- Conduct data analysis and machine learning model training
- Monitor platform security and prevent unauthorized access
- Send service updates and important notifications
- Conduct internal research and development
Marketing (Legal Basis: Consent or Legitimate Interest)
- Send promotional emails about new features (with your consent)
- Provide personalized recommendations
- Conduct surveys and gather feedback
You may opt out of marketing communications at any time by clicking "unsubscribe" in our emails or updating your preferences in your account settings.
3.2 Automated Decision-Making
We use AI-powered tools (including OpenAI GPT-4) to:
- Generate market analysis and trading insights
- Detect unusual trading patterns for fraud prevention
- Personalize content recommendations
Important: These AI systems assist users but do not make binding trading decisions on your behalf. You retain full control over all trading activities.
4. How We Share Your Information
4.1 Third-Party Service Providers
We share your personal data with the following categories of third-party service providers:
Infrastructure Providers
- Vercel Inc. (United States): Website hosting and application deployment
- Neon Tech Inc. (United States): Database hosting and management
These providers are subject to EU Standard Contractual Clauses (SCCs) to ensure GDPR-compliant data transfers.
Trading and Market Data Providers
- Alpaca Markets: SEC-registered broker-dealer for ETF trade execution (Secure Bridge architecture - your API keys stay on your local machine)
We share only the minimum necessary data (API keys, trade instructions) required for these services to function.
AI and Analytics Providers
- OpenAI, LLC (United States): AI-powered market analysis and content generation (optional integration)
We anonymize data where possible when using AI services. No personally identifiable financial advice is provided by AI.
Payment Processing
- Paddle.com Market Limited (United Kingdom): Subscription billing and payment processing as Merchant of Record
Paddle is PCI-DSS compliant and acts as the Merchant of Record, handling all payment processing, tax compliance, and invoicing. We do not store credit card information on our servers.
Communication Services
- Resend (United States): Transactional email delivery
4.2 Legal and Regulatory Disclosures
We may disclose your personal data to:
- Regulatory Authorities: Belgian FSMA, U.S. SEC, FINRA, or other financial regulators
- Law Enforcement: When required by law or to respond to legal process
- Courts: In connection with legal proceedings or arbitration
- Government Agencies: To comply with tax, anti-money laundering, or sanctions obligations
4.3 Business Transfers
In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy.
4.4 No Sale of Personal Data
We do NOT sell, rent, or trade your personal data to third parties for their marketing purposes.
5. International Data Transfers
5.1 Transfers Outside the EU
As a Belgian company, we operate within the European Economic Area (EEA). However, some of our service providers are located in the United States, which means your personal data may be transferred outside the EEA.
5.2 Safeguards for Data Transfers
We ensure that all international data transfers comply with GDPR by implementing the following safeguards:
- EU Standard Contractual Clauses (SCCs): We use the European Commission's approved SCCs with all U.S.-based service providers (Vercel, Neon, OpenAI, and Alpaca Markets)
- EU-U.S. Data Privacy Framework: Where applicable, we verify that providers participate in the EU-U.S. Data Privacy Framework
- Transfer Impact Assessments (TIAs): We conduct assessments to ensure adequate protection of your data when transferred to third countries
5.3 Your Rights Regarding Data Transfers
You have the right to:
- Request information about the safeguards in place for data transfers
- Obtain a copy of the SCCs we use
- Object to data transfers in certain circumstances
6. Your Data Protection Rights (GDPR)
Under the EU General Data Protection Regulation (GDPR), you have the following rights regarding your personal data:
6.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this information in a structured, commonly used, and machine-readable format.
6.2 Right to Rectification (Article 16)
You have the right to correct any inaccurate or incomplete personal data we hold about you. You can update most information directly in your account settings.
6.3 Right to Erasure / "Right to be Forgotten" (Article 17)
You have the right to request deletion of your personal data in certain circumstances:
- The data is no longer necessary for the purposes for which it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data was unlawfully processed
Note: We may be required to retain certain data for legal compliance (e.g., 6-year retention for financial records under SEC/FINRA rules).
6.4 Right to Restriction of Processing (Article 18)
You have the right to request that we limit how we use your personal data in certain situations, such as when you contest the accuracy of the data or object to our processing.
6.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, machine-readable format and to transmit it to another service provider, where technically feasible.
6.6 Right to Object (Article 21)
You have the right to object to processing of your personal data where:
- We process data based on legitimate interests
- We use your data for direct marketing purposes
- We use your data for scientific or historical research
6.7 Right to Withdraw Consent (Article 7(3))
Where we process your data based on consent, you have the right to withdraw that consent at any time. This does not affect the lawfulness of processing before withdrawal.
6.8 Right to Lodge a Complaint
If you believe we have not handled your personal data properly, you have the right to lodge a complaint with the Belgian Data Protection Authority:
Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)
Drukpersstraat 35
1000 Brussels, Belgium
Website: www.autoriteprotectiondonnees.be
Email: contact@apd-gba.be
6.9 How to Exercise Your Rights
To exercise any of these rights, please contact us at:
- Email: privacy@xchangesuite.com
- Subject line: "GDPR Data Subject Request"
We will respond to your request within 30 days (extendable to 60 days for complex requests). We may request additional information to verify your identity before processing your request.
