Privacy Policy

Effective Date: April 17, 2026  |  Last Updated: April 17, 2026

Signal Core s.r.o.  |  IČO: 24460354

1. Data Controller

1.1 Controller Identification

The data controller responsible for processing your personal data is:

1.2 Data Protection Contact

For all data protection inquiries, requests to exercise your rights, or complaints regarding the processing of your personal data, please contact us at: privacy@tterminal.com.

1.3 Data Protection Officer

Given the nature and scale of our processing activities, Signal Core s.r.o. is not required under Article 37 of the GDPR to appoint a Data Protection Officer (DPO). Our data processing activities do not involve: (a) regular and systematic monitoring of data subjects on a large scale; or (b) large-scale processing of special categories of personal data. Nevertheless, we maintain robust data protection practices and our privacy team is available to address all data protection matters at the contact information provided above.

2. Personal Data We Collect

2.1 Data You Provide Directly

When you create an account, subscribe to the Service, or interact with us, we may collect the following categories of personal data:

• Account Information: Full name, email address, username, password (stored in hashed form), and profile information you choose to provide.
• Billing Information: Payment method details (processed and stored by Stripe, Inc.; we do not directly store credit card numbers), billing address, transaction history, and subscription status.
• Communication Data: Content of messages you send to us via email, support tickets, or other direct communication channels.
• Community Content: Posts, comments, trade ideas, and other content you submit to public community features of the Platform.
• Partner Broker Data: If you access the Service through a Partner Broker (Dolvero, PuPrime, or others), we may receive your account identifier and verification status from the Partner Broker to validate your access eligibility.

2.2 Data Collected Automatically

When you access or use the Service, we automatically collect certain data, including:

• Device Information: Device type, operating system, browser type and version, screen resolution, and device identifiers.
• Usage Data: Pages viewed, features used, instruments and asset classes accessed, ML models consulted, time spent on pages, clickstream data, and interaction patterns.
• Log Data: IP address, access times, referring URLs, error logs, and server request logs.
• Performance Data: Page load times, response times, and technical performance metrics.
• Location Data: Approximate geographic location derived from your IP address (we do not collect precise GPS location).

2.3 Trading Preferences and Platform Configuration

We collect data about your use of the Platform's analytical features, including:

• Instruments and asset classes you follow or monitor;
• Dashboard configurations, widget layouts, and display preferences;
• Alert and notification settings;
• Chart configurations and saved analyses;
• Watchlists and portfolio tracking selections.

This data is collected to provide and improve the Service and is not shared with third parties for marketing purposes.

2.4 Data We Do Not Collect

We do not collect: (a) your actual trading account balances or positions at brokers; (b) the content of end-to-end encrypted messages (see Section 8); (c) special categories of personal data (racial or ethnic origin, political opinions, religious beliefs, health data, genetic or biometric data, sexual orientation) unless voluntarily disclosed by you in community features; (d) data from children under 18 (see Section 12).

3. Legal Basis for Processing

We process your personal data on the following legal bases under Article 6(1) of the GDPR:

3.1 Performance of Contract — Article 6(1)(b)

Processing necessary for the performance of our contract with you, including:

• Creating and managing your account;
• Providing access to the Service and its features;
• Processing subscription payments;
• Delivering market data, analytics, and ML model outputs;
• Providing customer support;
• Validating Partner Broker eligibility.

3.2 Legitimate Interest — Article 6(1)(f)

Processing necessary for our legitimate interests or those of a third party, where such interests are not overridden by your rights and freedoms, including:

• Improving the Service, developing new features, and conducting analytics on Platform usage;
• Detecting, preventing, and investigating fraud, security incidents, and abuse;
• Ensuring the security and integrity of the Service;
• Enforcing our Terms of Service;
• Conducting aggregate, anonymized research and analysis;
• Communicating service updates, security alerts, and administrative messages.

3.3 Consent — Article 6(1)(a)

Processing based on your explicit consent, where applicable, including:

• Sending marketing communications and newsletters;
• Setting non-essential cookies and similar tracking technologies;
• Processing data for purposes beyond those specified at the time of collection.

