Privacy Policy
How we process personal data, under UK GDPR.
1. Controller
XRPAID LTD (Company No. 15410296), registered in England & Wales, registered office: 60 Tottenham Court Road, Suite 7024a, Fitzrovia, London, W1T 2EW is the data controller. Contact: director@xrpaid.net. We are not currently required to register with the ICO; this is kept under review.
2. What we collect
Account data: email address, optional name and avatar from your sign-in provider.
Trading data: the trade history you upload or sync (instruments, prices, sizes, profits and losses, timestamps), journal entries, playbooks, and mistakes you log.
MetaTrader live sync (optional, Pro): if you link an account with its investor (read-only) password, we store your broker server and login. The investor password is passed to our sync provider to maintain the read-only connection and is never stored by us.
Billing data: subscription status and Stripe customer reference. Card details are held by Stripe, never by us.
Technical data: privacy-friendly aggregate analytics (no advertising cookies) and server logs kept for security.
3. Why we process it (lawful bases)
To provide the service you contracted for (contract): storing and analysing your trading data, computing metrics, generating AI commentary.
To take payment and prevent fraud (contract, legitimate interests).
To meet legal obligations (legal obligation): accounting and tax records.
To secure and improve the service (legitimate interests): logs, aggregate usage.
4. AI processing
AI commentary is generated by sending computed statistics and trade summaries to our AI provider (Anthropic) server-side. Your data is not used to train third-party models under our agreement, and no API keys or raw credentials are shared.
5. Sharing
Processors acting under contract: hosting infrastructure, Stripe (payments), Resend (sign-in emails), Anthropic (AI analysis), and — only if you enable live MetaTrader sync (Pro) — MetaApi Cloud (a read-only broker connection that holds your investor password to maintain the link). We never sell personal data and never share trading data with advertisers or other traders.
6. International transfers
Some processors are outside the UK. Where data leaves the UK we rely on adequacy regulations or the International Data Transfer Agreement / standard contractual clauses.
7. Retention
Active account data is kept while your account exists and for up to 90 days after closure, then deleted. Security logs: 90 days. Billing records: 6 years (legal requirement).
8. Your rights
Access, rectification, erasure, restriction, portability, and objection. Export everything as JSON or delete your account directly from Settings — no email required. For anything else, or to complain, contact us; you may also complain to the ICO (ico.org.uk).