Raxx · internal docs

internal · gated

Article 30 Records of Processing Activities (RoPA) — Raxx

Status: draft template. This document does NOT constitute legal advice. Maintain this as a living document; update when processing activities change. Required under GDPR Article 30 for any controller processing EU personal data. Last updated: 2026-05-11 UTC.

Authority: GDPR Article 30 full text at https://gdpr-info.eu/art-30-gdpr/ ICO guidance: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/accountability-and-governance/documentation/how-do-we-document-our-processing-activities/

Mandatory fields per Art. 30(1): (a) controller identity, (b) purposes, (c) categories of data subjects and personal data, (d) recipient categories, (e) third-country transfers, (f) retention periods, (g) security measures.

Part A — Controller Identity

Field Value
Controller name [COMPANY LEGAL NAME]
Controller address [REGISTERED ADDRESS]
Controller email support@raxx.app
Controller's EU representative (Art. 27) [EU REPRESENTATIVE NAME, ADDRESS, EMAIL — to be designated]
Data Protection Officer Not appointed (not required — see analysis in diy-privacy-compliance-path-2026-05-11.md Section 3.4)
Record owner [OPERATOR NAME / TITLE]
Last review date 2026-05-11 UTC

Part B — Processing Activities

Each row below represents a distinct processing purpose.

Activity 1: User Account Management

Field Value
Activity name User Account Management
Purpose Creating and managing user accounts; authentication; account communication
Legal basis (GDPR Art. 6) Art. 6(1)(b) — performance of contract
Categories of data subjects Registered users of the Raxx platform
Categories of personal data Name, email address, hashed password, account creation date, last login date
Source of data Directly from the data subject at signup
Recipients Heroku (infrastructure/hosting); Postmark (transactional email delivery)
Third-country transfers US: Heroku (Salesforce) and Postmark — covered by SCCs
Retention period Duration of active account + [30/60/90] days post-deletion request
Security measures Encryption in transit (TLS), encryption at rest, access controls, audit logging

Activity 2: Subscription Billing and Payment Processing

Field Value
Activity name Subscription Billing
Purpose Processing subscription payments; generating invoices; tracking subscription status
Legal basis (GDPR Art. 6) Art. 6(1)(b) — performance of contract; Art. 6(1)(c) — compliance with legal obligation (tax record retention)
Categories of data subjects Paying subscribers
Categories of personal data Billing name, billing email, billing address, last 4 digits and brand of payment card, Stripe customer ID, subscription plan, payment event count (successful/failed), invoice history
Source of data From data subject at signup/payment; payment event data from Stripe webhook
Recipients Stripe, Inc. (payment processor — primary); Heroku (data storage)
Third-country transfers US: Stripe (covered by Stripe DPA with SCCs at stripe.com/legal/dpa); Heroku (SCCs)
Retention period Billing records: 7 years from transaction date (tax obligation); payment event counts: active subscription + 12 months
Security measures Stripe tokenization — Raxx never processes or stores raw card numbers; DB encryption at rest; access controls
Note on payment_event_count Raw count only; not shared with third parties; not used for credit decisions; FCRA first-party transaction exclusion applies — see fcra-out-posture.md

Activity 3: Trading Strategy Configuration and Execution

Field Value
Activity name Trading Strategy Configuration and Execution
Purpose Storing and executing user-defined algorithmic trading strategies; backtesting historical strategy performance
Legal basis (GDPR Art. 6) Art. 6(1)(b) — performance of contract
Categories of data subjects Registered users
Categories of personal data Strategy rules and parameters entered by the user; backtesting configuration; historical trade execution records
Source of data Directly from the data subject via the platform
Recipients Heroku (infrastructure/hosting); user's broker (Alpaca-default — governed by the user's own broker agreement; Raxx acts as an authorized intermediary)
Third-country transfers US: Heroku (SCCs)
Retention period Active subscription + [30/60/90] days post-cancellation
Security measures Encryption in transit and at rest; role-based access; audit logging via Sentry