7. Data Security
7.1 Security Measures
We implement industry-standard technical and organizational measures to protect your personal data, including:
Technical Safeguards
- Encryption: All data in transit is protected using TLS/SSL encryption. Sensitive data at rest (e.g., API keys, passwords) is encrypted using AES-256.
- Access Controls: Role-based access control (RBAC) limits employee access to personal data on a need-to-know basis.
- Authentication: Multi-factor authentication (MFA) is available for all user accounts.
- Monitoring: Continuous monitoring for suspicious activities, unauthorized access attempts, and security threats.
- Secure APIs: API communications with third parties use OAuth 2.0 and encrypted API keys.
Organizational Safeguards
- Employee Training: Regular security and data protection training for all staff
- Data Minimization: We collect only the data necessary for our services
- Regular Audits: Periodic security assessments and penetration testing
- Incident Response Plan: Documented procedures for handling data breaches
7.2 Data Breach Notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will:
- Notify the Belgian Data Protection Authority within 72 hours of becoming aware of the breach (GDPR Article 33)
- Notify affected users within 30 days of discovering the breach (in accordance with U.S. SEC Regulation S-P)
- Provide details about the nature of the breach, data affected, and steps being taken
- Recommend actions you can take to protect yourself
7.3 Your Responsibilities
You are responsible for:
- Maintaining the confidentiality of your account credentials
- Using strong, unique passwords
- Enabling two-factor authentication
- Notifying us immediately if you suspect unauthorized access
8. Data Retention
8.1 Retention Periods
We retain your personal data for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by law.
| Data Type | Retention Period | Legal Basis |
|---|---|---|
| Account Information | Duration of account + 6 years | SEC/FINRA compliance |
| Trading Records | 6 years after last transaction | SEC Rule 17a-4, FINRA Rule 4511 |
| Payment Information | 6 years after last payment | Tax and accounting obligations |
| Marketing Communications | Until consent withdrawn + 30 days | GDPR consent requirements |
| Support Tickets | 3 years after resolution | Customer service quality |
| Usage Analytics | 2 years (anonymized after 12 months) | Service improvement |
8.2 Deletion After Retention Period
After the applicable retention period, we will:
- Permanently delete your personal data from our active systems
- Anonymize data used for analytics and research
- Securely destroy backup copies containing your data
8.3 Legal Holds
We may retain data beyond the standard retention period if required by:
- Pending legal proceedings or investigations
- Regulatory inquiries or audits
- Legitimate legal claims or disputes
9. Cookies and Tracking Technologies
9.1 What Are Cookies?
Cookies are small text files stored on your device when you visit our website. They help us provide and improve our services.
9.2 Types of Cookies We Use
Essential Cookies (Always Active)
These cookies are necessary for the website to function and cannot be disabled:
- Session management and authentication
- Security and fraud prevention
- Load balancing and performance optimization
Functional Cookies (Optional)
These cookies enhance your experience:
- Remembering your preferences (language, theme)
- Saving your trading configurations
- Providing personalized content
Analytics Cookies (Optional)
These cookies help us understand how users interact with our platform:
- Usage statistics (pages visited, features used)
- Performance monitoring
- Error tracking and debugging
9.3 Managing Cookies
You can control cookies through:
- Our Cookie Consent Banner: Displayed on your first visit, allowing you to accept or reject non-essential cookies
- Browser Settings: Most browsers allow you to block or delete cookies. Refer to your browser's help documentation.
- Account Preferences: Manage cookie preferences in your account settings
Note: Blocking essential cookies may prevent you from using certain features of our platform.
9.4 Third-Party Cookies
Some third-party services may set their own cookies:
- Paddle: Payment processing and fraud prevention
- Vercel: Performance and security analytics
These third-party cookies are subject to the respective privacy policies of these companies.
10. Children's Privacy
Our services are not intended for individuals under the age of 21 years. We do not knowingly collect personal data from children.
If we become aware that we have inadvertently collected personal data from a person under 21, we will take steps to delete that information as soon as possible.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@xchangesuite.com.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: Request disclosure of categories and specific pieces of personal information we collect
- Right to Delete: Request deletion of your personal information (subject to legal exceptions)
- Right to Opt-Out: We do not sell personal information, so no opt-out is necessary
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at privacy@xchangesuite.com with "CCPA Request" in the subject line.
12. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Data Protection Inquiries
BEWIN SOLUTIONS SRL - Privacy Team
Email: privacy@xchangesuite.com
Postal Address:
Drève Richelle, 161, L
1410 WATERLOO, BELGIUM
General Support
Email: support@xchangesuite.com
Data Protection Officer (DPO)
For specific GDPR-related inquiries:
Email: dpo@xchangesuite.com
13. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect:
- Changes in our data practices
- New features or services
- Legal or regulatory requirements
- User feedback and best practices
We will notify you of material changes by:
- Posting a prominent notice on our website
- Sending an email notification to your registered address
- Displaying an in-app notification
The "Last Updated" date at the top of this policy indicates when it was most recently revised.
Last Updated: January 11, 2025
Version 1.0
