Version 2.0 - July 2026
This Privacy Policy describes how Orixium processes personal data provided by its users through the Strategy Lab service (registration and authentication, creating and validating trading strategies through backtesting, paper-trading simulation bots, an AI copilot, billing and support), in accordance with Regulation (EU) 2016/679 (GDPR) and Organic Law 3/2018 on Personal Data Protection (LOPDGDD). Orixium is a pure software tool to create and validate algorithmic strategies: it does not execute real trades on user capital, does not emit real-time trading signals, does not manage third-party funds, and does not connect exchange or broker accounts on behalf of users. Section 3.1 separately and honestly describes a restricted operational capability of the platform operator that does involve connecting real accounts.
Controller: Dídac Odena Andújar, natural person, as founder of the Orixium project during the pre-launch phase, pending corporate incorporation. Country of residence: Spain. Contact email: [email protected]. All communications relating to personal data processing, including the exercise of GDPR rights, must be addressed to the email address indicated.
Processing carried out during the pre-revenue phase does not trigger any mandatory DPO designation scenarios set out in Article 37.1 GDPR (public authority, large-scale systematic monitoring, or large-scale processing of special categories). Consequently, no DPO is formally designated at this time. The controller identified in section 1 acts as single point of contact for any data protection matter, also available at [email protected]. If future Orixium activity triggers Article 37.1 scenarios, a DPO will be appointed and this Policy will be updated accordingly; the public commitment is to appoint an independent DPO before reaching 250 active users or opening public beta.
Orixium processes personal data strictly necessary to deliver the Strategy Lab service:
| Data | Mandatory | Purpose |
|---|---|---|
| Email address and password (hash) | Yes | User account identification and authentication in the service. The password is stored only as an irreversible hash; never in plain text. |
| Federated identity (Google or GitHub, if the user chooses social sign-in) | No | Alternative authentication via the OAuth provider chosen by the user, without requiring a dedicated password. |
| Two-factor authentication (2FA/TOTP) | No | Enhanced account security, voluntarily enabled by the user. |
| Country of residence | No | Geographic segmentation to tailor communications and regulatory availability (MVP limited to the EU; LATAM and other regions out of scope). |
| Taller content: created strategies, backtest configuration, results and validation verdicts | Yes (core functionality) | Delivery of the strategy creation and validation service through backtesting on historical data. Results are always hypothetical and simulated. |
| Conversation history with the AI copilot (Orixia) | No | Conversational assistance to build and understand strategies. The AI works in the abstract on strategy logic: it does not profile the user, does not recommend specific assets, and does not personalize based on the user's financial situation (see section 4). |
| Simulation (paper trading) accounts and simulation bot activity | No | Simulation functionality on a virtual balance, with no connection to any real exchange or broker and no real capital movement. |
| Browser push notification subscription (endpoint, p256dh/auth encryption keys, user-agent) | No | Delivery of browser push notifications (system alerts), voluntarily enabled by the user. The endpoint is assigned by the browser itself and is opaque (does not identify the user on its own). |
| Billing data (customer and invoice identifiers at the payment provider, amounts, period) | Yes (paid plan) | Subscription management and compliance with accounting and tax obligations. Orixium does not store card data; it is managed directly by the payment provider (section 6). |
| IP address and technical metadata (device, browser) | Automatic | Abuse prevention, anti-bot protection (Cloudflare Turnstile), session security and technical error diagnosis. |
| Account audit records (logins, security changes, consent events) | Automatic | Security traceability, abuse prevention and compliance with legal retention obligations. |
No special categories of personal data (Article 9 GDPR) or minors' data are collected. The service is exclusively directed at persons over 18. Orixium does not collect or use the user's investment objectives, net worth or risk tolerance to personalize strategies, nor does it present any tool's output as suitable for the specific user: a backtest verdict is identical for any user applying the same parameters to the same asset.
At the infrastructure level, the system retains the technical capability to connect a real exchange or broker account via encrypted API keys and to run a bot in real mode on that account. This capability is NOT part of the Strategy Lab product offered to users: today, the interface allowing a real account to be connected is restricted to the platform operator (the controller identified in section 1) at the user-interface level, who uses it exclusively over their own capital, under strong authentication. This restriction is enforced both at the interface and at the server: the API rejects the connection and management of real accounts for any user other than the operator. Where the platform operator connects a real account in their capacity as a user of the system itself, the data processed is: exchange or broker API keys (encrypted at rest with AES-256-GCM, with no withdrawal permissions), and the records of the resulting orders. This section is kept for transparency and technical accuracy, not because the service offered to users includes real execution.
Data is processed exclusively for: (i) user account management, authentication and preferences; (ii) delivery of the strategy creation and validation service through backtesting on historical data, including the AI copilot that helps build and understand strategies in the abstract, without recommending specific assets or personalizing based on the user's situation (red lines of the product's legal canon); (iii) simulation (paper trading) functionality on a virtual balance, with no real execution; (iv) delivery of browser push notifications when the user voluntarily enables them; (v) transactional and security communications (email verification, password changes, account alerts); (vi) abuse prevention, anti-bot protection and system security; (vii) subscription management and billing; (viii) compliance with legal obligations (audit and accounting records); and (ix) marketing communications only where the user's explicit and separate consent exists, withdrawable at any time without affecting the rest of the service. Data is not used for third-party marketing nor shared with them for advertising purposes.
Performance of a contract (Art. 6.1.b GDPR) for delivery of the Strategy Lab service: user account, strategy creation and validation, AI copilot, simulation functionality and billing. Consent of the data subject (Art. 6.1.a GDPR) for marketing communications, browser push notifications and non-strictly-necessary cookies (analytics). Legitimate interest of the controller (Art. 6.1.f GDPR) for abuse prevention, anti-bot protection and platform security, with the corresponding balancing test performed and this minimal processing considered not to override the rights and freedoms of the data subject. Compliance with legal obligation (Art. 6.1.c GDPR) in the retention of billing records and consent traces for the periods required by applicable regulation.