Activity 4: Product Analytics and Acquisition Source Tracking

Field Value
Activity name Product Analytics
Purpose Understanding how users find and use the platform; measuring product performance; improving user experience
Legal basis (GDPR Art. 6) Art. 6(1)(f) — legitimate interest (product improvement); Art. 6(1)(a) — consent where analytics cookies are used
Categories of data subjects All platform visitors and users
Categories of personal data acquisition_source (e.g., "organic", "referral", "search"); customer_segment label; pages visited; feature interactions; session duration; IP address (anonymized after 30 days); browser/device metadata
Source of data Collected automatically from platform use; operator-assigned for customer_segment
Recipients Heroku (storage); [analytics tool if any, e.g., internal only]
Third-country transfers US: Heroku (SCCs)
Retention period Anonymized analytics: indefinite. Identifiable session data: 90 days
Security measures IP anonymization after 30 days; access controls; no third-party behavioral advertising
Legitimate interest balancing note LI assessment: operator has a legitimate interest in understanding product usage; impact on users is low (standard usage analytics, not behavioral advertising or profiling); users retain right to object under Art. 21.

Activity 5: Error Monitoring and Security Logging

Field Value
Activity name Error Monitoring and Security Logging
Purpose Detecting and debugging software errors; security incident detection and response
Legal basis (GDPR Art. 6) Art. 6(1)(f) — legitimate interest (platform security and reliability)
Categories of data subjects All platform users
Categories of personal data User ID (may appear in error logs), IP address, error stack traces (may contain user-generated content fragments), request metadata
Source of data Automatically captured from platform events
Recipients Sentry.io (error monitoring)
Third-country transfers US: Sentry (covered by Sentry DPA at sentry.io/legal/dpa/ with SCCs)
Retention period Error logs: 90 days in Sentry; internal security logs: [90 days / 1 year]
Security measures Sentry data scrubbing for PII in stack traces (configure via Sentry Data Scrubbing settings); access controls on Sentry project
Action item Confirm Sentry Data Scrubbing rules are configured to mask email/name fields in error payloads.

Activity 6: Transactional Email Communications

Field Value
Activity name Transactional Email
Purpose Sending transactional emails: account confirmation, password reset, billing receipts, system notifications
Legal basis (GDPR Art. 6) Art. 6(1)(b) — contract performance; Art. 6(1)(f) — legitimate interest (account security, billing notifications)
Categories of data subjects Registered users
Categories of personal data Email address, first name (for personalization), notification content
Source of data From data subject at signup; triggered by platform events
Recipients Postmark (ActiveCampaign)
Third-country transfers US: Postmark (SCCs — confirm DPA execution with Postmark)
Retention period Email delivery logs: 45 days (Postmark default); Raxx-side notification records: [90 days]
Security measures DKIM authentication (per project_postmark_approved.md); TLS email delivery; access controls on Postmark account

Part C — Third-Party Processors (Consolidated)

Processor Role Data processed DPA executed? SCC mechanism?
Stripe, Inc. Payment processor Billing data, payment card data (raw PAN never shared) [To execute: stripe.com/legal/dpa] Yes — Stripe DPA includes SCCs
Heroku (Salesforce, Inc.) Cloud infrastructure / hosting All platform data [To execute: salesforce.com/company/privacy/full_privacy.jsp] Yes — Salesforce DPA includes SCCs
Sentry.io Error monitoring Error logs, user IDs, stack traces [To execute: sentry.io/legal/dpa/] Yes — Sentry DPA includes SCCs
Postmark (ActiveCampaign) Transactional email Email addresses, notification content [To execute: postmarkapp.com/eu-privacy/] Confirm SCC inclusion

Action required before first EU customer: Execute DPAs with all four processors listed above. Each vendor provides a standard DPA form at the URLs listed. Time estimate: 2–4 hours total.

Part D — Version History

Date Change Changed by
2026-05-11 UTC Initial RoPA created BLR agent / operator