Privacy Policy Skeleton — Raxx

Status: draft skeleton. This document does NOT constitute legal advice. Before publishing, run it through the Termly Pro+ generator and have the output reviewed by a privacy attorney licensed in California and familiar with GDPR.

Last updated: 2026-05-11 UTC.

INSTRUCTIONS FOR USE:

1. Use this skeleton to configure a Termly Pro+ policy OR as a standalone draft.
2. Every [BRACKETED] item requires operator input before publishing.
3. Every "GDPR NOTE" is EU-specific — required if you have EU users.
4. Do not publish without: (a) running through Termly Pro+ or similar generator, (b) executing vendor DPAs with Stripe/Heroku/Sentry/Postmark, (c) designating an EU Art. 27 representative.


Privacy Policy

Effective Date: [DATE]

Last Updated: [DATE]


1. Who We Are

[COMPANY LEGAL NAME] ("Raxx", "we", "us", or "our") operates the Raxx platform, a SaaS service for algorithmic trading strategy automation, accessible at [DOMAIN].

Contact:

- Email: support@raxx.app
- Mailing address: [REGISTERED ADDRESS]

GDPR NOTE — EU Representative (Art. 27): For individuals located in the European Economic Area (EEA), our EU representative is:

[EU REPRESENTATIVE NAME — e.g., VeraSafe or DataRep]
[EU REPRESENTATIVE ADDRESS AND EMAIL]


2. What Personal Data We Collect and Why

We collect personal data you provide to us and data generated by your use of the platform.

2.1 Data Categories and Purposes

| Data category | Specific data collected | Purpose | Legal basis (GDPR) |
|---|---|---|---|
| Identity / contact | First name, last name, email address | Account creation, service delivery, communications | Contract performance (Art. 6(1)(b)) |
| Billing / payment | Billing name, billing address, last 4 digits of payment card, card brand, payment status | Subscription billing, invoice generation, subscription management | Contract performance (Art. 6(1)(b)) |
| Payment event metadata | Count of successful/failed payment events | Internal subscription management; operator console display | Legitimate interest — subscription integrity (Art. 6(1)(f)) |
| Acquisition source | How you first found Raxx (e.g., referral, search, direct) | Product analytics, growth measurement | Legitimate interest — business analytics (Art. 6(1)(f)); consent for analytics cookies |
| Customer segment | Operator-assigned category label (e.g., plan tier) | Service configuration, access control | Contract performance (Art. 6(1)(b)) |
| Strategy configuration | Trading strategy rules, parameters, backtesting configurations you enter | Service delivery — executing your trading strategies | Contract performance (Art. 6(1)(b)) |
| Usage data | Pages visited, features used, timestamps, session duration | Product improvement, security, debugging | Legitimate interest (Art. 6(1)(f)); consent for analytics cookies |
| Technical / device data | IP address, browser type, device type, operating system | Security, fraud prevention, logging | Legitimate interest — security (Art. 6(1)(f)) |
| Cookies and tracking | Session cookies, preference cookies, analytics cookies | Platform functionality, analytics | Consent (Art. 6(1)(a)) for non-essential cookies; contract performance for essential cookies |

We do not collect: Social Security numbers, government IDs, biometric data, health data, racial or ethnic origin, religious beliefs, sexual orientation, or precise geolocation.

We do not sell your personal information to third parties. (See California Rights section for formal CCPA "Do Not Sell" disclosure.)

Payment note: Payment card numbers are processed directly by Stripe, Inc. Raxx never receives or stores raw card numbers. Stripe's privacy policy governs Stripe's data handling: https://stripe.com/privacy


3. How We Share Your Data

We do not sell, rent, or trade your personal information. We share data only as follows:

| Recipient | Data shared | Purpose | Location | Safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Billing name, email, billing address, payment data | Payment processing | United States | Standard Contractual Clauses (GDPR); Stripe DPA at stripe.com/legal/dpa |
| Heroku (Salesforce, Inc.) | All platform data stored in our databases | Cloud infrastructure / hosting | United States | Standard Contractual Clauses (GDPR); Salesforce DPA |
| Sentry.io | Error logs, stack traces (may contain user IDs) | Error monitoring, debugging | United States | Standard Contractual Clauses (GDPR); Sentry DPA at sentry.io/legal/dpa/ |
| Postmark (ActiveCampaign) | Email address, name | Transactional email delivery | United States | Standard Contractual Clauses (GDPR); Postmark DPA |
| Legal and government authorities | As required | Compliance with legal obligations | As applicable | Legal obligation (Art. 6(1)(c)) |
| Business transfers | All data in the event of merger or acquisition | Corporate transaction | As applicable | Notify users before transfer; data subject to this policy |

GDPR NOTE — International data transfers: Your personal data may be transferred to and processed in the United States, which the European Commission has not recognized as providing an adequate level of data protection. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. You may obtain a copy of the applicable SCCs by contacting us at support@raxx.app.


