Privacy Policy

Last updated: April 2026

1. Introduction

Synnectra A/S ("we", "us", "our", or the "Company"), a company registered in Denmark, is committed to protecting and respecting your privacy and the personal data you entrust to us. This Privacy Policy describes how we collect, use, store, disclose, and otherwise process your personal data when you use the Synnectra platform and all associated services (collectively, the "Service").

We are the data controller for the personal data we process in connection with the Service. This means we are responsible for deciding how and why your personal data is processed.

Data Controller: Synnectra A/S, Egernvej 1, 4760 Vordingborg, Denmark. CVR: Pending registration.

Contact for privacy matters: [email protected]

Data Protection Officer (DPO): You may reach our Data Protection Officer at [email protected] for any questions, requests, or complaints relating to the processing of your personal data.

Supervisory Authority: In Denmark, the competent supervisory authority is the Danish Data Protection Agency (Datatilsynet), Borgergade 28, 5., 1300 København K, Denmark. You have the right to lodge a complaint with Datatilsynet at any time if you consider that the processing of your personal data infringes applicable data protection law.

This Privacy Policy is issued in accordance with the following legislation and regulatory frameworks:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council — the General Data Protection Regulation ("GDPR").
  • The Danish Data Protection Act (Databeskyttelsesloven, Act No. 289 of 25 April 2024) — the national implementing legislation supplementing the GDPR in Denmark.
  • The Danish Cookie Order (Cookiebekendtgørelsen) — implementing the ePrivacy Directive (Directive 2002/58/EC, as amended by Directive 2009/136/EC) in Denmark.
  • The ePrivacy Directive (Directive 2002/58/EC) — governing the use of cookies and electronic communications data.

By accessing or using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with any part of this policy, you must discontinue use of the Service.

2. Data We Collect

We collect and process the following categories of personal data in connection with your use of the Service. The specific data items collected depend on how you interact with the platform:

Data Category | Specific Data Points
Identity Data | Your full name (first and last name) as provided during account registration.
Contact Data | Your email address, which serves as your primary account identifier and the destination for all service-related communications.
Authentication Data | Hashed password (bcrypt, cost factor 12 — the plaintext password is never stored), TOTP (Time-Based One-Time Password) secret for two-factor authentication (if enabled), and JSON Web Token (JWT) session tokens used to maintain authenticated sessions.
Account Data | Your unique License ID, account settings and preferences, timezone configuration, subscription plan details, and account creation date.
Trading Data | Trading signals received from TradingView (including instrument, direction, and parameters), trade execution records, profit and loss (PnL) data, account balances, open and closed positions, symbol mapping configurations, and position sizing settings.
Financial Data | Your current subscription plan, billing history, and Stripe payment records (including payment status, dates, and amounts). We do not collect or store payment card information — this is handled entirely by Stripe.
Platform Credentials | Encrypted broker passwords for connected MetaTrader accounts, OAuth tokens for Tradovate and cTrader integrations, and API connection credentials. All credentials are encrypted at rest using AES-256-GCM before storage.
Technical Data | IP addresses (collected on each request), User-Agent strings (browser and operating system identification), request timestamps, and server-side access logs generated automatically when you interact with the Service.
Referral Data | Referral codes and referral links associated with your account, tracking cookies used for referral attribution, referral statistics (clicks, sign-ups, conversions), and commission earned through the affiliate program.
Admin Data | Administrator login attempts (successful and failed), administrative actions and configuration changes, audit trail entries, and privileged access logs.
News Data | Your news event exclusion preferences, including which economic calendar events or categories you have chosen to filter or exclude from trade execution.

3. Special Categories of Data and Children

3.1 Special Category Data

We do not collect, process, or store any special categories of personal data as defined by Article 9 of the GDPR. This includes, but is not limited to: racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation.

If you voluntarily submit any such data to us through any communication channel, we will delete it promptly upon becoming aware of it, unless we are required by law to retain it.

3.2 Children's Privacy

The Service is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children or minors under the age of 18. If we become aware that we have inadvertently collected personal data from a person under the age of 18, we will take immediate steps to delete such data from our systems. If you are a parent or guardian and become aware that a child under 18 has provided personal data to us, please contact us at [email protected] and we will take appropriate action.

4. What We Do NOT Collect

We believe in data minimisation and transparency. The following is an explicit statement of data we do not collect or process:

  • Payment card data: We never collect, process, or store credit card numbers, CVV codes, or bank account details. All payment processing is handled by Stripe, Inc., which is PCI DSS compliant. We only receive a tokenized reference and confirmation of successful payment.
  • Plaintext passwords: Passwords are hashed using bcrypt with a cost factor of 12 before storage. At no point do we store, log, or have access to your plaintext password.
  • Tracking pixels or third-party trackers: We do not embed tracking pixels, social media tracking scripts, advertising pixels, or any third-party analytics trackers (such as Google Analytics, Facebook Pixel, or similar tools) on our platform.
  • Automated decision-making with legal effects: We do not engage in automated decision-making that produces legal effects concerning you or similarly significantly affects you, as described in Article 22 of the GDPR. Signal automation constitutes the performance of our contract with you and does not constitute automated decision-making within the meaning of Article 22.

5. Lawful Basis for Processing

Under Article 6 of the GDPR, we must have a lawful basis for processing your personal data. The table below sets out the lawful basis we rely on for each processing activity:

Processing Activity | Lawful Basis | GDPR Article
Account registration and management (name, email, password) | Contract performance | Article 6(1)(b)
Signal processing and trade execution | Contract performance | Article 6(1)(b)
Processing trading data (signals, executions, PnL, positions) | Contract performance | Article 6(1)(b)
Storing and using platform credentials (broker passwords, OAuth tokens) | Contract performance | Article 6(1)(b)
Billing and subscription management (via Stripe) | Contract performance | Article 6(1)(b)
Security logging and intrusion detection | Legitimate interest | Article 6(1)(f)
Rate limiting and abuse prevention | Legitimate interest | Article 6(1)(f)
Admin audit logging and privileged access monitoring | Legitimate interest | Article 6(1)(f)
Referral and affiliate program operation | Legitimate interest | Article 6(1)(f)
News data and exclusion preferences processing | Legitimate interest | Article 6(1)(f)
Non-essential cookies (analytics, preferences) | Consent | Article 6(1)(a)
Data deletion upon request | Legal obligation | Article 6(1)(c)
Data breach notification to authorities and affected individuals | Legal obligation | Article 6(1)(c)

Where we rely on contract performance (Article 6(1)(b)), the processing is necessary for the performance of the contract between you and Synnectra, namely the provision of the Service as described in our Terms of Service.

Where we rely on legitimate interest (Article 6(1)(f)), we have conducted a balancing test to ensure that our interests do not override your rights and freedoms. Our legitimate interests include: maintaining the security and integrity of the Service, preventing fraud and abuse, operating and improving the platform, and administering the referral program.

Where we rely on consent (Article 6(1)(a)), you may withdraw your consent at any time by contacting us at [email protected] or by adjusting your cookie preferences. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

Where we rely on legal obligation (Article 6(1)(c)), the processing is necessary for compliance with a legal obligation to which we are subject, such as obligations under the GDPR and the Danish Data Protection Act.

6. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Service delivery: To provide, operate, maintain, and improve the core functionality of the Service, including the TradingView-to-MetaTrader signal bridge, multi-account execution, symbol mapping, position sizing, and news protection features.
  • Account management: To create and manage your account, process registration, authenticate your identity, manage your License ID, store your account settings and preferences, and handle account deletion requests.
  • Security: To protect the Service and our users from unauthorised access, fraud, abuse, and other security threats. This includes IP-based rate limiting, account lockout mechanisms, security logging, CSRF protection, and admin audit logging.
  • Billing and payments: To process subscription payments, manage billing cycles, handle payment failures, issue refunds, and maintain financial records as required by applicable law.
  • Analytics and improvement: To analyse aggregate usage patterns, monitor Service performance, identify and resolve technical issues, and improve the quality and reliability of the platform. All analytics are based on aggregated, anonymised data and do not involve profiling of individual users.
  • Notifications: To send you service-related notifications, including trade execution confirmations, error alerts, account status changes, security alerts, and important administrative notices regarding changes to the Service or this Privacy Policy.
  • Referral program: To operate the affiliate and referral program, including tracking referral link usage, calculating commissions, and managing referral statistics.
  • Legal compliance: To comply with applicable laws, regulations, court orders, and lawful requests from public authorities, including data protection legislation, financial regulations, and tax obligations.

7. Automated Processing

The Service includes automated signal processing and trade execution functionality. When a trading signal is received from TradingView, our system automatically processes and routes it to your connected MetaTrader account(s) for execution without manual intervention. This automated processing constitutes the performance of the contract between you and Synnectra as described in our Terms of Service.

This automated processing does not constitute automated decision-making within the meaning of Article 22 of the GDPR, as it does not produce legal effects concerning you or similarly significantly affect you. The trading decisions and strategies that generate signals are made by you (or by TradingView scripts and indicators you have configured). Synnectra acts solely as a technical conduit for the relay and execution of your trading instructions.

We do not use automated profiling, artificial intelligence, or machine learning algorithms to make decisions about you that have legal or similarly significant effects.

8. Data Sharing and Recipients

We may share your personal data with the following categories of recipients. We do not sell, rent, trade, or otherwise monetise your personal data by providing it to third parties for their own marketing or commercial purposes.

Recipient | Purpose | Data Shared | Safeguards
Stripe, Inc. | Payment processing and subscription billing | Name, email address | Data Processing Agreement (DPA) in place. Stripe is PCI DSS Level 1 certified.
ForexFactory | Retrieving economic news calendar data | No personal data is sent | Only public calendar data is retrieved via API. No user data is transmitted.
Tradovate / cTrader | OAuth-based broker account integration | OAuth tokens, account IDs | Minimum data principle applied. Only tokens necessary for authentication are exchanged.

8.1 No Sale of Data

We do not sell, rent, lease, trade, or otherwise provide your personal data to any third party for their own commercial or marketing purposes. Your data is processed solely for the purposes described in this Privacy Policy.

8.2 Disclosure for Legal Requirements

We may disclose your personal data to law enforcement agencies, regulatory authorities, courts, or other governmental bodies if such disclosure is required by law, regulation, court order, or legal process, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent or investigate possible wrongdoing in connection with the Service; (d) protect the personal safety of our users or the public; or (e) respond to a valid legal request from a competent authority.

9. Sub-Processors

We engage the following sub-processors to process personal data on our behalf. Each sub-processor is bound by a written data processing agreement that provides adequate safeguards for the protection of your personal data in compliance with Article 28 of the GDPR:

Sub-Processor | Purpose | Location
Stripe, Inc. | Payment processing, subscription billing, and payment card handling | United States / EU
Cloud hosting provider | Server infrastructure, data storage, application hosting, and network delivery | EU / EEA

We will notify you of any changes to our sub-processor arrangements by updating this Privacy Policy. If you object to a new sub-processor, you may contact us at [email protected] to discuss your concerns.

10. International Data Transfers

Your personal data is primarily processed and stored within the European Union / European Economic Area (EU/EEA). However, certain processing activities may involve the transfer of personal data to countries outside the EU/EEA. The following transfers may occur:

10.1 Stripe (United States)

When you make a payment, your name and email address are transmitted to Stripe, Inc., which processes payment data in the United States. Stripe participates in the EU-U.S. Data Privacy Framework (DPF), which has been recognised by the European Commission as providing an adequate level of data protection. Additionally, Stripe has implemented Standard Contractual Clauses (SCCs) as adopted by the European Commission, and maintains a comprehensive data processing agreement with Synnectra.

10.2 Google Fonts (Removed)

We have previously used Google Fonts (served from servers operated by Google LLC in the United States) for web font delivery. We no longer use Google Fonts. All fonts are now self-hosted on our own servers. No requests are made to Google's servers when you visit our website, and no data (including your IP address) is transmitted to Google in connection with font loading.

10.3 Tradovate (United States)

If you connect a Tradovate account, OAuth tokens and account identifiers may be transmitted to Tradovate's servers in the United States. We apply the minimum data principle, sharing only the tokens strictly necessary for authentication and trade execution. Transfers are protected by the data processing safeguards described below.

10.4 Safeguards for International Transfers

For all international transfers of personal data, we rely on one or more of the following safeguards to ensure that your data receives an adequate level of protection:

  • EU-U.S. Data Privacy Framework (DPF): Where a recipient in the United States has certified its participation in the Data Privacy Framework, we rely on this adequacy determination as a basis for the transfer.
  • Standard Contractual Clauses (SCCs): We enter into Standard Contractual Clauses (as adopted by the European Commission in Implementing Decision 2021/914) with recipients outside the EU/EEA, ensuring contractual guarantees of an adequate level of data protection.
  • Data Processing Agreements (DPAs): All sub-processors and third-party recipients are bound by written data processing agreements that include obligations regarding confidentiality, security measures, data subject rights, and breach notification, in accordance with Article 28 of the GDPR.
  • Encryption in transit and at rest: All data transferred to third-party recipients is protected by TLS (Transport Layer Security) encryption during transmission and AES-256-GCM encryption at rest, ensuring that data is unreadable to unauthorised parties even in the event of interception or unauthorised access.

11. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including satisfying any legal, accounting, or reporting requirements. The table below specifies the retention periods applicable to each category of data:

Data Category | Retention Period
Account data (name, email, settings) | Duration of the account plus 30 days after deletion request, to allow for potential reactivation and to comply with legal obligations.
Trading data (signals, executions, PnL, positions) | Duration of the account plus 30 days after deletion request. After this period, trading data is anonymised and may be retained in aggregate form for analytical purposes.
Platform credentials (broker passwords, OAuth tokens) | Until explicitly deleted by the user through the Dashboard. Deleted immediately upon account termination.
Session cookies (authentication) | 24 hours from creation. Extended to 3 days if "Remember Me" is selected. Session cookies are automatically invalidated upon logout.
CSRF tokens | 2 hours from creation. CSRF tokens are rotated on each significant request.
Admin audit logs | 2 years from the date of the logged event, for security and compliance purposes.
System logs containing IP addresses | 90 days from the date of creation, after which IP addresses are removed or anonymised.
Stripe payment records | 5 years from the date of the transaction, as required by the Danish Bookkeeping Act (Årsregnskabsloven) and applicable tax legislation.
Referral data (codes, statistics) | Duration of the account plus 30 days after deletion request.
Cookie consent records | 2 years from the date consent was given or last updated, in accordance with the Danish Cookie Order (Cookiebekendtgørelsen).

Upon expiry of the applicable retention period, your personal data will be securely deleted or anonymised so that it can no longer be associated with you, unless we are required to retain it for a longer period by applicable law (e.g., tax or accounting legislation).

12. Your Rights Under the GDPR

Under the GDPR and the Danish Data Protection Act, you have the following rights with respect to your personal data:

12.1 Right of Access (Article 15)

You have the right to obtain confirmation from us as to whether or not personal data concerning you is being processed, and if so, to obtain access to that data along with a copy of it. You are entitled to information about the purposes of processing, the categories of data concerned, the recipients or categories of recipients, the retention periods, and your rights regarding the data.

12.2 Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data concerning you, and the right to have incomplete personal data completed. You can update your name, email address, and account settings directly through the Dashboard at any time.

12.3 Right to Erasure (Article 17)

You have the right to request the deletion of your personal data ("right to be forgotten") in the following circumstances: (a) the data is no longer necessary for the purpose for which it was collected; (b) you withdraw your consent and there is no other lawful basis for processing; (c) you object to the processing and there are no overriding legitimate grounds; or (d) the data has been unlawfully processed. We will comply with erasure requests without undue delay and in any event within 30 days, subject to any legal obligations requiring us to retain certain data.

12.4 Right to Restriction of Processing (Article 18)

You have the right to request the restriction of processing of your personal data in the following circumstances: (a) you contest the accuracy of the data (pending verification); (b) the processing is unlawful but you prefer restriction over erasure; (c) we no longer need the data but you need it for the establishment, exercise, or defence of legal claims; or (d) you have objected to processing pending the verification of our legitimate grounds.

12.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance. Your data export is available at /api/user/export through the Dashboard. This right applies to data you have provided to us, where the processing is based on consent or contract, and the processing is carried out by automated means.

12.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data at any time on grounds relating to your particular situation, where the processing is based on legitimate interest (Article 6(1)(f)). If you object, we will cease processing your data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or for the establishment, exercise, or defence of legal claims.

12.7 Right to Withdraw Consent (Article 7(3))

Where the processing of your personal data is based on your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal. You may withdraw your consent by contacting us at [email protected] or by adjusting your cookie preferences through the Service.

12.8 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. As explained in Section 7 (Automated Processing), our automated signal processing constitutes contract performance and does not constitute automated decision-making within the meaning of Article 22. We do not engage in profiling or automated decision-making that would invoke Article 22 protections.

12.9 How to Exercise Your Rights

You may exercise any of the rights described above through any of the following channels:

  • Via the Dashboard: You can access, update, and export your personal data, manage your cookie preferences, and request account deletion directly through the Synnectra Dashboard.
  • Via email: Send a written request to [email protected], clearly identifying yourself and specifying the right(s) you wish to exercise. We will respond to your request without undue delay and in any event within 30 days. If we require additional information to verify your identity, we will contact you.
  • Via postal mail: You may send a written, signed request to Synnectra A/S, Egernvej 1, 4760 Vordingborg, Denmark.

We will not charge a fee for processing your request unless it is manifestly unfounded, excessive, or repetitive, in which case we may charge a reasonable administrative fee or refuse to act on the request.

12.10 Right to Complain to the Supervisory Authority

If you consider that the processing of your personal data infringes the GDPR or the Danish Data Protection Act, you have the right to lodge a complaint with the Danish Data Protection Agency (Datatilsynet):

Datatilsynet (The Danish Data Protection Agency)

Borgergade 28, 5.

1300 København K

Denmark

Website: www.datatilsynet.dk

13. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. The following table summarises the key security measures we have implemented:

Security Measure | Implementation Details
Transport Layer Security (TLS) | All data transmitted between your browser and our servers is encrypted using TLS 1.2/1.3 with strong cipher suites. We enforce HTTPS with HTTP Strict Transport Security (HSTS) to prevent downgrade attacks.
Encryption at rest | Sensitive data stored on our servers is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit key in Galois/Counter Mode), including platform credentials, OAuth tokens, and broker passwords.
Password hashing | Passwords are hashed using bcrypt with a cost factor of 12, making brute-force attacks computationally infeasible. Plaintext passwords are never stored or logged.
Session management | HTTP-only secure cookies prevent client-side script access to session tokens. JSON Web Tokens (JWT) include expiration timestamps and are validated on each request. Tokens are rotated upon re-authentication.
Two-Factor Authentication (2FA) | Optional TOTP-based two-factor authentication (compatible with Google Authenticator, Authy, and similar apps) provides an additional layer of account protection beyond the password.
CSRF protection | Double-submit cookie pattern for Cross-Site Request Forgery (CSRF) prevention, with tokens rotated every 2 hours.
Rate limiting | Per-IP and per-account rate limiting on all API endpoints to prevent brute-force attacks, credential stuffing, denial-of-service attacks, and other forms of abuse.
Account lockout | Accounts are automatically locked for 15 minutes after 5 consecutive failed login attempts, preventing unauthorised access through repeated password guessing.
Security headers | Content Security Policy (CSP), X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy, and Permissions-Policy headers are applied to all responses to mitigate cross-site scripting (XSS), clickjacking, and other browser-based attacks.
HMAC authentication for EA endpoints | Expert Advisor (EA) communication endpoints are secured using HMAC-SHA256 message authentication, ensuring that only authorised MetaTrader terminals can submit and receive data.
Separate admin authentication | Administrator access uses a separate authentication mechanism from user accounts, with comprehensive audit logging of all administrative actions.
Database security | SQLite is operated in Write-Ahead Logging (WAL) mode for improved concurrency and reliability. Database files are protected by filesystem permissions and are not directly accessible from the internet.

We regularly review and update our security measures to address emerging threats and vulnerabilities. However, no system connected to the internet can be completely secure, and we cannot guarantee the absolute security of your data. We encourage you to use strong, unique passwords and to enable two-factor authentication to enhance the security of your account.

14. Data Breach Notification

We take the security of your personal data seriously and have implemented robust measures to prevent data breaches. However, in the event of a personal data breach (as defined in Article 4(12) of the GDPR), we will take the following actions:

14.1 Notification to the Supervisory Authority

In accordance with Article 33 of the GDPR, we will notify the Danish Data Protection Agency (Datatilsynet) of any personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The notification will include the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures we have taken or propose to take to address the breach.

14.2 Notification to Affected Individuals

In accordance with Article 34 of the GDPR, where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, we will communicate the breach to you directly without undue delay. This notification will describe the nature of the breach, provide recommendations for protecting yourself from potential adverse effects, and describe the remedial actions we are taking. We will use email as the primary communication channel for such notifications.

14.3 Documentation

In accordance with Article 33(5) of the GDPR, we will document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken. This documentation will be made available to Datatilsynet upon request.

15. Children's Privacy

The Service is not directed at individuals under the age of 18 and we do not knowingly collect personal data from children or minors. By using the Service, you represent and warrant that you are at least 18 years of age.

If we discover that we have inadvertently collected personal data from a person under the age of 18, we will take immediate steps to delete such data from our systems. If you are a parent or guardian and become aware that a child under 18 has provided personal data to us, please contact us immediately at [email protected] and we will take prompt action to remove the information.

16. Changes to This Privacy Policy

We may update or modify this Privacy Policy from time to time to reflect changes in our data processing practices, the features of the Service, legal or regulatory requirements, or other operational reasons.

In the event of any material changes to this Privacy Policy, we will provide you with at least 30 days' advance notice by sending an email to the address associated with your account and/or by displaying a prominent notice within the Dashboard. The notice will describe the nature of the changes and the date on which they will take effect.

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Privacy Policy. If you do not agree with the revised policy, you must discontinue use of the Service and request the deletion of your account before the changes take effect.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data. The "Last updated" date at the top of this page indicates when this policy was last revised.

17. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact us using the information below:

Data Controller: Synnectra A/S

CVR: Pending registration

Address: Egernvej 1, 4760 Vordingborg, Denmark

General Inquiries & Support: [email protected]

Data Protection Officer (DPO): [email protected]

Supervisory Authority: Datatilsynet (The Danish Data Protection Agency), Borgergade 28, 5., 1300 København K, Denmark — www.datatilsynet.dk

This Privacy Policy was last updated: April 2026
