Privacy Policy

This Privacy Policy describes how Tradeforge s.r.o. (“Tradeforge”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you use our platform at www.tradeforge.app and our mobile applications (the “Platform”). It also explains your rights under applicable data‑protection laws, including the General Data Protection Regulation (“GDPR”), the UK GDPR and relevant US state privacy laws.

In this Privacy Policy we set out the purposes for which personal data is processed, the corresponding legal basis, our practices regarding international transfers and retention, and your rights. We have taken into account the recommendations of our legal counsel to improve transparency and compliance.

By using the Platform you agree to this Privacy Policy and our Terms of Service.

1. Who we are and how to contact us

1.1 Data Controller

The data controller responsible for your personal data is:

Tradeforge s.r.o. (ID No. 216 66 717) Registered seat: Lidická 700/19, Veveří, 602 00 Brno, Czech Republic Registered in the Commercial Register maintained by the District Court in Brno, File No.: C 139649 Represented by its statutory representative

These full corporate details are provided in accordance with Article 13 GDPR. They reflect the information contained in our Terms of Service and ensure that users can clearly identify the data controller.

1.2 Contact for privacy matters

If you have any questions or requests regarding this Privacy Policy, or wish to exercise your data‑protection rights, you can contact us at:

E‑mail: legal@tradeforge.app

Data Protection Officer (DPO): We have appointed a Data Protection Officer to handle privacy matters. You may reach the DPO at dpo@tradeforge.app.

Postal address: Tradeforge s.r.o., Lidická 700/19, Veveří, 602 00 Brno, Czech Republic

We will respond to requests without undue delay and normally within 30 days. In addition, you can withdraw consent and manage certain settings directly in the Platform’s account and privacy settings.

2. Scope of this Privacy Policy

2.1 This Privacy Policy applies to all users of the Platform, including visitors browsing our website, registered investors, traders and followers, Expert Investors and beta testers. It covers data collected directly from you, automatically when you use the Platform and from third parties we integrate with (e.g. app stores, analytics and hosting providers).

2.2 We process only the personal data necessary for the purposes described below. Categories of data collected may include:

2.2.1 Identification and account data

• Username, e‑mail address and user ID.
• Information you choose to provide in your profile or when communicating with us or with other users on the Platform.

2.2.2 Usage and technical data

Collected automatically when you use the Platform, including:

• IP address and device identifiers (e.g. Universally Unique Identifier or advertising identifiers).
• Device information (device model, operating system, browser type).
• Usage data (pages/screens visited, features used, session length, clickstream).
• App interaction information (buttons clicked, navigation events).

2.2.3 Location data

We do not collect precise GPS location. Approximate location may be derived from your IP address (country, region, city or postal code) to localise content and detect fraud.

2.2.4 Crash and performance data

To maintain stability and improve performance, we collect crash logs and diagnostic data about how the app performs on your device.

2.2.5 Device and app permissions

Depending on your device, the app may request access to certain device features. We do not access your phone calls or contacts by default. Access to the following is requested only if it is essential for a particular feature you choose to use (for example, inviting contacts or verifying phone state) and can be revoked at any time in your device settings:

• Phone / call state: read‑only access to phone state (e.g. network information). We do not access call logs or record calls.
• Contacts: access to contacts on your device if you choose to invite contacts or use a feature that requires it.

If you deny or revoke these permissions, some features may not function but your account remains active.

2.2.6 Tracking technologies

We use cookies and similar tracking technologies (collectively “Trackers”) to provide core features, remember your preferences and perform analytics and diagnostics. For more information, please refer to our Cookie Policy.

2.2.7 Data you communicate

We process any information you submit via forms, feedback, support requests or when posting content on the Platform. You are responsible for any personal data of third parties you share with us.

3. Purposes of processing and legal bases

We process personal data only when we have a valid legal basis under applicable law. For each purpose listed below, we identify the legal basis(es) relied upon.

3.1 Providing and operating the Platform

Purpose: To create and manage your account, provide core functionalities (portfolios, content, social features, subscriptions, notifications) and authenticate your sessions.

Legal basis: Performance of a contract with you (our Terms of Service) and steps taken at your request before entering into a contract (Art. 6(1)(b) GDPR). If certain processing (e.g. optional social features) is not strictly necessary, it may rely on our legitimate interests (Art. 6(1)(f) GDPR) or, where required, your consent (Art. 6(1)(a) GDPR).

3.2 Analytics and usage measurement

Purpose: To understand how users use the Platform, improve features and performance, and detect technical issues (using analytics tools such as App Center Analytics, Firebase or similar).

