Privacy Policy — Raxx

Status: DRAFT — pending attorney sign-off. This document is NOT legally operative. This document does NOT constitute legal or tax advice. Before publishing, consult a privacy attorney (US multi-state + GDPR specialist) licensed in Pennsylvania and familiar with CCPA/CPRA, GDPR Article 13, and CAN-SPAM. See the Open Questions appendix for items that must be resolved before publication. Last updated: 2026-05-14 UTC. Sources cited inline — verify freshness before publication. Legal entity: MooseQuest LLC, doing business as Raxx.


Version: 1.0 DRAFT
Effective Date: [OPERATOR COMPLETES ON PUBLICATION DAY]
Last Updated: 2026-05-14 UTC


1. Who We Are

MooseQuest LLC, doing business as Raxx ("Raxx," "we," "us," or "our"), operates the Raxx platform, a SaaS service for algorithmic trading strategy automation. Raxx is accessible at getraxx.com and app.raxx.app.

Contact us:

support@raxx.app
MooseQuest LLC dba Raxx
[REGISTERED ADDRESS — operator to complete before publication]

EU/EEA Representative (GDPR Article 27): [OPERATOR TO COMPLETE — see docs/architecture/adr/0100-eu-art-27-rep-posture.md]

If Raxx accepts EU/EEA customers (Option B per ADR-0100), replace this block with:

In accordance with Article 27 of the General Data Protection Regulation (GDPR),
MooseQuest LLC dba Raxx has designated the following representative in the European Union:

[REPRESENTATIVE LEGAL NAME]
[REPRESENTATIVE ADDRESS — street, city, country]
[REPRESENTATIVE EMAIL ADDRESS]

EU/EEA data subjects and supervisory authorities may contact our representative directly
for GDPR-related inquiries. Correspondence may also be directed to us at support@raxx.app.

If EU/EEA is geo-blocked at signup (Option A per ADR-0100), replace this block with:

Raxx is currently available to customers located in the United States only.
We do not currently offer our services to individuals located in the European Economic Area.

Do not publish this draft with this placeholder text in place.


2. What Personal Data We Collect and Why

We collect personal data you provide directly and data generated by your use of the platform.

| Data category | Specific data collected | Purpose | Legal basis (GDPR Art. 6) |
|---|---|---|---|
| Identity and contact | First name, last name, email address | Account creation, service delivery, communications | Contract performance (Art. 6(1)(b)) |
| Billing and payment | Billing name, billing address, last 4 digits of payment card, card brand, payment status | Subscription billing, invoice generation, subscription management | Contract performance (Art. 6(1)(b)) |
| Payment event history | Count of successful payments, failed charge attempts, and chargebacks | Internal billing management, fraud prevention — displayed to our operations team only; not shared with third parties; not used for credit decisions | Legitimate interest — subscription integrity and fraud prevention (Art. 6(1)(f)) |
| Broker connection metadata | Connection status indicator, connection timestamp, connection error status | Displaying your broker connection health within the platform | Contract performance (Art. 6(1)(b)) |
| Strategy configuration | Trading strategy rules, parameters, and backtesting configurations you enter | Service delivery — executing and backtesting your trading strategies | Contract performance (Art. 6(1)(b)) |
| Trading performance data | Historical performance metrics derived from your own strategy configurations and your own historical data | Service delivery — backtesting results, performance display | Contract performance (Art. 6(1)(b)) |
| Acquisition source | How you first found Raxx (e.g., referral, direct, search) — if you choose to provide it | Product analytics, growth measurement | Legitimate interest — business analytics (Art. 6(1)(f)) |
| Usage and log data | Pages visited, features used, session duration, timestamps, error events | Security, debugging, product improvement | Legitimate interest — security and service improvement (Art. 6(1)(f)); consent for analytics cookies |
| Technical and device data | IP address, browser type, device type, operating system | Security, fraud prevention, rate limiting, abuse detection | Legitimate interest — security (Art. 6(1)(f)) |
| Support interactions | Email content, support request details | Resolving your support requests | Contract performance (Art. 6(1)(b)); legitimate interest — customer service (Art. 6(1)(f)) |
| Cookies and session tokens | Session cookies, preference cookies, analytics cookies | Platform functionality, analytics | Consent (Art. 6(1)(a)) for non-essential cookies; contract performance for essential security and session cookies |
| Waitlist email | Email address submitted via the waitlist signup form | Notifying you when Raxx becomes available | Consent (Art. 6(1)(a)) / legitimate interest — pre-launch communications (Art. 6(1)(f)) |

We do not collect: Social Security numbers, government-issued identification numbers, biometric data, health data, racial or ethnic origin, religious beliefs, sexual orientation, or precise geolocation.

