The fine print.

Terms of service

These terms govern your use of PipSync ("we", "us"). The current contracting-entity status and contact details are listed in the Impressum. By creating an account you accept these terms.

1. What PipSync does

PipSync is a signal-to-execution routing platform. We receive signals from sources you configure, optionally transform them, and submit orders to brokers on your behalf. We do not provide investment advice. We are not a broker-dealer. We do not hold client funds.

2. Your responsibilities

• You are solely responsible for the trading decisions executed through PipSync, including any rules, sources, and signal providers you connect.
• You must comply with the terms of service of every broker and signal source you connect.
• You must keep your account credentials secure. Enable 2FA.

3. Fees & cancellation

Subscriptions are billed monthly or annually in advance. You may cancel any time — access continues until the end of the current billing period. Consumer withdrawal and refund requests follow our refunds policy, including the rule that withdrawal rights may expire once you activate signal-copy.

4. Suspension & termination

We may suspend accounts that demonstrably violate broker TOS, engage in market abuse, or attempt to reverse-engineer the platform. We'll notify you before any suspension except in cases of ongoing abuse.

5. Liability

PipSync is provided "as-is". To the maximum extent permitted by law, our aggregate liability is capped at the fees you paid in the preceding 12 months. We are not liable for broker-side outages, slippage, or your own rule configurations.

6. Governing law

These terms are governed by the laws of the Republic of Cyprus. Exclusive jurisdiction: Limassol. Consumers retain their statutory rights regardless.

Privacy policy

We collect only what we need to run the service. Namely:

• Account data: email, name, billing address.
• Broker credentials: API keys and tokens — stored through app-managed credential-encryption helpers when storage is required and never shown back in plaintext.
• Signal & order data: the things you route through us. Retained 12 months (Ultra: 3 years) for audit.
• Product analytics: page views, feature usage — pseudonymised, no third-party trackers.

We do not sell or share your data with advertisers. We do not profile you for marketing. Subprocessors are listed in the DPA.

You can request data export or deletion from Account settings where available, or by emailing [email protected].

Risk disclosure

PipSync is a technical routing tool. We do not assess whether any signal, source, or trade is suitable for you. We do not recommend specific trades, sources, or brokers. Connecting a third-party signal source means you accept its risks — including the possibility that the source is wrong, inconsistent, or malicious.

Server-side risk controls (DD caps, position sizing, news blockers) exist to help you manage risk, not eliminate it. In extreme market conditions, slippage, gaps, and broker-side suspensions can produce fills outside your configured limits.

Cookies

We use a small number of strictly-necessary cookies to authenticate your session and remember UI preferences (dark mode, time-zone, etc.). We do not use any cookies for advertising, retargeting, or cross-site tracking.

Optional analytics cookies (self-hosted, aggregated, no fingerprinting) require your consent on first visit and can be disabled from the cookie prompt, Account settings where available, or by contacting privacy support.

Technical and organisational measures (TOMs)

High-level summary of measures we apply to protect personal data (Art. 32 GDPR). This is descriptive, not an exhaustive security specification.

• Access control: role-based access, least-privilege service accounts, and administrative actions protected with strong authentication (including 2FA for admin operations where enforced).
• Encryption: TLS for data in transit; broker credentials and other sensitive fields encrypted at rest with app-managed encryption where stored.
• Logging and audit: security-relevant events and administrative actions logged with append-only patterns where implemented; operational logs designed to avoid unnecessary personal data.
• Backups and availability:infrastructure-level redundancy and backups according to our hosting provider's practices; restore testing is an operational responsibility.
• Incident response: security contact published below; suspected incidents should be reported to [email protected].
• Subprocessors: review before onboarding, written arrangements where required, and the public register at /legal/subprocessors.

DPA & subprocessors

A draft Data Processing Addendum and subprocessor list are available to customers on request for legal review. Email [email protected].

The canonical public subprocessor register (table) lives at /legal/subprocessors and is versioned together with this page.

Primary subprocessors (summary):

• Hetzner Online GmbH: Cloud hosting, database, object storage — EU / EEA processing; Art. 28 DPA on request
• Stripe Payments Europe Ltd. / Stripe, Inc.: Subscription billing and payment processing — third-country safeguards: EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and Stripe data processing agreement; where applicable the EU–US Data Privacy Framework self-certification
• Resend, Inc.: Transactional email delivery — third-country safeguards: Vendor DPA + SCCs as offered by Resend; contact [email protected] for the current transfer mechanism summary
• Grafana Labs: Metrics and logs (PII-stripped operational telemetry) — third-country safeguards: Vendor DPA and SCCs as per Grafana Cloud terms; configuration targets EU region
• OpenAI, LLC: LLM-based signal/message parsing (content minimised; no marketing profiling) — third-country safeguards: EU Standard Contractual Clauses (2021/914) and OpenAI DPA / enterprise terms as applicable
• Anthropic, PBC: LLM-based signal/message parsing (content minimised; no marketing profiling) — third-country safeguards: EU Standard Contractual Clauses (2021/914) and Anthropic commercial DPA as applicable

We give customers 30 days' notice before adding or changing any subprocessor that handles personal data.

Auftragsverarbeitung / Art. 28 GDPR (AVV)

For business customers in Germany and the wider EU/EEA, processing on documented instructions under Art. 28 GDPR is reflected in our Data Processing Addendum (DPA). German customers often refer to this as an AVV (Auftragsverarbeitungsvertrag). Executed copies are provided after legal review — contact [email protected].

International transfers and Standard Contractual Clauses (SCCs)

Some subprocessors are established outside the EU/EEA or may access personal data from the United States or other third countries. Where no adequacy decision applies, we rely on appropriate safeguards recognised under Chapter V GDPR — in practice the EU Standard Contractual Clauses(Commission Implementing Decision 2021/914) together with vendor DPAs, and where applicable supplementary measures described by the vendor. Stripe may additionally rely on the EU–US Data Privacy Framework certification for certain transfers, as described in Stripe's documentation.

A per-vendor summary (including whether a third-country transfer applies) is in the table at /legal/subprocessors. PipSync does not sell personal data and does not use subprocessors for behavioural advertising.

Contact a human

Legal questions: [email protected] · Privacy: [email protected] · Security: [email protected]

Postal address and registration identifiers are published in the Impressum. They remain pending during public beta and will be finalized before paid card checkout is enabled.