Privacy Policy
This Privacy Policy describes how CERTIRON (operated by Joeri De Bonnaire, France, European Union) collects, uses and protects personal data when you use our website certiron.io and the CERTIRON trading-signal filtering service (the "Service").
We are committed to protecting your privacy under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and applicable French law. If you have any questions, write to privacy@certiron.io.
1. Who we are (Data Controller)
CERTIRON — Sole proprietorship operated by Joeri De Bonnaire, France, European Union.
Contact: privacy@certiron.io
2. What data we collect
Account data
- Email address (required to sign in)
- Display name (optional, for emails)
- Magic-link and session tokens (automatically generated)
Payment data
Payment is processed by Stripe, Inc. We receive only a Stripe customer ID and subscription ID — we never see your card number. See Stripe's privacy policy at stripe.com/privacy.
Trading data
- Trade signals you route through the Service (symbol, direction, entry, TPs, SL)
- Bot activity and trade lifecycle (open trades, closes, P&L)
- Your exchange API credentials, encrypted at rest
- Configuration (selected channels, risk parameters, paper/live mode)
We never withdraw funds from your exchange account. You are the only party with withdrawal privileges.
Technical data
- Server logs (IP address, user agent, request timestamp) — retained 30 days for security and debugging
- A single functional session cookie to keep you signed in (see Cookie Policy)
3. Why we process your data (legal basis)
- Contract (Art. 6(1)(b) GDPR): to deliver the Service you subscribed to
- Legal obligation (Art. 6(1)(c) GDPR): accounting, tax records, VAT
- Legitimate interest (Art. 6(1)(f) GDPR): service security, fraud prevention
We do not process your data for advertising, profiling or training third-party AI models.
4. Who we share data with (processors)
We work with the following sub-processors:
- Stripe, Inc. — payment processing (USA; SCC)
- Resend — transactional email delivery (USA/EU; SCC)
- Railway.app — application hosting & PostgreSQL database (USA/EU)
- Cloudflare — static website delivery & DDoS protection (global CDN)
- Anthropic — AI signal analysis (your trade signals are sent for scoring; never stored by Anthropic for training)
We do not sell, rent, or trade your personal data.
5. International transfers
Some processors are based outside the European Economic Area. Where this happens, transfers are governed by the European Commission's Standard Contractual Clauses (SCCs).
6. How long we keep data
- Account + trading data: while your account is active, plus 3 years after cancellation (for support and dispute resolution)
- Invoices & payment records: 10 years (French accounting law)
- Server logs: 30 days
- Magic-link tokens: 15 minutes (single-use)
7. Your GDPR rights
You have the right to:
- Access your personal data and receive a copy
- Rectify incorrect or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Data portability — receive your data in machine-readable form
- Withdraw consent at any time (for consent-based processing)
To exercise any of these rights, email privacy@certiron.io. We respond within 30 days.
You also have the right to lodge a complaint with the French data protection authority — the CNIL.
8. Security
Exchange API keys and session tokens are encrypted at rest. All connections use TLS (HTTPS). Access to production systems is restricted and logged. You are responsible for keeping your own password/email account secure.
9. Children
The Service is not directed at anyone under 18. We do not knowingly collect data from minors.
10. Changes to this policy
We may update this policy. If the changes are material, we will notify you by email at least 14 days before they take effect.
Contact us
Data Controller
Joeri De Bonnaire · France · EU
privacy@certiron.io