We do not sell your personal information to third parties.

Broker credentials: Raxx does not collect, store, or access your brokerage account credentials. Any broker connection is managed directly between you and your broker. Raxx receives only connection metadata (status indicators), not credentials or account balances.

Payment card numbers: Payment card numbers are processed directly by our payment processor. Raxx never receives or stores raw card numbers.


3. How We Share Your Data

We do not sell, rent, or trade your personal information. We share data only as described below.

3.1 Service Providers (Processors)

We engage service providers who process personal data on our behalf under written agreements. We do not name specific vendors in customer-facing copy, as our vendor relationships may change; the categories below describe the types of providers and the data they may access.

| Provider category | Data shared | Purpose | Location | Transfer safeguard |
|---|---|---|---|---|
| Payment processor | Billing name, email, billing address, payment data | Payment processing and subscription billing | United States | Standard Contractual Clauses (GDPR); provider DPA on file |
| Cloud infrastructure / hosting | All platform data stored in our databases and application servers | Hosting and infrastructure | United States | Standard Contractual Clauses (GDPR); provider DPA on file |
| Error and performance monitoring | Error logs, stack traces, may contain user identifiers | Error monitoring, debugging, platform reliability | United States | Standard Contractual Clauses (GDPR); provider DPA on file |
| Transactional email delivery | Email address, name | Delivering account and notification emails | United States | Standard Contractual Clauses (GDPR); provider DPA on file |
| Your connected broker | Trading instructions and orders you initiate through Raxx | Executing orders at your direction | Varies by broker | Your broker's privacy policy applies to data they receive |

We may disclose personal data when required to do so by law, court order, or government authority, or when we have a good-faith belief that disclosure is necessary to protect the rights, property, or safety of Raxx, our users, or the public.

3.3 Business Transfers

If Raxx is involved in a merger, acquisition, or sale of all or substantially all of our assets, personal data may be transferred to the successor entity. We will notify you by email and/or prominent notice on the platform before personal data becomes subject to a different privacy policy.

3.4 Aggregate and De-Identified Data

We may share aggregated or de-identified data — data that cannot reasonably be used to identify you — for research, analytics, or business purposes without restriction.

GDPR note — International transfers: Your personal data may be transferred to and processed in the United States. The European Commission has not issued an adequacy decision for the United States. We rely on Standard Contractual Clauses (SCCs) approved by the European Commission as our transfer mechanism for all such transfers. You may obtain a copy of the applicable SCCs by contacting us at support@raxx.app.


4. How Long We Retain Your Data

We retain personal data only as long as necessary for the purposes described in this policy, or as required by applicable law.

| Data category | Retention period | Rationale |
|---|---|---|
| Account data (name, email address) | Duration of active subscription + 90 days post-cancellation | Service delivery; account recovery window |
| Billing records (invoices, payment history) | 7 years from transaction date | Tax, accounting, and financial reporting obligations |
| Payment event history | Duration of active subscription + 12 months post-cancellation | Subscription integrity; fraud audit |
| Strategy configuration data | Duration of active subscription + 90 days post-cancellation | Service delivery; user export window |
| Trading performance data | Duration of active subscription + 90 days post-cancellation | Service delivery; user export window |
| Usage and log data | 90 days rolling | Security monitoring, debugging |
| Support interaction records | 3 years from date of last support interaction | Dispute resolution; service improvement |
| IP addresses (rate-limiting and security logs) | 90 days rolling | Security and fraud prevention |
| Waitlist email address | Until you are notified of launch and given opportunity to convert, or until you request deletion, whichever is earlier | Pre-launch communications |
| Cookies | Session cookies expire at session end; persistent cookies up to 12 months; see Section 5 | Functionality and analytics |

When retention periods expire, we delete or irreversibly anonymize the data. You may request earlier deletion of certain data as described in Section 6.

