Privacy Policy — Raxx
Status: DRAFT — not yet published. This document is staged for publication at
getraxx.com/privacyon or before the v1 launch date (2026-05-23 UTC). Publication requires operator action (CF Access gate removal). DO NOT distribute externally until operator confirms publication.This document does NOT constitute legal advice. Attorney review is deferred to Tier B (first enterprise deal or $500K ARR) per operator decision 2026-05-11 UTC and BLR DIY privacy memo PR #1646.
Refs: BLR skeleton
docs/legal/artifacts/privacy-policy-skeleton.md, BLR DIY memo PR #1646, billing-customer-scoring-ethics-2026-05-11.md, ADR-0076, issues #1640 (this card), #1686 (DSR SOP), #1687 (retention policy).
Version: 1.0.0 Effective Date: 2026-05-XX (operator completes on publication day) Last Updated: 2026-05-11 UTC
Changelog: see docs/legal/policies/privacy-policy-v1-history.md
1. Who We Are
Raxx ("we," "us," or "our") operates the Raxx platform, a SaaS service for algorithmic trading strategy automation, accessible at app.raxx.app and getraxx.com.
Contact:
- Email: support@raxx.app
- Mailing address: [REGISTERED LEGAL ADDRESS — operator to complete before publication]
EU/EEA Representative (GDPR Article 27):
We have not yet designated an EU representative. Designation is in progress under issue #1648.
Until designation is complete, EU residents may contact us at support@raxx.app. This placeholder must be replaced with a named representative before Raxx actively markets to EU users.
2. What Personal Data We Collect and Why
We collect personal data you provide directly to us and data generated by your use of the platform.
2.1 Data Categories, Purposes, and Legal Bases
| Data category | Specific data collected | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Identity and contact | First name, last name, email address | Account creation, service delivery, communications | Contract performance (Art. 6(1)(b)) |
| Billing and payment | Billing name, billing address (street, city, state/region, postal code, country), last 4 digits of payment card, card brand, payment status, Stripe customer ID | Subscription billing, invoice generation, subscription management | Contract performance (Art. 6(1)(b)) |
| Payment event history | Count of successful payments, failed charge attempts, and chargebacks associated with your account | Internal billing management, fraud prevention, platform financial integrity — displayed to our operations team only; not shared with third parties or used for credit decisions | Legitimate interest — subscription integrity and fraud prevention (Art. 6(1)(f)) |
| Acquisition source | How you first found Raxx — for example, via a referral link, search engine, direct visit, or partner introduction (UTM-derived) | Product analytics, growth measurement, marketing effectiveness assessment | Legitimate interest — business analytics (Art. 6(1)(f)) |
| Customer segment | An operator-assigned label categorizing your account (e.g., by onboarding cohort or plan type) | Service configuration, platform access control, internal analytics | Contract performance (Art. 6(1)(b)) |
| Strategy configuration | Trading strategy rules, parameters, and backtesting configurations you enter into the platform | Service delivery — storing and executing your trading strategies | Contract performance (Art. 6(1)(b)) |
| Usage data | Pages visited, features used, timestamps, session duration, in-app actions | Product improvement, security monitoring, debugging | Legitimate interest — platform operations and security (Art. 6(1)(f)) |
| Technical and device data | IP address (used to derive approximate country; not stored as full IP after 30 days), browser type, device type, operating system | Security, fraud prevention, log analysis | Legitimate interest — security (Art. 6(1)(f)) |
| Cookies and session tokens | Session cookies, preference cookies, analytics cookies | Platform functionality, user preferences, usage analytics | Contract performance for essential cookies; consent (Art. 6(1)(a)) for non-essential analytics cookies |
What we do not collect: Social Security numbers, government-issued identification numbers, biometric data, health data, racial or ethnic origin, religious beliefs, sexual orientation, or precise real-time geolocation.
What we do not do with payment event data: We do not sell payment event history, share it with credit bureaus or any third party for credit reporting purposes, or use it as an input to any automated credit or eligibility decision. For detailed legal analysis, see docs/legal/artifacts/fcra-out-posture.md.
Payment card note: Payment card numbers are processed directly by Stripe, Inc. Raxx never receives or stores raw card numbers. Stripe's privacy policy governs Stripe's data handling:
https://stripe.com/privacy
2.2 Sources of Data
| Source | What we collect |
|---|---|
| You, directly at signup | Name, email, billing address, card details (via Stripe) |
| You, through platform use | Strategy configuration, backtesting inputs, in-app actions |
| Stripe (payment processor) | Payment status, payment event counts, card metadata |
| Your broker (via your authorization) | Trade history and account data you connect — governed by your broker agreement |
| Automatically from your device | IP address, browser/device metadata, session data, cookies |
| Referral and UTM parameters on our URLs | Acquisition source attribution |
3. Automated Decision-Making
Raxx does not use automated decision-making or profiling to determine your subscription eligibility, pricing, or access to features.