Data is shared with the following processors, acting on behalf of the controller under Article 28 GDPR, under processing agreement and with the guarantees required by data protection regulation:
| Processor | Purpose | Location | Guarantees |
|---|---|---|---|
| Cloudflare, Inc. | Site and service hosting (Cloudflare Pages), CDN, anti-bot protection (Turnstile) and security. | USA (with EU presence). | European Commission Standard Contractual Clauses (SCC) and EU-US Data Privacy Framework certification. |
| Resend (Resend, Inc.) | Transactional email delivery (verification, security alerts, billing) and, subject to consent, marketing communications. | United States. | European Commission Standard Contractual Clauses (SCC). Final verification of the data processing agreement (DPA) pending before commercial launch. |
| PostHog, Inc. | Product analytics. Aggregate usage measurement of the service (pages visited, product actions, retention, conversion funnel). Only active with prior opt-in consent from the user. | United States (instance hosted in the European Union — AWS Frankfurt, Germany). | Data hosted on EU infrastructure (EEA). No international transfer. DPA available at https://posthog.com/dpa |
| Anthropic PBC | AI model provider (Claude) that processes strategy text and copilot messages to generate strategy logic and conversational replies. The system filters and rejects, before reaching the model, messages that combine the user's financial data (net worth, risk profile) with a request for personalized advice; users must not enter personal financial information in the chat. | United States. | European Commission Standard Contractual Clauses (SCC). Anthropic does not use content submitted via the API to train its models, under its commercial API policy in effect as of this version. |
| Stripe (payment provider) | Payment processing and subscription management. Stripe receives and holds card data; Orixium only receives customer/invoice identifiers and amounts. | European Union / United States, depending on the applicable Stripe entity. | European Commission Standard Contractual Clauses (SCC) and Stripe's own payment security certifications (PCI DSS). |
| Sentry (Functional Software, Inc.) | Detection and diagnosis of technical service errors. Session data (passwords, tokens, API keys) is automatically stripped before transmission. | European Union (German ingest region, technically enforced in the service's code). | Hosted on EU infrastructure. No international transfer when the EU region is active (automatic verification in production). |
| User's browser push service (Firebase Cloud Messaging for Chrome/Edge, Mozilla Autopush for Firefox, or another browser-native relay) | Delivery of push notifications to the user's browser. The browser itself chooses the relay; Orixium only sends the encrypted payload to the endpoint the browser provides. | Depending on the user's browser and vendor (typically United States). | End-to-end encrypted payload (standard Web Push protocol); Orixium cannot read the content in transit through the relay. |
| Exchange or broker (only under the operational capability of section 3.1) | Execution of orders in a real account, exclusively when the platform operator connects their own account via API keys. Does not apply to users' use of the Strategy Lab product. | Depending on the provider connected by the operator. | Orixium does not hold funds; it only transmits orders using the API keys provided. |
No data is transferred to any other third party except by legal obligation. No international transfers additional to those indicated are performed.
User account and preferences: retained while the account is active; upon deletion request (Settings > Data > Delete account) a 30-day grace period applies during which the user may cancel the request. After that period: the user's personal identifiers (email, password, name, country, 2FA) are pseudonymized; sessions, notifications, preferences, manual positions and human-review requests are permanently deleted; and API keys of any connected exchange or broker account are cryptographically erased. Operational records subject to legal obligation are automatically purged once their period elapses: trades (Trade) are deleted 6 years after closing (Commercial Code) via a scheduled purge job, and audit logs after 5 years (aligned with MiCA). The user's own content is deleted in full together with the account: Taller strategies and experiments, AI-copilot conversation history, simulation accounts, push notification subscriptions, social-login (OAuth) identities, trusted devices and contact messages are permanently erased in the same purge process. Consent traces retain their evidentiary value for 5 years, after which the associated IP address and browser metadata are automatically erased. Email verification, password reset and 2FA OTP tokens: permanently deleted upon expiry or use. Consent traces: retained for the applicable statute-of-limitations period in case of claim or legal requirement.
Under Articles 15 to 22 GDPR and LOPDGDD, any data subject may exercise the following rights: access to their personal data, rectification of inaccurate data, erasure (right to be forgotten), restriction of processing, portability of provided data, objection to processing based on legitimate interest, withdrawal of consent at any time without retroactive effect, and the right not to be subject to automated decisions with legal effects without human review. To exercise any of these rights, simply send an email to [email protected] indicating the right to be exercised; a response will be issued within one month (Art. 12.3 GDPR), extendable by two additional months for complex requests, with prior notice to the data subject. If you consider that processing does not comply with regulation, you have the right to lodge a complaint with the Spanish Data Protection Agency (AEPD), www.aepd.es, C/ Jorge Juan, 6, 28001 Madrid, or with the data protection authority of your Member State of residence.
The controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR), including: in-transit encryption via TLS for all website and service communications; at-rest encryption (AES-256-GCM) of any connected API key and of sensitive credentials in the database; passwords stored only as an irreversible hash; automatic redaction of secrets and credentials in the system's technical logs before they are sent to diagnostic tools; anti-bot protection with Cloudflare Turnstile and IP abuse control; data minimization, requesting only strictly necessary data; multi-factor authentication available for user accounts; and restricted access to controller and processors under least-privilege principle.
This Policy may be updated to reflect changes in processors, legal basis, retention periods or controller status (for example, after corporate incorporation). Material changes will be notified to data subjects with active consent via email before they take effect. The effective date at the top of the document always reflects the current version.