Privacy Policy
Last updated: 5 April 2026 · Questions: legal@phoinix.nl
Phoinix Payment Solutions ("we", "us", or "our"), registered in the Netherlands, operates Kairos. This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have under the General Data Protection Regulation (GDPR) and other applicable privacy laws.
We act as the data controller for personal data processed through the Service.
1. Data We Collect
Account data
When you register, we collect:
- Email address
- Password (stored as a one-way bcrypt hash — we cannot recover your password)
- Account creation timestamp
- Investor type (business or individual, for tax calculation purposes)
Brokerage credentials
When you connect your Alpaca brokerage account, we receive your Alpaca API key and secret. These are encrypted at rest using AES-256 (Fernet) encryption immediately on receipt. The encryption key is stored separately from the database. We decrypt credentials only at the moment of sending a trade execution request, and never log, display, or transmit them in plain text. You may also optionally store a personal Anthropic API key and a Discord webhook URL, both handled the same way.
Trading activity data
To operate the Service, we record:
- Your watchlist symbols and bot configuration settings
- Each AI trading cycle: the market data analysed, Claude's reasoning and decision, and the orders submitted
- Trade outcomes: entry/exit prices, P&L, hold times, and the market conditions at entry (RSI, SPY regime, VIX level)
- Daily and hourly account equity snapshots
- AI model usage: token counts per API call, model name, and timestamp (for cost tracking)
Billing data
Payment processing is handled entirely by Stripe. We receive and store your Stripe customer ID and subscription status. We do not store your card number, bank details, or any payment instrument data — these are held exclusively by Stripe.
Security data
- Email verification status and one-time verification tokens
- TOTP two-factor authentication secret (encrypted), if you enable 2FA
- Timestamp of your withdrawal waiver acknowledgment (Article 16m Consumer Rights Directive)
Technical data
- Session cookies (required to keep you logged in)
- IP address (used for rate limiting and fraud prevention, not stored long-term)
- Server-side logs (errors and warnings, retained for up to 30 days)
What we do not collect
- We do not collect your real name, phone number, or postal address
- We do not use tracking pixels, third-party analytics, or advertising cookies
- We do not read or store the contents of your Alpaca portfolio beyond what is needed for the current trading cycle
2. Legal Basis for Processing
| Processing activity | Legal basis (GDPR Art. 6) |
|---|---|
| Account registration and authentication | Contract performance (Art. 6(1)(b)) |
| Executing trades on your behalf | Contract performance (Art. 6(1)(b)) |
| Storing encrypted brokerage credentials | Contract performance (Art. 6(1)(b)) |
| Billing and subscription management | Contract performance (Art. 6(1)(b)) |
| Recording trade history and P&L | Contract performance + legal obligation (Art. 6(1)(b) and (c)) — Dutch bookkeeping law requires 7-year retention of financial records |
| Security logging, rate limiting, fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Retaining withdrawal waiver record | Legal obligation (Art. 6(1)(c)) — consumer contract law |
| Sending transactional emails | Contract performance (Art. 6(1)(b)) |
3. How We Use Your Data
- To provide the Service — executing AI trading cycles, submitting orders to Alpaca, recording outcomes
- To improve the AI model's performance — trade outcomes feed back into Claude's context so the bot adapts to what has worked for your account. This data stays within your account and is not shared with other users or Anthropic.
- To send transactional communications — email verification, password reset, billing receipts, and (if configured) trade alerts. We do not send marketing emails without your explicit opt-in.
- To calculate and export tax data — if you enable the Google Sheets integration, trade data is pushed to a spreadsheet in your own Google account. We do not retain a separate copy for this purpose.
- To comply with legal obligations — retaining financial records and contractual records for the periods required by Dutch law.
- To protect the Service — detecting abuse, rate limiting, and preventing unauthorised access.
We do not sell your data, rent it, or use it for advertising. We do not use your trade data to train any AI model operated by us or any third party.
