Privacy Policy

Last updated: February 16, 2026

1. Data Controller

The data controller for your personal data is:

Marketflows AB

Email: hello@marketflows.io

Website: marketflows.io

If you have questions about how we process your personal data, you can contact us at any time using the email address above.

2. Information We Collect

Account Information

  • Name and email address
  • Payment information (processed and stored by Stripe; we do not store your card details)
  • Brokerage API credentials (encrypted at rest using AES-256)

Usage Information

  • Trading activity and performance metrics
  • Selected trading profile and settings
  • Login timestamps and IP addresses

Technical Information

  • Browser type and version
  • Device type (for responsive experience)
  • Server logs (access logs, error logs)

3. Legal Basis for Processing (GDPR Article 6)

We process your personal data based on the following legal grounds:

Contract Performance (Art. 6(1)(b))

Processing your account data, API credentials, and trading activity is necessary to provide the Service you subscribed to.

Legitimate Interest (Art. 6(1)(f))

Processing usage data and technical logs to maintain security, prevent fraud, improve the Service, and ensure system stability.

Consent (Art. 6(1)(a))

Marketing communications (if any). You can withdraw consent at any time.

Legal Obligation (Art. 6(1)(c))

Retaining certain records as required by Swedish accounting law (bokföringslagen) and tax regulations.

4. How We Use Your Information

  • To provide and operate the Service (executing trades, displaying performance)
  • To authenticate you and secure your account
  • To process subscription payments
  • To send important service notifications (trade alerts, system status)
  • To provide customer support
  • To improve our ML models using aggregated, anonymized trading data
  • To detect and prevent fraud and abuse

5. Data Sharing and Third Parties

We do NOT sell your personal data. We share data only with the following categories of recipients, as necessary to provide the Service:

  1. Alpaca Markets (US) — Your API credentials are used to execute trades on your brokerage account. Alpaca's own privacy policy governs their handling of your data.
  2. Stripe (US) — Payment processing. We do not store your credit card details; Stripe handles all payment data under PCI-DSS compliance.
  3. Cloud infrastructure provider — Server hosting for the application. Data is stored encrypted at rest.
  4. Law enforcement — When legally required by Swedish or EU law.

6. International Data Transfers

Some of our third-party service providers (Alpaca, Stripe) are based in the United States. When your data is transferred outside the EU/EEA, we ensure appropriate safeguards are in place:

  • EU-US Data Privacy Framework: Where applicable, our US-based providers are certified under the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, transfers are covered by EU-approved Standard Contractual Clauses.

You can request more information about these safeguards by contacting us.

7. Data Security

We implement appropriate technical and organizational measures to protect your data:

  • API credentials are encrypted at rest using industry-standard encryption
  • All data in transit uses HTTPS/TLS encryption
  • We do not store your brokerage login password
  • We cannot withdraw funds from your brokerage account (API keys are scoped to trading only)
  • Access to production systems is restricted and logged
  • Regular security monitoring and updates

8. Your Rights Under GDPR

As a data subject under the GDPR, you have the following rights:

Right of Access (Art. 15)

You can request a copy of all personal data we hold about you.

Right to Rectification (Art. 16)

You can request correction of inaccurate personal data.

Right to Erasure (Art. 17)

You can request deletion of your personal data ("right to be forgotten").

Right to Restriction (Art. 18)

You can request restriction of processing in certain circumstances.

Right to Data Portability (Art. 20)

You can request your data in a structured, machine-readable format.

Right to Object (Art. 21)

You can object to processing based on legitimate interest.

Right to Withdraw Consent (Art. 7(3))

Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, contact us at hello@marketflows.io. We will respond within 30 days.

9. Supervisory Authority

If you believe we are processing your personal data in violation of the GDPR, you have the right to lodge a complaint with a supervisory authority. The Swedish supervisory authority is:

Integritetsskyddsmyndigheten (IMY)

Swedish Authority for Privacy Protection

Website: www.imy.se

Email: imy@imy.se

You may also lodge a complaint with the supervisory authority in your country of residence within the EU/EEA.

10. Data Retention

We retain your personal data only for as long as necessary:

  • Account data: For the duration of your subscription, plus 30 days after account deletion
  • Trading history: For the duration of your subscription (needed for performance reporting)
  • Payment records: 7 years as required by Swedish accounting law (bokföringslagen)
  • Server logs: 90 days for security and debugging
  • Anonymized analytics: May be retained indefinitely (no longer personal data)

11. Cookies

We use only essential cookies required for the Service to function:

  • Session cookies: Authentication and session management
  • CSRF tokens: Security and fraud prevention
  • Preference cookies: Remembering your dashboard settings (stored in localStorage)

We do not use third-party tracking cookies, advertising cookies, or analytics cookies.

12. Children's Privacy

The Service is not intended for users under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will promptly delete it.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the latest revision.

14. Contact Us

For privacy-related questions or to exercise your data rights:

Marketflows AB

Email: hello@marketflows.io

Website: marketflows.io
