Privacy Policy

Effective Date: 25 April 2026
Last Updated: 25 April 2026
Version: 1.0

This Privacy Policy explains how GoldStrait Technologies, LLC collects, uses, and protects your personal data. It complies with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and applicable national data protection laws.

1. Data Controller

GoldStrait Technologies, LLC ("we", "us", "Provider")
1021 E Lincolnway, 10245, Cheyenne, WY 82001, Laramie County, USA
Email (privacy): privacy@goldstrait.com
EU Service Address: (EU service address pending — will be designated)
Manager: Patrick Windolph
EIN: (EIN pending — will be added once issued by the IRS)

For all questions regarding the processing of your personal data, please contact us at privacy@goldstrait.com.

2. What Personal Data We Collect

We collect only the data needed to provide and improve the Service.

2.1 Account Data (provided by you)

Name (first and last)
Email address
Country of residence
Password (stored hashed using bcrypt; we never see it in plain text)
Optional: Telegram chat ID (for notifications)
Optional: USDT wallet address (for affiliate payouts)

2.2 Service Configuration Data

MetaTrader 5 broker login (encrypted at rest with Fernet AES-128, retained only 3 hours then auto-deleted)
MT5 server name (e.g., JMFinancial-Server)
Bot configuration (risk per trade, sessions, strategy preferences)
Subscription plan and payment status

2.3 Usage Data (collected automatically)

IP address and approximate location (city, country) at login
Browser and device information (user-agent string)
Login timestamps and session activity
Trade execution logs (when, what, P&L) — these belong to you and are stored to provide your dashboard
Pages viewed within the dashboard

2.4 Cookies

See our Cookie Policy below (Section 9). Essential cookies are always set; analytics and marketing cookies are set only with your consent.

2.5 Data We Do NOT Collect

We do not collect credit card numbers (handled by payment processors)
We do not collect MT5 account balances directly — we read live balance via MetaApi when you open the dashboard, but we do not warehouse this
We do not collect biometric or special-category data

3. How We Use Your Data — Purposes and Legal Basis

We process your data on the following legal bases under Article 6 GDPR:

Purpose	Legal Basis	Retention
Provide and operate the Service (account, dashboard, bot execution)	Contract performance (Art. 6(1)(b) GDPR)	Duration of subscription + 3 years after last activity
Process payments and prevent fraud	Contract + Legitimate Interest (Art. 6(1)(b) and (f))	10 years (tax law requirements)
Send transactional emails (login alerts, payment confirmations, security notifications)	Contract performance (Art. 6(1)(b) GDPR)	Duration of subscription
Send marketing emails (newsletters, product updates)	Consent (Art. 6(1)(a) GDPR), revocable any time	Until consent revoked
Provide customer support	Contract + Legitimate Interest	3 years after ticket closure
Adaptive login security (risk scoring, suspicious-login detection, trusted device management)	Legitimate Interest (Art. 6(1)(f)) — protecting user accounts	Login events: 12 months. Trusted devices: 30 days from last use.
Comply with legal obligations (tax records, AML/sanctions screening)	Legal obligation (Art. 6(1)(c) GDPR)	Per applicable law (typically 10 years for financial records)
Improve the Service (anonymized usage analytics)	Consent for analytics cookies / Legitimate Interest for aggregated metrics	25 months (Google Analytics default)

4. Third-Party Service Providers (Sub-processors)

We engage carefully selected service providers to deliver the Service. Each is bound by data processing agreements ensuring GDPR-equivalent protection.

Provider	Purpose	Location	Transfer Mechanism
Vultr Holdings, LLC	Cloud hosting (server infrastructure)	Frankfurt, Germany (EU)	EU Data Center
Sendinblue (Brevo) SAS	Transactional and marketing email delivery	France (EU)	EU-based
MetaApi Cloud (MetaApi LLC)	Broker API gateway for trade execution	Various (London, NY, Singapore)	EU Standard Contractual Clauses (SCCs) for non-EU regions
Telegram FZ-LLC	Optional notification delivery (only if you enable Telegram alerts)	United Arab Emirates / Distributed	SCCs / your consent
Mercury Technologies, Inc.	Business banking (no end-user PII transmitted)	USA	SCCs
Stripe, Inc. (if applicable)	Card payment processing	USA / Ireland	SCCs + Stripe DPA
Google LLC (Tag Manager / Analytics)	Anonymized usage analytics — only with consent	USA	SCCs + IP-Anonymization

4.1 Cross-Border Transfers. Some of our sub-processors are located outside the EU. We rely on European Commission-approved Standard Contractual Clauses (Decision (EU) 2021/914) and additional safeguards such as encryption in transit and at rest. You may request a copy of the SCCs for any transfer by emailing privacy@goldstrait.com.

