Privacy Policy

Last updated: 20 May 2026

1. Data Controller

The data controller responsible for the personal data processed through SmartEA is the entity operating the Platform. Final controller details (legal name, registration number, registered address) will be published here once the operating entity is finalized. For all privacy-related inquiries in the interim, use the contact form.

2. Information We Collect

Personal Information You Provide

  • Name, email address, and password (during registration)
  • Google account profile information (if you sign in via Google OAuth)
  • Telegram account information (if you link your Telegram account)
  • MT5 broker account credentials (encrypted at rest using AES-256-GCM)
  • Trading preferences, risk level selection, and copy trading settings
  • Two-factor authentication (TOTP) secret, when 2FA is enabled
  • Newsletter subscription email address (if you subscribe)
  • Contact form and bug report submissions
  • Referral codes and referral activity (if you participate in the referral program)

Payment-Related Information

  • Card payments are processed by Stripe. SmartEA does not store full card numbers — Stripe holds them under PCI DSS compliance. We retain only a Stripe customer reference, payment status, and transaction metadata.
  • Cryptocurrency payments: we record the receiving wallet address used, transaction hash, and confirmation status. We do not have access to your personal crypto wallet.

Automatically Collected Information

  • IP address and approximate location (derived from IP)
  • Browser type, version, and user-agent string
  • Device information and operating system
  • Usage data, page-view events, and interaction patterns
  • Cookies and similar tracking technologies (see Section 7)

3. How We Use Your Information

  • To provide and maintain the copy trading service
  • To execute trades on your MT5 account as directed by the EA you selected
  • To authenticate your identity and secure your account (including 2FA)
  • To process payments and manage billing periods
  • To send transactional notifications about your account, trades, and billing
  • To send marketing communications, but only if you have explicitly subscribed (newsletter)
  • To improve the Platform, fix bugs, and develop new features
  • To comply with legal obligations and respond to lawful requests

4. Legal Basis for Processing (GDPR)

Where the General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:

  • Contract performance — for account registration, trade execution, billing, and other core service operations.
  • Consent — for newsletter subscriptions and non-essential cookies. You may withdraw consent at any time.
  • Legitimate interests — for fraud prevention, platform security, abuse detection, and basic analytics necessary to operate the service.
  • Legal obligation — for tax records, anti-money-laundering checks, and responses to lawful requests by authorities.

5. Third-Party Service Providers

We share data only with service providers necessary to operate the Platform. Each operates under its own privacy policy and data processing terms:

  • Stripe, Inc. — payment processing (card payments). Stripe Privacy Policy
  • Google LLC — OAuth sign-in (Google account) and Google Tag Manager / Google Analytics (anonymized usage analytics).
  • Telegram — Telegram account linking (optional).
  • Your MT5 broker — receives your account credentials only to execute trades on your behalf.
  • Email infrastructure — transactional and (optional) newsletter delivery.
  • Hosting and cloud infrastructure providers — for storage, compute, and content delivery.

We do not sell, rent, or trade your personal information to third parties for marketing purposes.

6. Data Security

We implement industry-standard security measures to protect your data:

  • MT5 credentials are encrypted at rest using AES-256-GCM
  • Passwords are hashed using bcrypt with salt rounds
  • All data transmission is encrypted via HTTPS/TLS
  • Short-lived JWT access tokens for session management
  • HttpOnly refresh-token cookies to mitigate token theft via XSS
  • Optional two-factor authentication (TOTP) for enhanced account protection
  • Regular security review of dependencies and infrastructure

7. Cookies and Tracking

We use the following categories of cookies and similar technologies:

  • Essential cookies — required for authentication, session management, theme preference, and core Platform functionality. These cannot be disabled.
  • Analytics cookies — set by Google Tag Manager / Google Analytics to understand aggregated usage patterns (page views, navigation paths). These are used only with your consent, which you provide via the cookie banner.

You can withdraw cookie consent at any time by clearing your browser storage or contacting us. We do not currently use advertising cookies or sell behavioral data.

8. Data Retention

We retain your personal data for as long as your account is active or as needed to provide services. Upon account deletion, your personal data will be removed within 30 days, except where retention is required by law (e.g., tax records, AML obligations). MT5 credentials are deleted upon disconnecting your trading account. Newsletter subscriptions are retained until you unsubscribe.

9. Your Rights

Depending on your jurisdiction (including under GDPR for EU residents), you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Correction: Request correction of inaccurate or incomplete data
  • Deletion: Request deletion of your personal data ("right to be forgotten")
  • Portability: Request transfer of your data in a machine-readable format
  • Restriction: Request restriction of processing in certain circumstances
  • Objection: Object to processing of your data based on legitimate interests
  • Withdraw consent: Withdraw consent for newsletter or analytics at any time
  • Lodge a complaint: File a complaint with your local data protection supervisory authority

To exercise any of these rights, use the contact form. We will respond within 30 days.

10. International Data Transfers

Some service providers we rely on (e.g., Stripe, Google) may process your data outside your country of residence, including in the United States. Where such transfers occur from the European Economic Area, we rely on Standard Contractual Clauses or equivalent safeguards approved by relevant authorities.

11. Data Breach Notification

In the event of a data breach that may pose a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you, we will also notify you directly without undue delay.

12. Children's Privacy

The Platform is not intended for individuals under the age of 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal information, please contact us so we can remove it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or through a notice on the Platform. Your continued use after changes constitutes acceptance of the updated policy.

14. Contact

For privacy-related inquiries, please use the contact form. We aim to respond to all data-protection requests within 30 days.