Support access to your data: Our support team accesses your account data only when you have an active, open support ticket with us. When a support ticket is closed, support-team access to your personal account data is revoked. Administrative access to your data for operational purposes generates an audit log entry; in the event of administrative access, we will notify you within a reasonable time unless prohibited by law.


5. Cookies and Tracking

We use the following types of cookies and similar tracking technologies:

| Type | Purpose | Required? |
|---|---|---|
| Essential / security | Login sessions, security tokens, CSRF protection, session management | Yes — required for platform function; cannot be disabled |
| Preference | Saved display settings and user preferences | No — can be disabled via cookie settings |
| Analytics | Usage statistics (pages viewed, session duration, feature usage) | No — requires consent; can be disabled via cookie settings |

GDPR and ePrivacy note: We request consent before setting non-essential cookies for users located in the European Economic Area, as required by the ePrivacy Directive. You may manage your cookie preferences at any time via the consent banner or by contacting us.

We do not use cookies for cross-site behavioral advertising or for selling your data.


6. Your Rights

6.1 All Users

Regardless of where you are located, you may contact us at support@raxx.app to request:

We will respond to verified requests within 30 days (extendable to 45 days for complex requests, with notice).

6.2 California Residents — CCPA/CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):

Right to Know: You may request the categories and specific pieces of personal information we have collected, the sources we collected it from, the business or commercial purpose for collecting it, and the categories of third parties with whom we share it.

Right to Delete: You may request deletion of personal information we have collected, subject to certain legal exceptions.

Right to Correct: You may request correction of inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell or share your personal information for cross-context behavioral advertising. If this changes, we will update this policy and provide a "Do Not Sell or Share" link.

Right to Limit Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those permitted under CPRA.

Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA/CPRA rights.

To submit a California privacy request, email support@raxx.app with the subject line "California Privacy Request." We will verify your identity before processing your request. We will respond within 45 days, extendable by 45 days with notice.

GLBA note: If Raxx is determined to be a financial institution subject to the Gramm-Leach-Bliley Act, certain data handling may be governed by GLBA's Regulation P in addition to or in lieu of the CCPA. We will update this policy if that determination is made.

6.3 EEA and UK Residents — GDPR / UK GDPR

If you are located in the European Economic Area or United Kingdom, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR:

A list of EU data protection authorities is available at:

https://edpb.europa.eu/about-edpb/about-edpb/members_en

To exercise your GDPR rights, contact support@raxx.app. We will respond within 30 days.


7. Data Security

We implement reasonable technical and organizational measures to protect your personal data, including:

No system is completely secure. If you discover a security vulnerability in our platform, please notify us promptly at support@raxx.app so we can address it.

Data breach notification: In the event of a data breach affecting your personal data, we will notify affected users and applicable regulators within the timeframes required by applicable law (for example, 72 hours under GDPR Article 33; without undue delay under CCPA Section 1798.150 where the private right of action applies).

CCPA breach note: Under California Civil Code Section 1798.150, California residents may bring a private right of action for actual or statutory damages ($100–$750 per consumer per incident) in the event of a data breach resulting from our failure to implement reasonable security measures.


8. Geographic Restrictions

Raxx is not available to residents of certain jurisdictions. Specifically, we do not accept users located in the Province of Quebec, Canada. Users from restricted jurisdictions are blocked at the point of account registration. If you believe you have been incorrectly blocked, contact support@raxx.app.

This restriction does not affect users located elsewhere in Canada, or users located in other jurisdictions not explicitly restricted.


9. Children's Privacy

Raxx is intended for users who are at least 18 years of age. We do not knowingly collect personal data from anyone under 18. If you are a parent or guardian and believe we have inadvertently collected personal data from a minor, please contact us at support@raxx.app and we will delete it promptly.


10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email to registered users and/or by a prominent notice on the platform at least 30 days before they take effect. The "Last Updated" date at the top reflects the most recent revision. Your continued use of the platform after the effective date of a material change constitutes your acceptance of the updated policy.


11. Contact Us

For privacy inquiries, rights requests, or complaints:

Email:   support@raxx.app
Mail:    MooseQuest LLC dba Raxx
         [REGISTERED ADDRESS — operator to complete before publication]

EU/EEA Representative (GDPR Article 27):

[EU REPRESENTATIVE NAME, ADDRESS, EMAIL — to be designated before EU marketing begins]

If you are in the EEA and we cannot resolve your concern, you have the right to lodge a complaint with the data protection authority in your EU member state.