Where processing is based on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

3.4 Legal Obligation — Article 6(1)(c)

Processing necessary to comply with a legal obligation to which we are subject, including:

• Tax and accounting obligations;
• Responding to lawful requests from courts, regulators, or law enforcement authorities;
• Compliance with applicable data retention requirements.

4. Purposes of Processing

We process your personal data for the following purposes:

1. Service Provision: To operate, maintain, and provide the features and functionality of the Service.
2. Account Management: To create, maintain, and secure your account.
3. Payment Processing: To process subscription payments, manage billing, and handle refund requests.
4. Service Improvement: To understand how Users interact with the Service, identify areas for improvement, and develop new features.
5. Personalization: To customize your experience, including remembering your preferences, dashboard configurations, and frequently accessed instruments.
6. Security: To protect the Service and its Users from unauthorized access, fraud, and abuse.
7. Communication: To send you service-related notifications, security alerts, updates, and respond to your inquiries.
8. Legal Compliance: To comply with applicable legal obligations, resolve disputes, and enforce our agreements.
9. Analytics: To conduct aggregate, anonymized analysis of Platform usage patterns to improve our ML models and analytical tools.

5. Data Retention

5.1 Retention Periods

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods are as follows:

Data Category	Retention Period	Basis
Account information	Duration of account plus 3 years after deletion	Contractual; legal obligation (tax records)
Billing and transaction data	10 years from transaction date	Czech Accounting Act (Act No. 563/1991 Coll.)
Usage data and analytics	24 months from collection, then anonymized	Legitimate interest
Server logs	12 months	Security; legitimate interest
Community content	Duration of account plus 1 year, or until deleted by User	Contractual
Encrypted messages	See Section 8 (end-to-end encrypted; content inaccessible to us)	N/A — content not accessible
Trading preferences	Duration of account	Contractual
Cookie data	As specified in Section 9 (Cookie Policy)	Consent or legitimate interest
Support communications	3 years from resolution	Legitimate interest; legal obligation

5.2 Anonymization

Where possible, we anonymize personal data when the original purpose for collection has been fulfilled and no legal retention requirement applies. Anonymized data, which cannot be used to identify you, may be retained and used indefinitely for research, analytics, and service improvement.

6. Data Sharing and Disclosure

6.1 Service Providers

We share personal data with the following categories of third-party service providers who process data on our behalf:

• Stripe, Inc. (Payment Processing) — Billing information is shared with Stripe for payment processing. Stripe's privacy policy governs their processing: stripe.com/privacy.
• DigitalOcean, LLC (Infrastructure and Hosting) — Account data, usage data, and Platform content are stored on DigitalOcean infrastructure. DigitalOcean's Data Processing Agreement and privacy policy apply.
• Email Service Providers — Email address and name for transactional and, with consent, marketing communications.

6.2 Data Providers

We share limited technical data (API request metadata, usage statistics) with our data providers (Polygon.io, Bybit, Twelve Data, Tiingo) as required by their terms of service. We do not share your personal account information with data providers.

6.3 Partner Brokers

If you access the Service through a Partner Broker program, we may share limited data with the Partner Broker to verify your eligibility, including account status confirmation. We do not share your usage data, trading preferences, or Platform activity with Partner Brokers unless required for program administration and with appropriate safeguards.

6.4 Legal and Regulatory Disclosure

We may disclose your personal data if required to do so by law, or in the good faith belief that such disclosure is necessary to: (a) comply with a legal obligation, court order, or lawful request from public authorities; (b) protect and defend the rights or property of Signal Core s.r.o.; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of Users or the public; (e) protect against legal liability.

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred to the acquiring entity. We will notify you via email or prominent notice on the Platform before your personal data is transferred and becomes subject to a different privacy policy.

6.6 No Sale of Personal Data

We do not sell, rent, or trade your personal data to third parties for their marketing purposes.

7. International Data Transfers

7.1 Transfer Mechanisms

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our infrastructure provider DigitalOcean operates data centers. When we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

• EU-U.S. Data Privacy Framework: Transfers to service providers certified under the EU-U.S. Data Privacy Framework;
• Standard Contractual Clauses (SCCs): EU Commission-approved standard contractual clauses (Commission Implementing Decision (EU) 2021/914) with supplementary measures where required;
• Adequacy Decisions: Transfers to countries recognized by the European Commission as providing an adequate level of data protection.