Legal basis: Our legitimate interests in improving and securing the Platform (Art. 6(1)(f) GDPR). Where required by law (e.g. for optional analytics cookies), we rely on your consent (Art. 6(1)(a) GDPR).

3.3 Beta testing and feature development

Purpose: To allow selected beta testers to test new features via services such as Apple TestFlight, Google Play Beta or Crashlytics, and to collect usage and crash data for improvement.

Legal basis: Our legitimate interests in developing and maintaining the Platform (Art. 6(1)(f) GDPR). Where participation is optional, we rely on your consent.

3.4 Infrastructure monitoring and security

Purpose: To ensure the secure and reliable operation of our infrastructure, detect malicious or fraudulent activity and optimise traffic distribution. We use monitoring and diagnostics tools (e.g. Crashlytics, App Center Diagnostics, Firebase Performance, Amazon CloudFront metrics). Personal data collected may include IP address, device information and usage patterns.

Legal basis: Our legitimate interests in maintaining a secure and reliable service (Art. 6(1)(f) GDPR) and compliance with legal obligations (Art. 6(1)(c) GDPR) where applicable.

3.5 Registration and authentication via third parties

Purpose: If you register or log in via Google or similar providers, we receive certain information (e.g. name, e‑mail, profile ID) from those services to identify you and create/maintain your account.

Legal basis: Performance of a contract (Art. 6(1)(b) GDPR) and, where required, your consent via the third‑party provider (Art. 6(1)(a)).

3.6 Social features and public profiles

Purpose: To enable the Platform’s social investing community, including publishing portfolios or content you choose to make public. Other users may see your public profile and information you share.

Legal basis: Performance of a contract (providing the Platform’s social features) and our legitimate interests in operating a social community (Art. 6(1)(f) GDPR).

3.7 Communications and notifications

Purpose: To send service‑related communications and in‑app or push notifications (e.g. account updates, activity on your account). You can opt out of non‑essential notifications in your device settings.

Legal basis: Performance of a contract where strictly necessary (Art. 6(1)(b) GDPR) and, for optional communications (such as marketing), your consent (Art. 6(1)(a)).

3.8 Legal compliance and protection of rights

Purpose: To comply with legal obligations (tax, accounting, regulatory), respond to requests from authorities or courts, enforce our Terms of Service and protect our rights and the rights of users.

Legal basis: Compliance with legal obligations (Art. 6(1)(c) GDPR) and our legitimate interests in protecting our rights and defending claims (Art. 6(1)(f) GDPR).

4. Sharing your personal data

We do not sell personal data for monetary consideration or share it for cross‑context behavioural advertising. We may share your data with:

• Service providers (processors): Trusted third‑party providers who support the operation of the Platform, such as cloud hosting providers (e.g. AWS and Amazon CloudFront), analytics and diagnostics providers (e.g. Google LLC, Microsoft Corporation), payment processors and app distribution platforms. We have concluded Data Processing Agreements with all processors as required by Article 28 GDPR. These agreements ensure that processors act only on our instructions and provide adequate guarantees regarding data protection.
• Third‑party authentication providers: If you choose to register or log in via Google or other identity providers, the relevant data is exchanged to enable authentication.
• Public authorities and legal obligations: We may disclose personal data where required by law, regulation or court order, or to protect our rights, your rights or the rights of third parties.
• Corporate transactions: In the event of a merger, acquisition or reorganisation, your data may be transferred as part of the business assets subject to appropriate safeguards.

5. International data transfers

Your data may be processed outside your country of residence, including outside the European Union and the United Kingdom. Many of our service providers operate globally (e.g. in the United States). When transferring personal data across borders, we comply with applicable data‑transfer rules:

• Adequacy decisions: Where the European Commission or UK authorities have determined that a third country ensures an adequate level of protection, we may transfer data under that decision.
• EU–U.S. Data Privacy Framework: For transfers to the United States, we may rely on the EU–U.S. Data Privacy Framework where the recipient is certified.
• Standard Contractual Clauses (SCCs): Where no adequacy decision applies, we use the European Commission’s standard contractual clauses to ensure that recipients commit to process personal data in accordance with EU data‑protection standards. For UK transfers, we use the UK International Data Transfer Addendum or equivalent clauses.
• Supplementary measures and Transfer Impact Assessments: We conduct Transfer Impact Assessments and implement technical and organisational measures (such as encryption, pseudonymisation and access controls) to ensure that the level of protection guaranteed by EU and UK data‑protection laws is not undermined.