All decisions about account access or pricing are made by our team based on your account status and subscription terms. Our execution layer is deterministic and rule-based — your strategies run according to the rules you set, not algorithmic recommendations generated by us.
This means: - GDPR Article 22 (automated individual decision-making) is not engaged by our platform. - CPRA ADMT (Automated Decision-Making Technology) obligations are not triggered. - Payment event history (failed charges, chargebacks) is visible to our operations team as raw counts only. No computed score exists. No automated tier or pricing gate uses these counts.
If this architecture changes, we will update this policy and assess GDPR Art. 22 / CPRA ADMT obligations before any such feature ships.
4. How We Share Your Data
We do not sell, rent, or trade your personal information. We share data only with the following categories of recipients:
| Recipient | Data shared | Purpose | Location | Transfer safeguards |
|---|---|---|---|---|
| Stripe, Inc. | Billing name, email, billing address, payment data | Payment processing | United States | Standard Contractual Clauses (SCCs); Stripe DPA at https://stripe.com/legal/dpa |
| Heroku (Salesforce, Inc.) | All platform data stored in our databases | Cloud infrastructure and hosting | United States | Standard Contractual Clauses (SCCs); Salesforce DPA |
| Sentry.io | Error logs and stack traces (may contain user IDs) | Error monitoring and debugging | United States | Standard Contractual Clauses (SCCs); Sentry DPA at https://sentry.io/legal/dpa/ |
| Postmark (ActiveCampaign) | Email address, name | Transactional email delivery (account confirmations, billing receipts, security notifications) | United States | Standard Contractual Clauses (SCCs); Postmark DPA |
| AWS (Amazon Web Services) | Configuration and backup data | Infrastructure services | United States | Standard Contractual Clauses (SCCs); AWS DPA |
| Cloudflare, Inc. | Network traffic metadata | DNS, CDN, security (DDoS protection, access control) | United States and global CDN | Standard Contractual Clauses (SCCs); Cloudflare DPA |
| Google Workspace (Google LLC) | Operator internal communications | Internal business operations (not customer data processing) | United States | Standard Contractual Clauses (SCCs); Google Workspace DPA |
| Legal and government authorities | Data required by law | Compliance with applicable legal obligations | As required by jurisdiction | Legal obligation (Art. 6(1)(c)) |
| Business successors | All platform data, in the event of merger, acquisition, or asset sale | Corporate transaction | As applicable | Users notified in advance; data subject to this policy or equivalent |
International transfers: Your personal data may be transferred to and processed in the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism for EU/EEA personal data. You may request a copy of applicable SCCs by contacting support@raxx.app.
5. Data Retention
Data retention. We retain personal information for the duration of your account plus 7 years after account closure, in order to comply with tax and financial regulatory record-keeping requirements. After this period, your billing email, address, and personal name are anonymized; invoice and transaction records are retained as required for tax compliance. You may request earlier anonymization via the Data Subject Request process described in Section 8 of this policy.
| Data category | Retention period | Rationale |
|---|---|---|
| Customer PII (email, name, billing address) | Account active + 7 years post-close | Tax and financial regulatory record-keeping (IRS Publication 583; state equivalents); GDPR Art. 5(1)(e) storage limitation |
| Invoice and transaction records | 7 years post-transaction | Tax compliance — never deleted; anonymized from PII linkage after 7 years |
| Payment event history (failed charges, chargebacks) | Account active + 7 years post-close | Aligned with billing record retention; dispute resolution; fraud prevention |
| Strategy configuration data | Account active + 90 days post-cancellation | User export window; service delivery |
| Acquisition source and customer segment | Account active + 2 years post-close | Business analytics; proportionate to purpose |
| Usage and session data | 90 days | Security monitoring; debugging; proportionate to purpose |
| DSR request records | 7 years from request date | Compliance evidence; GDPR accountability |
| Error monitoring logs (Sentry) | 90 days (Sentry default) | Debugging; proportionate to purpose |
For more detail, see the internal data retention policy at docs/ops/policies/data-retention.md.
6. Cookies and Tracking
| Type | Purpose | Can you opt out? |
|---|---|---|
| Essential | Login sessions, security tokens, CSRF protection | No — required for platform function |
| Analytics | Usage statistics (pages viewed, session duration, feature interactions) | Yes — via consent banner |
| Preference | Saved settings (e.g., display preferences) | Yes — via consent banner |
For EU/EEA users, we obtain consent before setting non-essential cookies. You can manage your cookie preferences via the consent banner or by contacting us at support@raxx.app.
7. Data Security
We implement technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS 1.2+)
- Encryption at rest for database data
- Role-based access controls; MFA for administrative accounts
- Audit logging for data access events
- Security monitoring via Sentry
- Regular security assessments
No system is 100% secure. If you become aware of a security vulnerability in our platform, please notify us at support@raxx.app.
CCPA note (California residents): Under Cal. Civ. Code § 1798.150, California residents may bring a private right of action for actual or statutory damages ($100–$750 per consumer per incident) in the event of a data breach resulting from our failure to implement reasonable security measures.
8. Data Subject Requests
Data Subject Requests. You may request access to, correction of, or deletion of your personal information by emailing support@raxx.app. We respond to all requests within 30 days. During Raxx's initial launch period, requests are processed manually by our team; automated self-service tooling for these requests is being deployed in 2026-Q3.
For information about how we handle DSR requests operationally, see docs/ops/runbooks/manual-dsr-handling.md.
9. Your Rights
9.1 All Users
You may request at any time:
- Access: A copy of the personal data we hold about you.
- Correction: Correction of inaccurate personal data.
- Deletion: Deletion of your personal data, subject to legal retention obligations (see Section 5).
- Data portability: Your data in a machine-readable format (CSV or JSON).
Contact support@raxx.app. We respond within 30 days.
9.2 California Residents — CCPA/CPRA Rights
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, our business purposes for collecting it, and the categories of third parties with whom we share it.
Right to Delete: You may request deletion of personal information we have collected, subject to certain exceptions (including our legal retention obligations described in Section 5).
Right to Correct: You may request correction of inaccurate personal information.
Right to Opt Out of Sale or Sharing: We do not sell your personal information or share it for cross-context behavioral advertising. If this changes, we will update this policy and provide a "Do Not Sell or Share" link.
Right to Limit Sensitive Personal Information: We do not process sensitive personal information beyond what is necessary to provide our services.
Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.
How to submit a CCPA/CPRA request: Use the designated online form at:
https://raxx.app/privacy/data-request
Alternatively, email support@raxx.app with the subject line "California Privacy Request." We will respond within 45 days (extendable by an additional 45 days with advance notice). Identity verification is performed manually by our support team for v1.
Note on GLBA: If and when Raxx becomes subject to the Gramm-Leach-Bliley Act as a financial institution, certain data may be governed by GLBA's Regulation P rather than CCPA. We will update this policy accordingly.
9.3 EEA and UK Residents — GDPR Rights
If you are located in the European Economic Area (EEA) or United Kingdom, you have the following rights under the GDPR/UK GDPR:
- Right of access (Article 15) — request a copy of your personal data
- Right to rectification (Article 16) — correct inaccurate data
- Right to erasure (Article 17) — request deletion, subject to legal retention obligations
- Right to restriction of processing (Article 18) — limit how we use your data in certain circumstances
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on your consent; withdrawal does not affect the lawfulness of prior processing
- Right to lodge a complaint — with your national supervisory authority
To exercise any GDPR right, contact support@raxx.app. We respond within 30 days.
To lodge a complaint with an EU supervisory authority, visit:
https://edpb.europa.eu/about-edpb/about-edpb/members_en
10. Children's Privacy
Our services are not directed to individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe we have inadvertently collected data from a minor, please contact us at support@raxx.app and we will delete it promptly.
We similarly do not direct our services at children under the age of 16 for the purposes of the EU GDPR.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users of material changes by email and/or by a prominent notice on the platform at least 30 days before those changes take effect. The "Last Updated" date at the top of this policy indicates when it was last revised.
The version history for this policy is maintained at docs/legal/policies/privacy-policy-v1-history.md.
12. Contact Us
For privacy inquiries, data subject requests, or complaints:
Email: support@raxx.app
Mailing address: [COMPANY LEGAL NAME] [REGISTERED ADDRESS — operator to complete before publication]
EU/EEA Representative (GDPR Article 27): [To be designated — see issue #1648]
If we cannot resolve your privacy concern, EU/EEA residents have the right to lodge a complaint with their national data protection authority (see Section 9.3).
This policy covers data collection and processing by the Raxx platform. It does not cover third-party websites or services linked from our platform.
Before this policy is published, the operator must: (1) complete all [BRACKETED] fields, (2) confirm EU Art. 27 representative designation (#1648), (3) execute vendor DPAs with Stripe, Heroku, Sentry, Postmark (described in docs/legal/artifacts/ropa-template.md), (4) remove CF Access gate from getraxx.com/privacy.