⚜ XAUUSD DESK
Terms Home

Privacy Policy

Last updated: [DATE]
Template — not yet legal advice. This draft describes the data XAUUSD Desk actually collects and the processors it actually uses, so a solicitor or privacy specialist has an accurate starting point. It has not been legally reviewed and is not a compliant policy as-is. Complete the bracketed [PLACEHOLDERS] and have it reviewed before relying on it, especially for UK GDPR / EU GDPR obligations.

1. Who is responsible for your data

The data controller is [COMPANY LEGAL NAME], contactable at [CONTACT EMAIL], at [REGISTERED ADDRESS]. [If you appoint a Data Protection Officer or UK/EU representative, name them here.]

2. What data we collect

  • Account data: your email address and a securely hashed password (handled by our authentication provider — we never see your password in plain text).
  • Subscription data: your plan (free/pro) and, for paying users, a Stripe customer identifier. Card details are handled by Stripe and are not stored by us.
  • Preferences: whether you have opted in to the daily brief email.
  • Telegram data (optional, Pro): if you connect Telegram, we store your Telegram chat identifier so we can send alerts, and any custom price-alert levels you set.
  • Technical data: your browser stores a session token and cached market data locally (see “Cookies and local storage” below). Our infrastructure providers may process standard technical information such as IP addresses and request logs.

We do not collect special-category personal data, and we do not knowingly collect data from anyone under [18].

3. Why we use it, and our legal basis

  • To provide the Service (accounts, plan gating, dashboard) — legal basis: performance of our contract with you.
  • To take payment and manage subscriptions — performance of contract.
  • To send the daily brief email — your consent, which you can withdraw at any time from your Account page.
  • To send Telegram alerts — performance of contract for Pro users who choose to connect Telegram.
  • To keep the Service secure and working — our legitimate interests in operating and protecting the Service.

4. Who processes your data (sub-processors)

We share data only with the service providers needed to run XAUUSD Desk:

  • Supabase — authentication and database (email, plan, preferences, Telegram id, alerts).
  • Cloudflare — website hosting, serverless functions, and stored application data.
  • Stripe — payment processing and subscription billing.
  • Resend — sending the daily brief email.
  • Telegram — delivering alerts to users who connect it.

We do not sell your personal data. Some of these providers are based in, or process data in, the United States or other countries outside the UK/EEA; where that happens, transfers are intended to rely on appropriate safeguards such as Standard Contractual Clauses. [Confirm each provider’s transfer mechanism with a specialist.]

5. How long we keep it

We keep your account data for as long as your account is active. If you delete your account, we delete or anonymise your personal data within [a reasonable period, e.g. 30 days], except where we must retain certain records (for example, payment and tax records held by Stripe or required by law). [Confirm retention periods with a solicitor/accountant.]

6. Your rights

Subject to applicable law, you have the right to:

  • access the personal data we hold about you;
  • ask us to correct inaccurate data;
  • ask us to delete your data (“right to erasure”);
  • object to or restrict certain processing;
  • withdraw consent (for example, unsubscribe from the daily brief) at any time;
  • request a portable copy of data you provided to us.

To exercise any of these, contact [CONTACT EMAIL]. You also have the right to complain to a supervisory authority — in the UK, the Information Commissioner’s Office (ICO) at ico.org.uk.

7. Cookies and local storage

We do not use third-party advertising or tracking cookies. The Service uses your browser’s local storage to keep you signed in (your authentication session) and to cache market data so the dashboard loads quickly. This information stays in your browser; clearing your browser storage removes it and signs you out. [If you later add analytics or any non-essential cookies, add a cookie banner and update this section.]

8. Security

Passwords are hashed by our authentication provider, sensitive keys are held as server-side secrets and never exposed to the browser, and access to change your plan is restricted to our backend. No system is perfectly secure, but we take reasonable measures to protect your data.

9. Changes to this policy

We may update this policy from time to time. Material changes will be notified by email or on the Service, with an updated “Last updated” date above.

10. Contact

Questions or data requests: [CONTACT EMAIL].

← Back to XAUUSD Desk · Terms of Service