Skip to main content
HomePrivacy

Privacy Policy

Last updated: May 2026

1. Who We Are

PipSync ("we", "us", "our") operates the pipsync.io platform, a cloud-based trading signal automation service. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website and services.

The identity and contact details of the controller (including registered address and identifiers once available) are published in our Imprint / Impressum. If you read this policy without visiting the Impressum, please use that page to confirm the current legal entity and postal address.

2. Data We Collect

We collect the following categories of data:

  • Account data: Email address, name, and authentication credentials when you register.
  • Broker credentials: MT5/cTrader login details required to execute trades on your behalf. These are stored through app-managed credential encryption when storage is required and are not exposed via API responses or logs.
  • Trading data: Signal history, trade execution logs, and performance metrics generated through your use of the platform.
  • Usage data: Browser type, IP address, pages visited, and interaction patterns collected via standard web analytics.
  • Payment data: Billing information processed by our payment provider (Stripe). We do not store full card numbers.

3. How We Use Your Data

  • Provide and maintain the service (including executing trades and delivering analytics) — Art. 6(1)(b) GDPR.
  • Authenticate and secure your account — Art. 6(1)(b) GDPR.
  • Process payments and subscriptions — Art. 6(1)(b) GDPR.
  • Service-related notifications (e.g. trade alerts, drawdown warnings) — Art. 6(1)(b) GDPR.
  • Improve the platform (aggregated, anonymised usage) — Art. 6(1)(f) GDPR; balancing test on file.
  • Comply with legal obligations — Art. 6(1)(c) GDPR.

A consolidated mapping of purposes to legal bases (including Art. 13(1)(d) legitimate interests where applicable) is in Section 10 below.

4. Data Storage & Security

All data is transmitted over TLS (HTTPS). Broker credentials are encrypted at rest with app-managed AES-GCM encryption and are not exposed via API responses or logs. PipSync is designed for EU-hosted deployment, strict access controls, and audit logging. Independent SOC 2/vendor evidence, external penetration-test records, and formal legal review are tracked as production-readiness items before any compliance claim is made.

5. Data Sharing

We do not sell your personal data. We share data only with:

  • Your broker: Credentials and trade instructions necessary to execute orders.
  • Payment processors: Stripe, for subscription billing.
  • Infrastructure providers: Cloud hosting and monitoring services, under strict data processing agreements.
  • Legal authorities: When required by law or to protect our rights.

6. International Data Transfers (Art. 13(1)(f) GDPR)

Some of our subprocessors are located outside the European Union / European Economic Area or may access personal data from third countries (in particular the United States). Where the European Commission has not issued an adequacy decision, we use appropriate safeguards under Chapter V GDPR — typically the EU Standard Contractual Clauses(Commission Implementing Decision 2021/914) together with the vendor's data processing agreement. Stripe may additionally rely on the EU–US Data Privacy Framework as described in Stripe's documentation for certain transfers.

An up-to-date list of subprocessors, locations, and a short summary of safeguards is published at /legal/subprocessors. Further contractual context is in our legal centre under DPA & subprocessors.

7. Your Rights

Under GDPR and applicable data protection laws, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data ("right to be forgotten").
  • Export your data in a portable format.
  • Withdraw consent for optional data processing at any time.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, contact us at [email protected].

8. Cookies

We use essential cookies for authentication and session management. We use analytics cookies only with your consent. You can manage cookie preferences in your browser settings.

9. Automated Decision-Making & Profiling (Art. 22 GDPR)

PipSync uses machine-learning (ML) models to generate and execute trading signals on your behalf. This constitutes automated processing that produces decisions with a legal or similarly significant financial effect within the meaning of Art. 22 GDPR.

What systems are involved?

  • MegaBot / ML Pipeline (v10–v15): LightGBM and XGBoost ensemble models trained on multi-timeframe OHLCV market data. Outputs a directional signal (long / short / flat) and a conviction score used to size positions.
  • SNIPER (v13): Three-stage filter (primary gate → meta-labeler → execution quality). Clusters symbols into CORE / SATELLITE / VENTURE tiers. Applies drawdown-protection circuit breakers at both cluster and portfolio level.
  • RL Trader: Reinforcement-learning agents (PPO / TD3) trained via walk-forward simulation. Produces a continuous action signal in [-1, 1] that is translated into a position size.

Which data does the system use?

  • Historical and live market price data (OHLCV candles, tick data) — not personal data.
  • Your connected broker account credentials, used solely to submit, modify, or close orders.
  • Your risk parameters (lot size, max drawdown, account balance) as configured by you in the platform.

Logic and safeguards (high-level)

Models generate a signal and a confidence score. Position sizing applies Kelly-fraction caps and per-cluster drawdown multipliers. Circuit breakers halt trading automatically when daily loss or consecutive-loss thresholds are reached. No model has access to your identity, health, race, religion, or any GDPR special-category data. All training data is market data only.

Legal basis

Automated trading decisions are necessary for the performance of the contract between you and PipSync (Art. 22(2)(a) GDPR in conjunction with Art. 6(1)(b) GDPR). You subscribed to an automated signal-execution service; manual review of every signal by PipSync staff before execution would make the service technically impossible.

Your right to object & opt-out

You have the right to object to automated processing at any time. You may also request that a human at PipSync review any specific decision (Art. 22(3) GDPR). To exercise this right, contact [email protected].

Practical effect of opt-out: Because automated signal execution is the core function of PipSync, opting out of all automated decision-making means the platform will no longer be able to execute trades on your behalf. Your account data will be retained in accordance with Section 11 below, and you may cancel your subscription at any time without penalty.

10. Legal Basis for Processing (Art. 13(1)(c)+(d) GDPR)

The table below specifies the legal basis for each processing purpose as required by Art. 13(1)(c) GDPR, and where applicable the legitimate interests pursued (Art. 13(1)(d) GDPR).

Processing purposeLegal basisArt. 6 GDPR
Account registration & authenticationPerformance of contractArt. 6(1)(b)
Automated trade execution (ML signals)Performance of contract · Art. 22(2)(a)Art. 6(1)(b)
Broker credential storage & usePerformance of contractArt. 6(1)(b)
Payment & subscription billing (via Stripe)Performance of contractArt. 6(1)(b)
Service notifications (trade alerts, drawdown warnings)Performance of contractArt. 6(1)(b)
Platform analytics & performance improvement (anonymised)Legitimate interests — improving service reliabilityArt. 6(1)(f)
Security monitoring & fraud preventionLegitimate interests — protecting users & platformArt. 6(1)(f)
Optional analytics cookies (non-essential)ConsentArt. 6(1)(a)
Retention of trading data post-closure (24 months)Compliance with legal obligationArt. 6(1)(c)
Disclosure to legal authoritiesCompliance with legal obligationArt. 6(1)(c)

Where processing is based on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test and concluded that our interests are not overridden by your fundamental rights, given the limited nature of the data processed and the security measures applied.

11. Data Retention

We retain your account data for the duration of your account. Trading data is retained for up to 24 months after account closure for compliance purposes. You may request earlier deletion by contacting us.

12. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email or an in-app notification. Continued use of PipSync after changes constitutes acceptance.

13. Contact & Data Protection Officer

For privacy-related inquiries, contact us at [email protected]. Controller identity and postal contact: Imprint / Impressum.

Data Protection Officer (DPO): PipSync has not appointed a statutory Data Protection Officer under Art. 37 GDPR. We are not currently carrying out processing that mandatorily requires a DPO at the scale described in Art. 37; data protection questions are handled by the management team at [email protected]. If a DPO is appointed in the future, this section will be updated with their contact details.