Privacy Policy

What we collect, why we collect it, how long we keep it, who we share it with, and how to make us stop.

Last updated · May 5, 2026

Plain-English summary
We collect the data we need to run a trading platform — your account details, usage logs, the strategies you build, the broker connections you make, and basic device telemetry. We do not sell personal data, we do not sell strategy code, and we do not share data with brokers beyond what you explicitly authorise. You can export or delete your account at any time from Settings → Account.

1. Who we are

“Ticpoz”, “we”, “us” means TICPOZ Ltd, a software company registered in the United Kingdom providing the TICPOZ trading-automation platform (the “Service”). For the purposes of the EU GDPR and the UK GDPR we are the data controller for the personal data described in this policy. For the California Consumer Privacy Act (CCPA / CPRA) we are the “business” that determines the purpose and means of processing.

Registered entity
TICPOZ Ltd · United Kingdom · Company number TBD (registration in progress).
Registered office
Address to be published on /legal once registration completes.
Privacy contact
[email protected] — for data-subject requests, complaints, or DPA enquiries.
General support

EU GDPR representative (Article 27)

We are in the process of appointing an EU representative (likely VeraSafe or Prighter) to act on our behalf under Article 27 of the EU GDPR. Until appointment completes, EU data subjects may contact us directly at [email protected]. Once appointed, the representative's name and contact details will be published here and at /legal.

UK GDPR representative

TICPOZ Ltd is established in the United Kingdom, so a UK GDPR representative is not required. UK data subjects may contact us directly at [email protected].

Supervisory authorities

If you have a complaint we have not resolved, you have the right to lodge a complaint with your local supervisory authority. UK residents: the Information Commissioner's Office (ICO, ico.org.uk); EU residents: your country's national data-protection authority (full list at edpb.europa.eu). ICO registration is in progress; the registration number will appear here once issued.

2. What this policy covers

This policy applies to the public marketing site (ticpoz.com), the web application (app.ticpoz.com), our APIs, and any official extensions or integrations. It does not cover websites linked from ours (e.g. broker login pages, ForexFactory) — those have their own privacy policies and you should read them.

3. What we collect

We collect five categories of data.

3.1 Account data

You provide this when you create an account or update your profile.

Identity
Display name, email address, optional avatar, optional country/timezone.
Authentication
Password hashed with a modern, memory-hard hashing function plus per-user salt and a server-side secret. Never stored or transmitted in plaintext. Signed, expiring session tokens. Optional 2FA secrets.
Billing
Subscription plan, billing cycle, last 4 digits of card. We do not store full PAN — payment processing is handled by Stripe.

3.2 Usage data

Strategy artefacts
The plain-English prompts you send to Quant-AI, the StrategySpec JSON the AI emits, your edits, your backtest runs and their results.
Application telemetry
Pages visited, features used, error reports, performance metrics. Sampled and aggregated for product improvement.
Audit log
Sign-in events, password changes, API key creations, broker connections, order placements (timestamp + outcome only).

3.3 Trading-connection data

Broker connections
Broker name, connection state, account ID (as supplied by your broker), trade history pulled from your broker. We never see your broker password — we use OAuth or broker-issued API tokens.
Order metadata
Symbol, side, size, price, timestamp, fill status, P&L. We do not see your bank or wire details — those stay at your broker.

3.4 Device and network data

Device
Browser, operating system, screen size, language preference, timezone.
Network
IP address (truncated for analytics; full IP retained briefly for fraud and abuse detection).

3.5 Cookies and similar technologies

See Section 11 for the full cookie list and how to control it.

4. Why we collect it

  • To run the Service. Authenticating you, executing your orders, running your backtests, syncing your broker positions.
  • To bill you. Subscription management, invoicing, tax compliance.
  • To keep the Service safe. Detecting brute-force attacks, fraudulent sign-ups, abuse of compute, suspicious trading-API patterns.
  • To improve the product. Aggregated analytics about feature use, latency, error rates. Strategy artefacts you create are never used to train public models without explicit opt-in.
  • To communicate with you. Service emails (security alerts, billing receipts), and — only if you opt in — product news.
  • To meet legal obligations. Tax records, AML / fraud-prevention queries, lawful requests from regulators.

5. Legal bases (GDPR Article 6)

  • Contract — to provide the Service you signed up for. Without this data we cannot run your account.
  • Legitimate interests — security, fraud prevention, analytics that don't override your rights.
  • Legal obligation — tax records, regulator requests, court orders.
  • Consent — only for marketing emails, optional analytics cookies, and any data uses listed as “opt-in” in this policy. You can withdraw consent at any time.