If you would like more information about international transfers, please contact our DPO at dpo@tradeforge.app.

6. Data retention

We keep personal data only as long as necessary for the purposes described in this Privacy Policy or as required by law. Unless specified otherwise, data is processed and stored for as long as required by the purpose for which it was collected and may be retained longer due to applicable legal obligations or based on users’ consent. We have defined retention periods for specific categories of data. For example:

• Account data and transactional records: retained for the duration of the contractual relationship and for the applicable limitation periods (typically 3 to 10 years) for legal and accounting purposes.
• Analytics data: retained for 24 months, after which it is aggregated or anonymised.
• Marketing data: retained until you withdraw your consent or object to processing.
• Crash and diagnostic logs: retained for 12 months to improve app stability.
• Legal and accounting documents: retained for 10 years as required by tax and accounting laws.

We maintain an internal retention schedule and regularly review our storage periods. Once the applicable retention period expires, we delete, anonymise or securely archive the data.

7. Your rights

If you are located in the EU/EEA, the UK or another jurisdiction with similar data‑protection laws, you have the following rights under the GDPR (subject to conditions and exceptions):

1. Right of access: to obtain confirmation whether we process your personal data and to receive a copy of the data.

2. Right to rectification: to request correction of inaccurate or incomplete data.

3. Right to erasure: to request deletion of your data (“right to be forgotten”).

4. Right to restriction: to request restriction of processing in specific situations.

5. Right to data portability: to receive certain data in a structured, commonly used, machine‑readable format and to transmit it to another controller.

6. Right to object:

• to processing based on our legitimate interests, on grounds relating to your particular situation;
• at any time, to processing for direct marketing.

7. Right to withdraw consent: where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing. You can withdraw consent directly in the Platform’s settings or by contacting us.

8. Right to lodge a complaint: to bring a claim before your local data‑protection authority.

If you are a resident of certain US states (including California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Nevada, Delaware, Iowa, New Hampshire, New Jersey, Nebraska, Tennessee, Minnesota and Montana), you may have additional rights regarding your “personal information,” such as the right to know/access, correction, deletion, portability, opt‑out of sale or sharing, opt‑out of targeted advertising or certain profiling, and the right to non‑discrimination. We do not sell your personal information, nor share it for cross‑context behavioural advertising.

How to exercise your rights

To exercise any of these rights, please send a request to dpo@tradeforge.app or use the self‑service functions in your account settings. Please describe your request clearly and provide sufficient information to verify your identity. We will respond to your request within one month (which may be extended by two further months where necessary, taking into account the complexity and number of requests). We will inform you if we need additional time or cannot fulfil your request for legal reasons. If you are not satisfied with our response, you may lodge a complaint with your supervisory authority.

8. Security measures

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. Measures include secure infrastructure and access controls, encryption in transit and at rest, and limitation of access to authorised personnel and processors. We use monitoring and diagnostics tools to detect errors and malicious activity. No system is completely secure; we encourage you to choose strong passwords, enable two‑factor authentication and keep your login credentials confidential.

9. Logs, legal requests and misuse of the Platform

We may use system logs and other technical data (including IP addresses) for operation and maintenance of the Platform, security monitoring and investigating misuse or suspected illegal activity. Personal data may be used in legal proceedings or when responding to requests from public authorities if required by law.

10. Links and integrations with third parties

The Platform may contain links to third‑party websites or services and may integrate with third‑party applications (e.g. Apple, Google or social media services). If you access such services through our Platform, the collection and use of your data by those third parties is governed by their own privacy policies, not this Privacy Policy. We encourage you to read their privacy notices.

11. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, technologies or legal requirements. We will notify you of material changes at least 30 days before the changes take effect (for example, by posting the updated Privacy Policy on the Platform, providing in‑app notice or sending an e‑mail). If the changes materially affect your rights or our processing based on your consent, we will seek your renewed consent where required.

Please review this Privacy Policy periodically and note the “Last updated” date above. If you continue to use the Platform after the effective date of an updated policy, your continued use will constitute acceptance of the revised terms.

12. Further information and internal policies

We maintain internal policies for data retention, access control and security, and we conduct Transfer Impact Assessments for all cross‑border data transfers. We have appointed a Data Protection Officer and have concluded Data Processing Agreements with all processors. A simplified privacy notice is available for users who prefer a shorter overview of our privacy practices.

If you have any questions or concerns about this Privacy Policy or our data‑protection practices, please contact our DPO at dpo@tradeforge.app.