PRIVACY POLICY

This policy describes how we collect, use, and protect your personal data in compliance with the General Data Protection Regulation (GDPR) and applicable laws.

Last updated: August 12, 2025

Legal Basis and Data Collection

Legal Basis for Processing (Art. 6 GDPR)

  • Contract performance: Provision of trading services
  • Legal obligation: Financial regulatory compliance (KYC, AML)
  • Legitimate interest: Security, service improvement
  • Consent: Marketing communications (revocable at any time)

Personal Information

  • Account Information: Name, email address, phone number
  • Identity Verification: Government-issued ID, proof of address
  • Financial Information: Exchange API credentials (encrypted)
  • Communication: Support inquiries, feedback, and correspondence

Automatically Collected Data

  • Usage Data: Platform interactions, feature usage, session duration
  • Technical Data: IP address, device information, browser type
  • Trading Data: Strategy performance, risk metrics, portfolio analytics
  • Log Data: System logs, error reports, security events

How We Use Your Information

Service Provision

  • Execute algorithmic trading strategies
  • Provide performance analytics
  • Risk management and monitoring
  • Customer support and assistance

Platform Improvement

  • Enhance user experience
  • Develop new features
  • Optimize system performance
  • Conduct research and analysis

Legal Compliance

  • Regulatory reporting requirements
  • Anti-money laundering (AML)
  • Know Your Customer (KYC)
  • Tax reporting obligations

Security & Fraud Prevention

  • Account security monitoring
  • Fraud detection and prevention
  • System security maintenance
  • Compliance monitoring

Data Protection & Security

Security Measures

Encryption

All data is encrypted in transit and at rest using industry-standard AES-256 encryption

Access Control

Strict role-based access controls with multi-factor authentication for all team members

API Security

You maintain full control of API keys. We use read-only and trading-only permissions (no withdrawal rights). Keys are encrypted with AES-256, stored in HSM vaults, and never transmitted in plain text. API keys are your responsibility to secure.

Monitoring

24/7 security monitoring with automated threat detection and response systems

Fund Security

NorthStone never has access to withdraw your funds. We only use trading permissions with your exchange API keys, ensuring your assets remain secure in your own accounts.

Your GDPR Rights

Data Protection Officer (DPO)

DPO Contact: support@northstone.com | For any questions regarding personal data protection

Data Rights

  • Access (Art. 15): Copy of your personal data
  • Rectification (Art. 16): Correction of inaccurate data
  • Erasure (Art. 17): Deletion under legal conditions
  • Portability (Art. 20): Structured data export
  • Object (Art. 21): Refuse processing for legitimate reasons
  • Restrict (Art. 18): Temporary processing restriction

Communication Preferences

  • Marketing: Opt-out of promotional communications
  • Notifications: Customize alert preferences
  • Reports: Choose frequency of performance reports
  • Support: Select preferred contact methods

How to Exercise Your Rights

To exercise your rights, contact support@northstone.com or use your dashboard. We respond within 1 month (extendable to 3 months for complex requests). You have the right to lodge a complaint with CNIL or the competent authority.

Data Sharing & Third Parties

We Do Not Sell Your Data

NorthStone does not sell, rent, or trade your personal information to third parties for marketing purposes.

Limited Sharing

We may share information only in these circumstances:

  • Service Providers: Trusted partners who help us operate our platform
  • Legal Requirements: When required by law or regulatory authorities
  • Business Transfers: In the event of a merger or acquisition
  • Security: To protect our platform and users from fraud or abuse

Data Retention & International Transfers

Retention Period

We retain your personal information for as long as necessary to provide our services and comply with legal obligations. Specific retention periods include:

  • Account data: Contract duration + 7 years (financial legal obligations)
  • Trading records: 7 years (EU/US regulation per applicable jurisdiction)
  • Communications: 3 years after last interaction
  • Marketing data: Until unsubscribe or 2 years of inactivity
  • KYC/AML data: 5 years minimum post-client relationship (financial regulation)

International Transfers (Art. 44-49 GDPR)

Your data may be processed outside EU/EEA. Safeguards applied:

  • Adequacy decisions: Countries recognized by European Commission
  • Standard contractual clauses: Commission-approved clauses
  • Certifications: Recognized certification mechanisms
  • Derogations: Explicit consent or contractual necessity

Contact Information

If you have questions about this Privacy Policy or our data practices, please contact us:

Privacy Officer

Email: support@northstone.com
Subject: Privacy Inquiry

General Contact

Email: support@northstone.com
Response time: Within 24 hours

Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. We will notify you of any material changes by email or through our platform. Your continued use of our services after any changes constitutes acceptance of the updated policy.