6. Who we share it with

We do not sell personal data. We share it only with the following categories of recipients, and only as needed:

Sub-processors
Hosting (Hetzner Cloud, Helsinki + Hillsboro), edge CDN and DDoS protection (Cloudflare, global), email delivery (Postmark, US), payment processing (Stripe, US/EU), AI inference (DeepSeek, with PII scrubbing on prompts), error reporting (Sentry, with PII scrubbing). The full, current sub-processor list with regions, purposes and contact information is published at /sub-processors.
Brokers
When you place an order, we pass it to the broker you connected. We do not push personal data beyond what the broker API requires (typically your broker account ID and the order parameters).
Authorities
If we receive a valid court order, regulator request, or are required to disclose by law. We narrow the disclosure to what is strictly required and notify you unless legally prohibited.
Buyers in a corporate transaction
If TICPOZ is acquired, merged or part of a bankruptcy, your data may transfer to the successor entity, who will be bound by this policy or a more protective one.

7. International transfers

TICPOZ is a multi-region service. Personal data may be processed in the EU, UK and US. Where we transfer EU/UK data outside the EEA / UK, we rely on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum, plus supplementary safeguards where appropriate (encryption in transit and at rest, role-based access, audit logging).

8. Retention

  • Account data — kept while your account is active and for 12 months after closure (so a re-activation doesn't lose your strategies). Hard-deleted after that, except items we're legally required to retain.
  • Strategy artefacts and backtests — kept while the parent account exists. You can delete individual strategies at any time from the Strategies page.
  • Audit log — 24 months for security and compliance investigations.
  • Billing records — 7 years (statutory accounting retention).
  • Marketing consent — until you withdraw it, plus a small record (date + IP truncation) to demonstrate consent.

9. Security

  • Passwords are protected with a modern, memory-hard password-hashing function with a per-user salt and a server-side secret. Never stored or logged in plaintext.
  • Broker connection tokens (OAuth refresh/access credentials, MT5 API credentials) are encrypted at rest with a strong symmetric cipher. Decryption only happens inside the order-routing path.
  • Each user receives a dedicated, routable IPv4 address bound exclusively to their broker traffic, so outbound connections do not collide with other users on shared infrastructure. See /security for the full security posture.
  • All public traffic is TLS 1.3 (1.2 minimum). HSTS is enabled.
  • Production storage is on a private volume with locked permissions; admin access requires an IP allowlist and a separately authenticated admin login.
  • Two-factor authentication is available on every account and recommended for accounts with broker connections.
  • Security reports / responsible disclosure: [email protected] (full vulnerability-disclosure policy at /security).

10. Your rights

Depending on where you live, you have some or all of the following rights.

10.1 GDPR / UK GDPR

  • Access — get a copy of the data we hold on you.
  • Rectification — correct inaccurate data.
  • Erasure — “right to be forgotten”, subject to legal retention obligations.
  • Restriction and objection — pause processing, or object to processing based on legitimate interests.
  • Portability — receive your data in a structured, machine-readable format (JSON).
  • Withdraw consent — for any processing based on consent.
  • Lodge a complaint — with your local supervisory authority (in the UK, the ICO).

10.2 CCPA / CPRA (California residents)

  • Right to know what we collect, why, and who we share it with (this policy).
  • Right to delete personal information, subject to legal exceptions.
  • Right to correct inaccurate personal information.
  • Right to opt out of “sale” or “sharing” for cross-context behavioral advertising — we do not do either, but you can confirm via [email protected].
  • Right to non-discrimination for exercising any of the above.

To exercise any of these rights, email [email protected] or use Settings → Account → Export / Delete in the app. We respond within 30 days.

11. Cookies

We use a small number of cookies. None of them are sold to advertisers.

Strictly necessary
Session cookies for authentication, CSRF tokens, region routing. Cannot be disabled — the Service does not work without them.
Functional
Theme preference, last-used workspace, default symbol. Persisted for 12 months.
Analytics (opt-in)
First-party event analytics on the marketing site (no third-party trackers). You can disable via the cookie banner.

We do not use third-party advertising cookies. We do not use cross-context tracking pixels. We honour Global Privacy Control (GPC) signals as a request to opt out of analytics where applicable.

12. Children

The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If you believe a minor has signed up, contact us and we will delete the account.

13. Changes to this policy

We may update this policy. Material changes are announced in the app and by email at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the latest revision.

14. Contact

Privacy enquiries: [email protected]
Security disclosures: [email protected]
General support: [email protected]

Trading risk reminder
TICPOZ is a software platform. We do not provide investment advice and we are not a broker. Past backtest performance is not a guarantee of future results. See the Terms of Service for the full risk disclosure.