7.2 Transfer Impact Assessment

Prior to international data transfers, we conduct transfer impact assessments to evaluate the level of data protection in the recipient country and implement supplementary technical and organizational measures where necessary, including encryption of data in transit and at rest.

7.3 Copy of Safeguards

You may request a copy of the safeguards we have put in place for international data transfers by contacting us at privacy@tterminal.com.

8. End-to-End Encryption and Message Privacy

8.1 Signal Protocol Encryption

The Service provides end-to-end encrypted messaging using the Signal Protocol. This means that the content of messages exchanged between Users through the Platform's encrypted messaging feature is encrypted on your device before transmission and can only be decrypted by the intended recipient. The Company does not possess the encryption keys necessary to decrypt message content.

8.2 What We Cannot Access

Due to end-to-end encryption, we cannot: (a) read the content of your encrypted messages; (b) provide the content of encrypted messages to law enforcement, courts, or any third party; (c) recover lost encrypted messages; (d) moderate or review the content of encrypted messages.

8.3 Metadata

While message content is encrypted, we may process limited metadata necessary for message delivery, including sender and recipient identifiers, timestamps, and message delivery status. This metadata is retained for the minimum period necessary for service operation and security.

8.4 User Responsibility

You are solely responsible for the content of your encrypted messages. We cannot intervene in disputes regarding encrypted message content, as we have no ability to access it.

9. Cookies and Similar Technologies

9.1 Types of Cookies

We use the following categories of cookies and similar technologies:

• Strictly Necessary Cookies: Essential for the operation of the Service, including authentication, session management, and security. These cookies cannot be disabled. Legal basis: legitimate interest.
• Functional Cookies: Enable enhanced functionality and personalization, including remembering your preferences, dashboard layout, and display settings. Legal basis: legitimate interest or consent.
• Analytics Cookies: Collect information about how you use the Service, including pages visited, features used, and error encounters. This data is aggregated and anonymized. Legal basis: consent.
• Performance Cookies: Monitor the performance and availability of the Service to ensure a reliable experience. Legal basis: legitimate interest.

9.2 Cookie Management

You can manage your cookie preferences through: (a) the cookie consent banner displayed when you first access the Service; (b) your browser settings to block or delete cookies; (c) your account settings on the Platform. Please note that disabling certain cookies may impair the functionality of the Service.

9.3 Cookie Duration

Session cookies are deleted when you close your browser. Persistent cookies remain on your device for the period specified in the cookie, typically ranging from 30 days to 12 months, unless you delete them sooner.

10. Your Rights Under the GDPR

10.1 Summary of Rights

Under the GDPR and applicable Czech data protection law, you have the following rights regarding your personal data:

1. Right of Access (Article 15): You have the right to request confirmation of whether we process your personal data and, if so, to obtain access to that data and information about how it is processed.
2. Right to Rectification (Article 16): You have the right to request correction of inaccurate personal data and completion of incomplete personal data.
3. Right to Erasure (Article 17): You have the right to request deletion of your personal data in certain circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent, or when the data has been unlawfully processed.
4. Right to Restriction of Processing (Article 18): You have the right to request restriction of processing in certain circumstances, including when you contest the accuracy of your data or when processing is unlawful but you oppose erasure.
5. Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where processing is based on consent or contract and is carried out by automated means.
6. Right to Object (Article 21): You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to direct marketing at any time.
7. Right to Withdraw Consent (Article 7(3)): Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.
8. Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. See Section 11 for details on our automated processing.

10.2 Exercising Your Rights

To exercise any of the above rights, please submit a request to privacy@tterminal.com. We will respond to your request within one (1) month of receipt, in accordance with Article 12(3) of the GDPR. This period may be extended by two (2) further months where necessary, taking into account the complexity and number of requests. We will inform you of any such extension within one month of receipt, together with the reasons for the delay.

10.3 Identity Verification

To protect your rights and ensure the security of your personal data, we may need to verify your identity before processing your request. We may ask you to provide additional information necessary for identity verification.