4.2 No Sale of Data. We do not sell, rent, or trade your personal data to third parties.

5. Your Rights Under GDPR

If you are in the EU, EEA, UK, or Switzerland, you have the following rights regarding your personal data:

Article 15 — Right of Access. Request a copy of the personal data we hold about you.
Article 16 — Right to Rectification. Request correction of inaccurate or incomplete data.
Article 17 — Right to Erasure ("Right to be Forgotten"). Request deletion of your data, subject to legal retention obligations.
Article 18 — Right to Restriction of Processing. Request that we stop processing your data while a dispute is pending.
Article 20 — Right to Data Portability. Receive your data in a structured, machine-readable format.
Article 21 — Right to Object. Object to processing based on legitimate interest, including direct marketing.
Article 22 — Right Not to Be Subject to Automated Decision-Making. No fully automated decisions producing legal or similarly significant effects are made about you.
Article 7(3) — Right to Withdraw Consent. Where processing is based on consent, you may withdraw consent at any time without affecting prior lawfulness.
Article 77 — Right to Lodge a Complaint. File a complaint with the supervisory authority of your country of residence.

To exercise any right, email privacy@goldstrait.com. We respond within 30 days (extendable by 60 days for complex requests, with notification).

6. CCPA Rights (California Residents)

California residents have the additional rights under the California Consumer Privacy Act:

Right to know what personal information is collected, used, shared, or sold
Right to delete personal information held by us
Right to opt-out of the sale of personal information (not applicable — we do not sell data)
Right to non-discrimination for exercising CCPA rights

Note: The Service is not offered to U.S. Persons (see ToS Section 3.2). California residents who nevertheless interact with our website are still afforded these rights for any data we hold.

7. Data Security

We implement industry-standard technical and organizational measures to protect your data:

Encryption in transit: all communication via HTTPS/TLS 1.3
Encryption at rest: sensitive credentials encrypted with Fernet AES-128 + ephemeral storage (3-hour TTL for MT5 passwords)
Password hashing: bcrypt with appropriate work factor
Two-factor authentication: available for all accounts (TOTP)
Adaptive authentication: risk-based login analysis, email-OTP step-up for suspicious logins, trusted device management
Network protection: firewall (UFW), brute-force protection (Fail2ban), DDoS mitigation
Access controls: least-privilege model, audit logs of all administrative actions
Backups: encrypted daily database backups, retained 7 days + 4 weekly
Incident response: documented breach notification process

In the unlikely event of a personal data breach involving high risk to your rights and freedoms, we will notify you and the competent supervisory authority within 72 hours of awareness, in accordance with Articles 33-34 GDPR.

8. Data Retention

We retain personal data only as long as necessary for the purposes set out above:

Active subscriber data: for the duration of your subscription plus 3 years
Financial records (payments, invoices): 10 years (German Commercial Code, equivalent in other jurisdictions)
Login security logs: 12 months
Trusted device tokens: 30 days from last use
Marketing consent records: until consent revoked
Backups: 7 daily + 4 weekly, then deleted

9. Cookie Policy

We use cookies and similar technologies to operate the Service.

9.1 Essential Cookies (always set, no consent required)

session — your login session (Flask session cookie)
csrf_token — protection against cross-site request forgery
gsd_trust — trusted device token (30 days)
cc_choice — your cookie consent preference

9.2 Analytics Cookies (only with your consent)

Google Tag Manager / Google Analytics 4 — anonymized usage statistics, IP anonymization enabled

You may withdraw or change your cookie consent at any time using the cookie banner (re-displayed yearly) or by clearing your browser's localStorage for goldstrait.com.

10. Minors

The Service is not directed at persons under 18 years of age. We do not knowingly collect personal data from minors. If you become aware that a minor has provided us data, please contact us at privacy@goldstrait.com so we can delete it.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email and posted on this page with an updated "Last Updated" date. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

12. Contact and Complaints

For privacy questions: privacy@goldstrait.com
For general inquiries: support@goldstrait.com
Postal mail: 1021 E Lincolnway, 10245, Cheyenne, WY 82001, Laramie County, USA
EU service address: (EU service address pending — will be designated)

EU/EEA residents may lodge a complaint with their local supervisory authority. A list is available at edpb.europa.eu.