Open Questions for Attorney Sign-Off

These questions must be resolved by the attorney engaged under issue #197 before this document is published. Attorney type: privacy attorney with US multi-state + GDPR expertise.

OQ-PP-1 (GDPR lawful basis — broker connection metadata): Broker connection metadata (status, timestamp, error state) is categorized under contract performance (Art. 6(1)(b)). Confirm this is the correct basis, or whether legitimate interest (Art. 6(1)(f)) is more defensible given the metadata is not strictly necessary to perform the core contract.

OQ-PP-2 (GDPR lawful basis — analytics and acquisition source): Analytics and acquisition-source data are currently categorized under legitimate interest (Art. 6(1)(f)). Confirm whether a Legitimate Interests Assessment (LIA) is required and whether consent (Art. 6(1)(a)) is the safer basis. EDPB Guidelines 1/2024 tighten the legitimate-interest bar for digital analytics. Source: https://www.edpb.europa.eu/system/files/2024-10/edpb_guidelines_202401_legitimateinterest_en.pdf

OQ-PP-3 (Art. 27 EU representative — timeline and service selection): Confirm that a commercial EU representative service (e.g., VeraSafe or DataRep) is sufficient for Raxx's profile, and in which member state the representative should be domiciled given Raxx's user geography is organic/unknown at launch. Source: https://gdpr-info.eu/art-27-gdpr/

OQ-PP-4 (Standard Contractual Clauses — execution status): This policy states SCCs are in place with service providers. Confirm that the 2021 EU Commission Module 2 (Controller-to-Processor) SCCs have been or will be executed with each service provider before EU users are accepted. Note: most major vendors (payment processor, hosting provider, error monitoring provider, email provider) offer standard DPAs that include the 2021 SCCs — these must be formally executed, not merely referenced. Source: https://commission.europa.eu/publications/standard-contractual-clauses-controllers-and-processors_en

OQ-PP-5 (GLBA/Reg P applicability): If the securities attorney determines that Raxx qualifies as a "financial institution" under the Gramm-Leach-Bliley Act, Regulation P (annual privacy notice requirements) applies in addition to or in lieu of certain CCPA provisions. Confirm the GLBA determination before publication and revise Section 6.2's GLBA note accordingly. Source: https://www.ecfr.gov/current/title-12/chapter-X/part-1016 (Reg P)

OQ-PP-6 (CCPA threshold re-check cadence): This policy asserts Raxx is not a covered business under CCPA/CPRA at v1. Confirm that the self-determination artifact at docs/legal/artifacts/cpra-threshold-self-determination.md is current and accurate. Determine the appropriate re-check trigger (e.g., at 10,000 California users or $1M ARR) and document it in the retention schedule.

OQ-PP-7 (Waitlist email — legal basis): Section 2.1 lists waitlist email under both consent and legitimate interest. Attorney must confirm the correct single basis for the waitlist collection context (pre-contractual vs. standalone consent) and advise whether a double opt-in flow is required to satisfy CASL for Canadian waitlist submitters.

OQ-PP-8 (Retention periods — 90-day post-cancellation window): The 90-day post-cancellation retention period for account and strategy data is drawn from internal architecture decisions. Attorney should confirm this period is (a) defensible as the minimum necessary under GDPR Art. 5(1)(e) storage limitation, and (b) consistent with any applicable state law retention obligations.

OQ-PP-9 (PA LLC — state-specific disclosure obligation): Pennsylvania does not have a comprehensive state privacy law equivalent to CCPA as of the drafting date. However, MooseQuest LLC is a Pennsylvania entity. Attorney should confirm no Pennsylvania-specific disclosure (e.g., under the UTPCPL or any sector-specific law) is required in the privacy policy for a SaaS operating in Pennsylvania. Source: https://www.legis.state.pa.us/cfdocs/legis/LI/consCheck.cfm?txtType=HTM&ttl=73

OQ-PP-10 (Cookie consent mechanism — ePrivacy Directive): Section 5 states we obtain consent before setting non-essential cookies for EEA users. Attorney should confirm whether a Termly Pro+ or equivalent consent management platform satisfies the ePrivacy Directive's opt-in consent standard as implemented in the key EU jurisdictions likely to produce Raxx users (Germany, Netherlands, Ireland, France). Source: https://gdpr-info.eu/recitals/no-32/

