1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service and Privacy Policy (collectively, the "Agreement") between Algo Trade Analytics ("Processor", "we", "us", "our") and the entity or person agreeing to these terms ("Controller", "you", "your", "Customer").

This DPA reflects the parties' agreement with respect to the processing of personal data in accordance with the requirements of applicable data protection legislation, including the European Union General Data Protection Regulation ("GDPR").

By using our services, you acknowledge that you have read and understand this DPA and agree to be bound by its terms and conditions.

2. Definitions

• Controller
  The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
• Processor
  The natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.
• Personal Data
  Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier.
• Processing
  Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means.
• Data Subject
  An identified or identifiable natural person to whom the Personal Data relates.

3. Data Processing

3.1 Processing Activities

We will process Personal Data only in accordance with your documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, we shall inform you of that legal requirement unless the law prohibits such information.

The Processor shall process Personal Data for the purposes of providing the services as described in the Agreement, which may include:

• User account management
• Trading data synchronization and analysis
• Processing of account data from connected trading platforms
• Generation of analytics and reports
• AI feature processing, including prompt handling and usage metering
• Providing customer support
• Billing, payment processing, and credit issuance

3.2 Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing, or until all Personal Data is deleted or returned to the Controller in accordance with this DPA.

3.3 Types of Personal Data

The Processor shall process the following types of Personal Data in connection with the Agreement:

• Identity data (name, username, email address)
• Contact information (email address, phone number)
• Account credentials (hashed passwords, API keys)
• Financial data (payment information, trading history)
• AI feature data (prompts, code snippets, and AI-generated outputs)
• Technical data (IP address, device information, logs)
• Usage data (activity logs, feature usage statistics, token counts, credit usage records)

3.4 Categories of Data Subjects

The Personal Data processed concerns the following categories of Data Subjects:

• Users of the Service
• Employees or representatives of the Controller
• End users authorized by the Controller to use the Service

4. GDPR Compliance

We are committed to complying with the GDPR and ensuring that your Personal Data is processed in accordance with its provisions. As part of our GDPR compliance, we:

4.1 Data Protection Contact

As a small startup that does not meet the criteria requiring a formal Data Protection Officer under GDPR, we designate a Data Protection Contact for privacy matters. You can reach us at privacy@algo-trade-analytics.com.

4.2 Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) when required for high-risk processing activities. We will assist you in conducting DPIAs related to your use of our services when necessary.

4.3 Records of Processing Activities

We maintain records of all processing activities as required by the GDPR. These records include the purposes of processing, categories of personal data, recipients of data, transfers to third countries, and applicable security measures.

4.4 Data Subject Rights

We will assist you in fulfilling your obligation to respond to requests from Data Subjects exercising their rights under the GDPR, including the right to access, rectify, erase, restrict, port, and object to the processing of their Personal Data.

5. Data Retention Policies

We have implemented appropriate data retention policies to ensure that Personal Data is kept only for as long as necessary for the purposes for which it was collected.

5.1 Retention Periods

Different types of Personal Data may be kept for different periods of time, depending on the purpose for which it was collected:

• Account Information: For the duration of your account plus 30 days after account closure
• Trading Data: For the duration of your subscription plus 90 days, unless you opt to extend retention
• Payment Information: For as long as required by applicable financial and tax regulations
• Communication Records: For 2 years after the last communication
• Technical Logs: For 90 days

5.2 Data Deletion

When Personal Data reaches the end of its retention period, we will securely delete or anonymize it, unless:

• We are required to retain it to comply with a legal obligation
• Retention is necessary for the establishment, exercise, or defense of legal claims
• You have requested an extended retention period for specific data

5.3 Data Return

Upon termination of the Agreement or upon your request, we will, at your choice, delete or return all Personal Data to you and delete existing copies, unless retention is required by applicable law.

You may request a copy of your data at any time through your account settings or by contacting our support team.

6. International Data Transfers

We may transfer Personal Data to countries outside the European Economic Area (EEA) or the country where you are located. When we do so, we ensure appropriate safeguards are in place to protect your Personal Data.

6.1 Safeguards for International Transfers

We implement one or more of the following safeguards when transferring Personal Data internationally:

• Standard Contractual Clauses (SCCs): We use the European Commission's approved Standard Contractual Clauses in agreements with third parties receiving data outside the EEA
• Adequacy Decisions: We may transfer data to countries that have been deemed to provide an adequate level of protection by the European Commission
• Privacy Shield: For transfers to the United States, we may rely on the EU-U.S. and Swiss-U.S. Privacy Shield Framework for certified organizations
• Binding Corporate Rules: For intra-group transfers, we may use approved binding corporate rules

6.2 Locations of Processing

Our primary data processing activities take place in the following locations:

• United States (primary data center location)
• European Union (backup data centers)
• United Kingdom (business operations)

A complete and updated list of our sub-processors and their locations can be provided upon request.

6.3 Data Transfer Impact Assessments

Following the Schrems II decision, we conduct Transfer Impact Assessments (TIAs) for all international data transfers to ensure that Personal Data receives an equivalent level of protection in the destination country.

7. Sub-processors

We may engage third-party service providers ("Sub-processors") to process Personal Data on your behalf. We maintain a list of all Sub-processors and will inform you of any intended changes concerning the addition or replacement of Sub-processors.

Sub-processors may include AI model providers used to deliver AI-powered features.

All Sub-processors are contractually required to:

• Process Personal Data only in accordance with your documented instructions
• Implement appropriate technical and organizational security measures
• Assist with data subject rights requests
• Delete or return all Personal Data upon termination of services
• Submit to audits and inspections

8. Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of Personal Data in transit and at rest
• Regular testing and evaluation of security measures
• Measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems
• Processes for regular testing, assessing, and evaluating the effectiveness of security measures
• Measures to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident
• Access controls and authentication requirements
• Staff training on data protection and security

9. Data Breach Notification

In the event of a Personal Data breach affecting your data, we will notify you without undue delay after becoming aware of the breach. The notification will:

• Describe the nature of the breach
• Provide the contact details of our Data Protection Contact
• Describe the likely consequences of the breach
• Describe the measures taken or proposed to address the breach

We will assist you in fulfilling your obligation to notify the relevant supervisory authority and affected Data Subjects, as required by the GDPR.

10. Audit Rights

We will make available to you all information necessary to demonstrate compliance with the obligations laid down in this DPA and will allow for and contribute to audits, including inspections, conducted by you or another auditor mandated by you, subject to reasonable notice and confidentiality obligations.

11. Changes to This Agreement

We may update this DPA from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes to this DPA. The updated DPA will be effective when posted, unless otherwise stated.