10.4 No Fee

Exercising your data protection rights is free of charge. However, if requests are manifestly unfounded or excessive, in particular because of their repetitive character, we may charge a reasonable fee based on administrative costs or refuse to act on the request, in accordance with Article 12(5) of the GDPR.

10.5 Right to Lodge a Complaint

If you believe that our processing of your personal data violates the GDPR or applicable Czech data protection law, you have the right to lodge a complaint with the supervisory authority:

You may also lodge a complaint with the supervisory authority in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

11. Automated Decision-Making and Profiling

11.1 ML Model Processing

The Service operates 42 proprietary machine learning models that process market data, news, and other public information to generate analytical scores, risk assessments, sentiment analyses, and other outputs. These models process market data and do not make decisions about you as an individual. Specifically:

• ML model outputs are analytical tools applied to market data, not individual user profiles;
• No automated decisions are made about your access to the Service, your account status, or your subscription based solely on automated processing;
• ML model outputs (scores, signals, analyses) are provided as informational content for your independent consideration and do not constitute automated decision-making within the meaning of Article 22 of the GDPR;
• The Platform does not execute trades, manage funds, or take any financial action on your behalf based on automated processing.

11.2 Usage Analytics

We may use automated systems to analyze aggregate usage patterns for the purpose of improving the Service. Such analysis does not produce legal effects concerning individual Users and is conducted on aggregated or anonymized data wherever possible.

12. Children's Privacy

The Service is not intended for individuals under the age of eighteen (18). We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18 without appropriate parental consent, we will take steps to delete such data promptly. If you believe a child under 18 has provided us with personal data, please contact us at privacy@tterminal.com.

13. Data Security

13.1 Technical Measures

We implement appropriate technical measures to protect your personal data, including:

• TLS/SSL encryption for all data in transit;
• Encryption at rest for stored personal data;
• End-to-end encryption using the Signal Protocol for private messages;
• AES-128 encryption for educational video content;
• Hashed and salted password storage;
• Regular security assessments and vulnerability scanning;
• Intrusion detection and prevention systems;
• DDoS protection and rate limiting;
• Database access controls and audit logging.

13.2 Organizational Measures

We implement appropriate organizational measures, including:

• Access controls based on the principle of least privilege;
• Regular security training for personnel with access to personal data;
• Confidentiality obligations for all personnel;
• Incident response procedures;
• Regular review and testing of security measures.

13.3 No Absolute Guarantee

While we implement industry-standard security measures, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee the absolute security of your personal data.

14. Data Breach Notification

14.1 Supervisory Authority Notification

In the event of a personal data breach, we will notify the ÚOOÚ (or other competent supervisory authority) without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, in accordance with Article 33 of the GDPR.

14.2 Data Subject Notification

If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will notify affected individuals without undue delay, in accordance with Article 34 of the GDPR. The notification will describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and the contact point for further information.

14.3 Breach Documentation

We maintain records of all personal data breaches, including the facts, effects, and remedial actions taken, regardless of whether the breach is reportable to the supervisory authority.

15. Video Content Protection

Educational video courses provided through the Service are encrypted using AES-128 encryption technology. This encryption is implemented to protect the intellectual property of content creators and the Company. The encryption system processes technical access tokens linked to your account; it does not collect or process additional personal data beyond what is described elsewhere in this Privacy Policy.

16. Third-Party Links and Services

The Service may contain links to third-party websites, services, or resources. This Privacy Policy does not apply to third-party services, and we are not responsible for the privacy practices of such third parties. We encourage you to review the privacy policies of any third-party services you access through the Platform, including but not limited to Stripe (payments), Partner Brokers, and data provider platforms.

17. Updates to This Privacy Policy

17.1 Modifications

We may update this Privacy Policy from time to time to reflect changes in our processing activities, legal requirements, or business operations. Material changes will be communicated through: (a) a prominent notice on the Platform; (b) email notification to the address associated with your account; or (c) other appropriate means.

17.2 Review

We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acknowledgment of the modified Privacy Policy.

17.3 Version History

Prior versions of this Privacy Policy are available upon request by contacting privacy@tterminal.com.

18. Contact Information

For all privacy-related inquiries, data subject access requests, or complaints, please contact: