Privacy Policy
Effective Date: January 20, 2025
This Privacy Policy explains how Marek Majdak IT Consulting (referred to as "we" or "us") collects, uses, and protects your personal data when you use our mobile trading application (the "App") available on iOS and Android. We are committed to safeguarding your privacy in compliance with the EU General Data Protection Regulation (GDPR) and applicable global data protection laws. We present this information in a concise and clear manner for easy understanding.
1. Data Controller and Contact Information
The data controller (the organization responsible for your personal data) is Marek Majdak IT Consulting, a company based in Warsaw, Poland. Our address is Bajaderki 2a/1, 02-776, Warsaw, Poland. You can contact us with any questions or requests regarding your personal data at admin@wavetrader.net or by mail at the address above.
If we appoint a Data Protection Officer (DPO) or representative, we will provide their contact details here. In the meantime, please use the contact information above for all privacy-related inquiries.
2. Personal Data We Collect
We only collect personal data that is necessary for the operation of the App and provision of our services. The types of personal data we collect include:
- Account Information: When you create an account, we collect your name and email address. We use this information to register your account, identify you as a user, and communicate with you. You will also create a password (stored in encrypted form) to secure your account.
- Contact Details: Your email address (and optionally your name) may be used to send service-related notifications (e.g. confirmations, password resets) or updates about the App.
- Device and Usage Data: We automatically collect certain information when you use the App, such as your IP address, device type/model, operating system version, unique device identifiers, and the dates/times of access. We also collect usage information like app features used or pages viewed. This data helps us ensure security, prevent fraud, and analyze how users interact with our App (for example, to improve performance and user experience). IP addresses may be used to infer general location (country or city level) for fraud prevention and analytics.
- Payment Information: If you make purchases or transactions through the App, payment details (such as credit card numbers or other payment data) are collected and processed directly by our third-party payment processor, Stripe. For security, we do not store your full payment information on our servers. (See Third-Party Services below for more on Stripe.)
- Communications: If you contact us for support or feedback (such as via email or an in-app support feature), we will collect the information you provide (e.g. your name, email, and the content of your inquiry) in order to respond to you.
No Special Categories: We do not intentionally collect any sensitive personal data such as racial or ethnic origin, political opinions, religious beliefs, health information, or biometric data through the App. Please avoid providing such data in your account or communications with us.
Children: Our App is not directed to children under 16, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe your child has provided personal data, please contact us so we can delete it.
3. Purposes and Legal Bases for Processing
We process your personal data only for specific purposes and in accordance with the legal bases defined in Article 6 of the GDPR. This means we always have a lawful reason to use your data. The purposes for which we use personal data, and the corresponding legal bases, are:
- Providing and Improving the Service: We use your name, email, and device/usage data to create and manage your account, authenticate you, provide the trading features of the App, and personalize your experience. This is necessary to perform our contract with you (GDPR Article 6(1)(b)) and to pursue our legitimate interest in delivering and improving our services (Article 6(1)(f)). For example, we might analyze how users navigate the app to improve usability.
- Communications: We process your email (and possibly name) to send you important account or transaction-related communications (e.g. account confirmations, technical or security notices, updates about your trades or changes to the app). The legal basis is the performance of contract (Art. 6(1)(b)) when communications are necessary for providing our services, or our legitimate interest (Art. 6(1)(f)) in keeping you informed about your account and ensuring customer support. If we send optional marketing or newsletter emails, we will do so only with your consent (Art. 6(1)(a)), and you can opt out at any time.
- Analytics and Product Development: We use Google Analytics and similar tools to collect device and usage data (such as IP address, device identifiers, and in-app behavior) to understand how the App is used and to improve its functionality. Our legal basis for this is our legitimate interest in analyzing usage and improving our product (GDPR Art. 6(1)(f)). Where required by law (for example, in certain jurisdictions), we will seek your consent before enabling analytics (GDPR Art. 6(1)(a)). We have configured Google Analytics to anonymize IP addresses, which means your IP is truncated within the EU to protect your privacy.
- Payments Processing: When you make a purchase or transaction, we process payment data via Stripe to complete the transaction and prevent fraud. This is done under the legal basis of contract necessity (processing your payment is required to provide the service, Art. 6(1)(b)) and our legitimate interest in using secure payment processors (Art. 6(1)(f)). For example, we might transfer your name and order amount to Stripe to process a credit card payment, relying on Stripe's secure infrastructure.
- Legal Obligations: We may process or retain some data to comply with legal obligations (Art. 6(1)(c)). For instance, as a business we must keep certain transaction records for tax and accounting purposes, or financial regulations may require us to retain trading logs. If we are under a legal obligation to retain or disclose data (e.g. a court order or regulatory requirement), we will do so to the extent required by law.
- Security and Fraud Prevention: We use personal data (such as IP address or device info) to monitor and prevent fraud, unauthorized access, and other illegal activities in our App. This processing is based on our legitimate interests (Art. 6(1)(f)) in keeping the App secure and preventing misuse, and in some cases on compliance with legal obligations to protect user data and secure transactions.
We will not use your personal data for any purposes that are incompatible with those described above without informing you and obtaining any necessary consent. We do not engage in any automated decision-making or profiling that produces legal or similarly significant effects on you (GDPR Article 22) – in other words, we do not make solely automated decisions about you that could affect your rights or livelihood (no automated credit scoring, etc., without human review).
4. Third-Party Services and Processors
To operate our App and provide certain features, we rely on a few trusted third-party service providers. We only share personal data with these providers as needed for them to perform their services on our behalf, and each provider is contractually obligated to protect your data and use it only for the specified purposes. The main third-party services we use are:
- Google Analytics: We use Google Analytics, provided by Google Ireland Limited (with parent company Google LLC in the USA), to collect analytics data about how users use our App. Google Analytics may process information such as your device identifiers, IP address (anonymized if possible), and usage patterns. This helps us analyze app performance and user engagement. We have a Data Processing Agreement with Google and have enabled appropriate safeguards since data may be transferred to the United States (see Data Transfers below). You can opt out of Google Analytics tracking by contacting us to object, or by adjusting your device settings to limit ad tracking; however, note that we do not use Google Analytics for advertising, only for usage analytics. More details can be found in Google's Privacy Policy.
- Email Service (SendGrid/Mailchimp): For email communications, we use a third-party email service such as SendGrid (provided by Twilio, Inc.) or Mailchimp (The Rocket Science Group LLC/Intuit) to send out emails efficiently. If we send you emails (for example, a welcome email, verification code, or newsletter), your name and email address are shared with that provider so the email can be delivered. These providers are based in the United States, so your data (email, name) may be transferred outside the EU for processing. We have agreements in place (including Standard Contractual Clauses) to ensure your data is protected in transit and at rest. The email service provider is not allowed to use your information except to send emails on our behalf and to improve their delivery service. You can unsubscribe from marketing emails at any time via the link in the email, or by contacting us.
- Payment Processor (Stripe): We use Stripe for secure payment processing. Stripe Payments Europe, Ltd. (located in Ireland) is the Stripe entity for EU customers, but as a global company Stripe may process data in the United States as well. When you make a payment or deposit through the App, your payment information (such as credit card number, cardholder name, expiration, billing address) is transmitted directly to Stripe via secure encryption. Stripe processes your payment and returns a confirmation to us. We do not store your sensitive payment details (like full card numbers) on our servers. Stripe may store your payment data to process future transactions and for fraud detection. The transfer of data to Stripe is necessary to perform the contract (process your transaction) and based on our legitimate interest in providing a reliable payment option. Stripe is a PCI-DSS compliant company and handles your personal data in accordance with its own privacy policy. For more information, see the Stripe Privacy Policy. If you have questions about how Stripe handles your data, we encourage you to review their policy.
- App Store Providers: Our App is distributed via the Apple App Store and Google Play Store. When you download or install the App, these platform providers may collect certain data about you and your device (for example, your Apple or Google account ID, device model, or purchase history). This data collection is governed by Apple's and Google's own privacy policies, not by us. We do not receive any personal data from Apple or Google about you except aggregate information (such as download counts) and whatever information you provide to us within the App. We recommend reviewing Apple's App Store Privacy information and Google's Privacy Policy to understand how they handle your data. We only receive information from Apple/Google as needed for app analytics and crash reports in aggregate form, or payments (if you make an in-app purchase, Apple/Google process that payment and do not share your financial info with us).
Each of these third parties is carefully vetted. We have signed Data Processing Agreements with processors where required, ensuring they only process personal data under our instructions and in compliance with GDPR. When these providers are located outside the EU, we implement appropriate safeguards for data transfers (see next section). We do not allow our third-party service providers to sell or use your data for their own marketing.
5. International Data Transfers
We primarily store and process your personal data within the European Union. However, some of our service providers (like Google, SendGrid/Mailchimp, Stripe) are based outside the European Economic Area (EEA) – for example, in the United States. This means your personal data may be transferred to or accessed from a country outside the EEA. When we transfer data to a third country, we ensure proper safeguards are in place to protect your privacy, as required by GDPR.
Our safeguards for international transfers include:
- EU Commission Adequacy Decisions: If the country has an official adequacy decision from the European Commission (meaning its laws are deemed to sufficiently protect personal data), the transfer of your data will rely on that basis. (For example, data sent to a country like Canada or Israel, if applicable, would be covered by an adequacy decision.)
- Standard Contractual Clauses (SCCs): For transfers to the United States and other countries without an adequacy decision, we use the European Commission's approved Standard Contractual Clauses in our contracts with the service provider. These clauses are legal commitments that bind the recipient to protect your data to EU privacy standards. For instance, our agreements with Google, Twilio (SendGrid), and Stripe include SCCs or equivalent measures.
- Additional Safeguards: Where possible, we also implement technical measures like encryption and pseudonymization for data that is transferred, and we require recipients to have robust security practices. Some providers (like Google) participate in frameworks or have supplemental commitments to handle European data safely.
You can request more information about the safeguards we have in place for data transfers outside the EU (or obtain a copy of the relevant contractual clauses) by contacting us. We will not transfer your personal data to a third country or international organization unless it is necessary for the services you request and unless appropriate protections are in place as described. Our goal is to ensure that your data remains protected to the standard of EU law even when processed internationally.
6. Data Retention
We will retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with applicable laws. This means:
- Active Account Data: We keep your account information (name, email, etc.) for as long as you have an active account with us. If you decide to close your account or request deletion, we will delete or anonymize your personal data associated with your account, except for any data we are required to keep by law (see below).
- Transaction and Payment Records: We retain records of transactions, payments, and related data as long as required by financial regulations, tax laws, and accounting rules. For example, Polish and EU law may require us to keep certain financial or transaction data for a minimum period (e.g., 5 years) for auditing or anti-fraud purposes. During this retention, your data will be stored securely and not used for other purposes.
- Analytics Data: Data collected for analytics (usage data) is generally retained for a shorter period. For example, Google Analytics data might be kept for 14 or 26 months by default, unless we configure it otherwise. We use aggregated analytics trends rather than personal profiles over the long term.
- Legal Compliance and Disputes: If we are dealing with a legal request or a dispute, we will retain the data relevant to that issue as long as necessary to resolve it and for a reasonable period thereafter, based on statutes of limitations (to defend or assert claims).
When the retention period for specific data expires, or if you ask for deletion and no lawful basis for retention applies, we will either securely delete or anonymize your personal data. If immediate deletion is not possible (for example, because the data is stored in secure backups), we will isolate the data and protect it from further processing until deletion is possible.
7. Data Security Measures
We take the security of your personal data very seriously. We have implemented appropriate technical and organizational measures to protect your data from unauthorized access, loss, alteration, or disclosure. These measures include, for example:
- Encryption of data in transit (e.g., using HTTPS/TLS when data is transmitted between our App and our servers, and between us and third-party services) and encryption of sensitive data at rest where applicable.
- Secure server infrastructure with firewalls and access controls to prevent unauthorized access. Personal data is stored on servers located in secure data centers with strict access restrictions.
- Access Control: Only authorized personnel who need to process your data for the purposes stated (e.g., our support or IT staff) have access to personal data, and they are bound by confidentiality obligations. We restrict administrative access and regularly review permissions.
- Monitoring and Testing: We monitor our systems for possible vulnerabilities and attacks, and we periodically test and evaluate the effectiveness of our security measures. This includes keeping software up-to-date and following industry best practices for cybersecurity.
- Organizational Policies: Our staff are trained on data protection principles and we have internal policies to handle personal data safely. In the event of a data breach that poses a risk to your rights, we will notify you and the appropriate authorities as required by GDPR.
Please note that while we strive to protect your data, no system can be 100% secure. We thus cannot guarantee absolute security of information. You also play a role in keeping your data safe: please use a strong, unique password for the App and notify us immediately if you suspect any unauthorized use of your account.
8. Cookies and Tracking Technologies
Cookies: Unlike a website, a mobile app does not use "cookies" in the traditional web browser sense. However, our App and third-party partners use similar technologies to cookies, such as mobile analytics SDKs and device identifiers, to recognize your device and gather data. For example, Google Analytics uses a mobile identifier or instance ID to anonymously track how you use the App. These technologies serve to remember your preferences, keep you logged in, and collect usage information for analytics.
- We do not use tracking for advertising purposes in the App (there are no third-party ads in the App).
- We do use analytic tracking to understand app performance and usage patterns (as described above in Analytics). This is done under our legitimate interest in improving our service. If applicable, we will request your consent for any tracking that is not strictly necessary (for instance, if in the future we introduce any personalized advertising, we would implement a consent mechanism).
Google Analytics in App: As noted, Google Analytics collects certain data about your device and app usage. This may involve placing a unique identifier in the app's storage. Google Analytics may also collect your IP address, but we have configured it to use IP anonymization, meaning Google truncates your IP within the EU to reduce identifiability. Google Analytics data is used in aggregate form to help us understand user trends (for example, which screens are most visited, how often the app crashes, etc.). You can opt out of Google Analytics by disabling analytics in the app settings (if available) or by contacting us to object to such processing, in which case we will cease Google Analytics data collection from your use of the app.
If you also use our website or other online services, you can manage cookies through your browser settings. On our website, we use cookies for functionality and analytics under similar principles (you can find details in our website Privacy/Cookie Policy). For mobile apps, you can limit ad tracking in your device settings (such as selecting "Limit Ad Tracking" on iOS or resetting your Advertising ID on Android), which will reduce the amount of tracking for advertising and potentially analytics.
Do Not Track: "Do Not Track" (DNT) is a setting in some web browsers that signals a preference not to be tracked across websites. As our service is a mobile app, DNT is not directly applicable. However, we treat any DNT signals on our website accordingly, and for the app, you can use the aforementioned methods to limit tracking.
9. Your Rights as a Data Subject
Under the GDPR and other privacy laws, you have a number of rights regarding your personal data. We are committed to honoring your rights and have processes to allow you to exercise them. Specifically, you have the following rights:
- Right to Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to obtain a copy of the data we hold about you. This allows you to know and verify the lawfulness of our processing.
- Right to Rectification: If any of your personal data is inaccurate or incomplete, you have the right to request that we correct or update it. We strive to ensure that your data is correct, and will promptly make corrections based on your instruction.
- Right to Erasure ("Right to be Forgotten"): You have the right to request that we delete your personal data when it is no longer needed for the purposes for which it was collected, or if you have withdrawn consent (where applicable) or objected to processing and there are no overriding legitimate grounds for us to continue, or if we have processed your data unlawfully. Upon your request, we will erase your data unless an exception applies (for example, we may need to retain certain information to comply with a legal obligation; in such a case, we will inform you).
- Right to Restrict Processing: You have the right to ask us to limit the processing of your personal data in certain circumstances. For example, you can request restriction if you contest the accuracy of the data (for a period allowing us to verify it), or if you object to our processing based on legitimate interests (while we consider your objection). When processing is restricted, we will store your data securely and not use it (except as necessary for legal claims or with your consent) until the restriction is lifted.
- Right to Object: You have the right to object to certain processing of your data at any time, on grounds relating to your particular situation. In particular, you can object to processing that we justify on legitimate interests (Art. 6(1)(f)), including analytics or marketing. If you object, we will stop such processing unless we have compelling legitimate grounds that override your interests or it is needed for legal claims. If we use your data for direct marketing (e.g., email newsletters), you can object at any time and we will immediately stop using your data for that purpose.
- Right to Data Portability: You have the right to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transmitted to another controller where technically feasible. This right applies when the processing is based on your consent or a contract (Art. 6(1)(a) or (b)) and is carried out by automated means. We will assist in transferring your data directly to another organization at your request, where possible.
- Right to Withdraw Consent: If we rely on your consent for any processing (such as optional marketing emails), you have the right to withdraw that consent at any time. Withdrawing consent will not affect the lawfulness of any processing we already conducted while relying on consent in the past, but it will mean we stop the consent-based processing going forward. For example, you can withdraw consent by unsubscribing from a newsletter or toggling off a certain data collection feature.
- Right to Lodge a Complaint: If you believe we have not complied with your data protection rights or GDPR obligations, you have the right to lodge a complaint with a data protection supervisory authority. You may do so in the EU member state where you reside, where you work, or where the alleged infringement occurred. Our lead supervisory authority is in Poland: you can contact the President of the Personal Data Protection Office (Urząd Ochrony Danych Osobowych), located at Stawki 2, 00-193 Warsaw, Poland. We would, however, appreciate the chance to address your concerns directly before you approach a DPA, so please feel free to contact us first.
Exercising Your Rights: You can exercise any of these rights by contacting us at admin@wavetrader.net or by mail at our postal address (see Data Controller section above). For security, we may need to verify your identity (for example, by asking you to confirm information associated with your account) before fulfilling your request. No fee is required to exercise your rights – we will respond to your requests free of charge, except in exceptional cases of excessive or unfounded requests, in which case a reasonable fee may be charged as permitted by law.
We will do our best to respond to all legitimate requests within one month as required by GDPR. If your request is particularly complex or if you have made multiple requests, we may extend this period by an additional two months, but we will inform you of the need for an extension.
10. Account Deletion and Data Access Requests
You can request access to your data or deletion of your account at any time:
- Data Access: If you want to know what personal data we have about you, you can contact us for a data access request (also known as a Subject Access Request). We will provide you with a copy of your data and information on how it's used, in line with Article 15 GDPR.
- Account Deletion: The App may provide an in-app option to delete your account (for example, a "Delete Account" button in settings). Using that option will trigger the deletion process for your personal data. Alternatively, you can email us at admin@wavetrader.net with a request to delete your account. We will then erase your personal data from our systems (other than data we must keep for legal reasons, as noted in Data Retention above) and confirm to you once completed. Please note that once deleted, your account and data (like your profile, trading history, etc.) cannot be recovered.
Deleting the app from your device alone does not automatically delete your account data from our servers – you will need to follow the above steps to delete your account if you wish to exercise your right to erasure fully. After deletion, some residual information may remain in secure backups for a short period, but we will continue to protect it and delete it in accordance with our retention policy.
11. Changes to This Privacy Policy
We may update or modify this Privacy Policy from time to time in response to evolving legal, technical, or business developments. When we update the Policy, we will change the "Effective Date" at the top. If changes are significant, we will notify you through the App (for example via a pop-up or notification) or by email, and where required by law, we will obtain your consent for any new purposes or uses of data. We encourage you to periodically review this Policy for the latest information on our privacy practices. The current version of the Privacy Policy will always be available within the App and on our website.
Your continued use of the App after any changes indicates your acknowledgment of the updated Policy. If you do not agree with any changes, you should stop using the App and, if applicable, delete your account.
12. Contact Us
If you have any questions, concerns, or feedback about this Privacy Policy or our data practices, please contact us at:
Marek Majdak IT Consulting
Attn: Privacy Team/Data Protection Officer (if applicable)
Bajaderki 2a/1
02-776 Warsaw, Poland
Email: admin@wavetrader.net
We will be happy to assist you and address any issues. Your privacy is important to us, and we appreciate you entrusting us with your personal data.
Thank you for reading our Privacy Policy.