4. Data Retention
| Data category | Retention period | Reason |
|---|---|---|
| Account data (email, settings) | Duration of account, deleted within 30 days of account closure | Contract performance |
| Brokerage credentials (encrypted) | Deleted immediately on account closure or manual removal | Minimisation — no purpose after account ends |
| Trade history and P&L records | 7 years | Dutch bookkeeping law (Wet bewaarplicht) |
| Daily equity snapshots | 7 years | Dutch bookkeeping law |
| Withdrawal waiver timestamp | 5 years after contract end | Dutch statute of limitations (art. 3:310 BW) |
| Billing records (Stripe customer ID, plan) | 7 years | Dutch bookkeeping law |
| Server logs | 30 days | Security monitoring |
| Session data | Session duration (or 30 days if 'remember me' is used) | Authentication |
5. Third-Party Data Processors
We share your data only with the following processors, and only to the extent necessary to deliver the Service. All processors are contractually bound to process your data only on our instructions.
| Processor | Location | What we share | Purpose |
|---|---|---|---|
| Hetzner Online | Germany (EU) | All application data | Web hosting and database server |
| Stripe | United States | Email address, subscription events | Payment processing and billing |
| Anthropic | United States | Market data for your watchlist symbols (OHLCV, indicators, news headlines). No personal identifiers are included in API calls. | AI trading analysis (Claude API) |
| Alpaca Markets | United States | Your encrypted credentials (decrypted only during execution); trade orders | Brokerage order execution |
| NewsAPI | United States | Watchlist symbol names | News headlines for trading context |
| Google (optional) | United States | Trade history and P&L data, pushed to your own Google Sheet | Tax reporting — only if you enable the Sheets integration |
| Discord (optional) | United States | Trade notifications (symbol, action, outcome) | Alerts — only if you configure a Discord webhook |
| SMTP provider (configurable) | Varies | Email address | Transactional email delivery |
6. International Data Transfers
Several of our processors (Stripe, Anthropic, Alpaca, NewsAPI, Google) are based in the United States, which is outside the European Economic Area (EEA). We rely on the following mechanisms to ensure an adequate level of protection for transfers to these processors:
- Standard Contractual Clauses (SCCs) — we use processors who have implemented the European Commission's standard contractual clauses for international transfers
- EU-U.S. Data Privacy Framework — where the processor is certified under the DPF (currently Stripe, Google)
For Anthropic specifically: market data sent to the Claude API does not include your email address, name, or any other personal identifier. The data is limited to financial market information about the symbols on your watchlist.
7. Cookies and Tracking
We use only the following cookies:
- Session cookie (`session`) — required for authentication. Stores a signed, encrypted session token. Expires when your browser session ends, or after 30 days if you use "remember me". HttpOnly and Secure flags are set.
- CSRF token — a one-time token included in forms to prevent cross-site request forgery. Not a tracking cookie.
We do not use advertising cookies, third-party analytics (Google Analytics, Mixpanel, etc.), social media pixels, or any cross-site tracking technology.
8. Data Security
We implement the following technical and organisational measures:
- All connections are encrypted in transit using TLS (HTTPS enforced via Caddy reverse proxy)
- Brokerage API credentials are encrypted at rest using AES-256 (Fernet) with a key stored separately from the database
- Passwords are hashed using bcrypt (one-way, not recoverable)
- TOTP secrets are encrypted at rest
- Session cookies are HttpOnly, Secure, and SameSite=Lax
- Rate limiting is applied to authentication endpoints to prevent brute-force attacks
- Security headers (HSTS, X-Frame-Options, CSP, X-Content-Type-Options) are applied to all responses
- Optional two-factor authentication (TOTP) is available and recommended
No security measure is perfect. In the event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) within 72 hours as required by GDPR Article 33.
9. Your Rights
Under the GDPR, you have the following rights. To exercise any of them, email legal@phoinix.nl. We will respond within 30 days.
Right of Access (Art. 15)
Request a copy of all personal data we hold about you.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete data.
Right to Erasure (Art. 17)
Request deletion of your data. Note: financial records (7 years) and contractual records (5 years) must be retained by law and cannot be erased early.
Right to Restriction (Art. 18)
Request that we restrict processing while a dispute is resolved.
Right to Portability (Art. 20)
Request your trade history and account data in a structured, machine-readable format (JSON or CSV).
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will stop unless we have compelling grounds that override your interests.
Right to lodge a complaint
If you believe we have violated your privacy rights, you have the right to lodge a complaint with the Dutch supervisory authority:
Autoriteit Persoonsgegevens (AP)
Website: autoriteitpersoonsgegevens.nl
Phone: +31 (0)70 888 85 00
We would appreciate the opportunity to address your concerns before you contact the AP — please email us first at legal@phoinix.nl.
10. Children
The Service is not directed at children under 18. We do not knowingly collect personal data from anyone under 18. If we become aware that we have inadvertently collected such data, we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
12. Contact
For any privacy-related questions, requests, or concerns:
Phoinix Payment Solutions
Email: legal@phoinix.nl
Website: phoinix.nl