4. How Long We Retain Your Data

| Data category | Retention period | Rationale |
|---|---|---|
| Account data (name, email) | Active subscription + [30/60/90] days post-cancellation | Service delivery; account recovery window |
| Billing records | 7 years from transaction date | Tax and accounting legal obligation |
| Payment event metadata | Active subscription + 12 months post-cancellation | Subscription integrity; audit |
| Strategy configuration data | Active subscription + [30/60/90] days post-cancellation | Service delivery; user export window |
| Usage and log data | 90 days | Security, debugging |
| Cookies | Session cookies expire at session end; persistent cookies up to [12 months] | See cookie policy |

We delete or anonymize personal data when retention periods expire, or sooner upon verified erasure request.


5. Cookies and Tracking

We use the following types of cookies:

| Type | Purpose | Can you opt out? |
|---|---|---|
| Essential | Login sessions, security tokens, CSRF protection | No — required for platform function |
| Analytics | Usage statistics (e.g., pages viewed, session duration) | Yes — via consent banner |
| Preference | Saved settings (e.g., theme, display preferences) | Yes — via consent banner |

GDPR NOTE: We obtain consent before setting non-essential cookies for users in the EEA. You can manage your cookie preferences via the consent banner or by contacting us.


6. Your Rights

6.1 For All Users

You may request at any time:

- Access: A copy of the personal data we hold about you.
- Correction: Correction of inaccurate personal data.
- Deletion: Deletion of your personal data, subject to legal retention obligations.
- Data portability: Your data in a machine-readable format.

To exercise any of these rights, contact support@raxx.app. We will respond within [30/45] days.

6.2 California Residents — CCPA/CPRA Rights

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request disclosure of:

- The categories of personal information we have collected about you
- The specific pieces of personal information we have collected about you
- The categories of sources from which we collected your personal information
- The business purpose for collecting your personal information
- The categories of third parties with whom we share your personal information

Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale/Sharing: We do not sell or share your personal information for cross-context behavioral advertising. [If this changes, we will update this policy and provide a "Do Not Sell or Share" link.]

Right to Limit Sensitive Personal Information: We do not process sensitive personal information beyond what is necessary to provide our services.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

How to submit a CCPA request: Email support@raxx.app with subject line "California Privacy Request." We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice).

Note on financial data and GLBA: If and when Raxx becomes subject to the Gramm-Leach-Bliley Act (GLBA) as a financial institution, certain data may be governed by GLBA's Regulation P rather than the CCPA. We will update this policy accordingly.

6.3 EEA/UK Residents — GDPR Rights

If you are located in the European Economic Area or United Kingdom, you have the following rights under the GDPR / UK GDPR:

To lodge a complaint with a supervisory authority, contact the DPA in your EU member state. A list of EU DPAs is available at: https://edpb.europa.eu/about-edpb/about-edpb/members_en


7. Data Security

We implement technical and organizational measures to protect your personal data, including:

- Encryption in transit (TLS 1.2+)
- Encryption at rest for database data
- Access controls: role-based access, MFA for administrative accounts
- Audit logging for data access
- Regular security monitoring via [Sentry]

No system is 100% secure. If you become aware of a security vulnerability in our platform, please notify us immediately at [security contact email].

CCPA note: Under Cal. Civ. Code § 1798.150, California residents may bring a private right of action for actual or statutory damages ($100–$750 per consumer per incident) in the event of a data breach resulting from our failure to implement reasonable security measures.


8. Children's Privacy

Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at support@raxx.app and we will delete it promptly.


9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users and/or by a prominent notice on our platform at least [30] days before they take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.


10. Contact Us

For privacy inquiries, rights requests, or complaints:

Email: support@raxx.app

Mailing: [COMPANY NAME], [ADDRESS]

EU Representative (GDPR Art. 27): [EU REPRESENTATIVE NAME, ADDRESS, EMAIL]

GDPR Note: If you are in the EEA and we cannot resolve your concern, you have the right to lodge a complaint with your national data protection authority.


Before publishing this policy, ensure: (1) all bracketed fields are completed, (2) vendor DPAs are executed, (3) EU Art. 27 representative is designated and named above, (4) Termly Pro+ or equivalent generator review is complete.