Privacy Policy

Last updated: 2026-05-03

This Privacy Policy explains how FXOptimize, operated by Frederik Baunsøe ("we", "us", "our"), a private individual based in Denmark, collects, uses, and protects your information. We believe in transparency — especially when it comes to your trading data.

🔒 The short version: Your backtest files are parsed entirely in your browser — the raw files are never uploaded to our servers. The same applies to the Pass Lab propfirm calculator: all Monte Carlo, walk-forward, and bootstrap computation happens locally in WebAssembly. We do collect anonymized portfolio-level metrics (EA names, performance statistics) to improve the service. We never see your individual trades, prices, lot sizes, or account balances.

1. Data Controller

The data controller responsible for your personal data under the General Data Protection Regulation (GDPR) is:

2. What We Collect

Account Information

When you sign up via Supabase (our authentication provider), we collect:

Saved Sessions

If you choose to save a portfolio session, the session data (EA configurations, portfolio settings, optimization results) is stored on our servers. This is opt-in — you control when and what you save.

Anonymous Portfolio Analytics

After each analysis, we automatically collect anonymized performance data to improve our service. This includes:

This data helps us build EA performance rankings and identify which EA combinations work well together. It is anonymized — it cannot be traced back to individual users or their trading accounts.

What we do NOT collect: individual trade entries/exits, prices, lot sizes, account balances, commission details, or the raw backtest file content. Pass Lab is no exception — the Monte Carlo simulation runs entirely in your browser via WebAssembly.

Payment Information

Payments are processed entirely by Stripe. We never see, store, or have access to your full card number. We only receive confirmation of payment status and subscription details from Stripe.

Verified Badge

The Pass Lab propfirm calculator can produce a Verified Badge share link of the form /pass-lab/badge#v=…. The badge encodes only the high-level summary you see on the results page (primary backtest match firm, 95% CI bounds, match strength, top failure mode, badge timestamp). It does not contain your trades, your balance, your EA names, or any account identifier. The badge data lives entirely in the URL fragment (the part after #), which is never sent to our servers — browsers do not transmit URL fragments in HTTP requests. The badge includes a non-cryptographic checksum (FNV-1a) so the page can detect tampering and warn the viewer; this is integrity-only, not encryption.

3. What We Don't Collect

🚫 Backtest files — Your MT4/MT5 HTML files are parsed entirely in your browser. They are never uploaded to or processed by our servers.

🚫 Individual trade data — We don't see your specific trades, entry/exit prices, lot sizes, or account balances. Only aggregated portfolio-level metrics are used for anonymous analytics.

🚫 Tracking cookies — We do not use advertising cookies, tracking pixels, or any form of cross-site tracking.

🚫 Browsing history — We don't track what pages you visit outside of FXOptimize.

4. How We Use Your Data & Legal Bases

We process your personal data on the following legal bases under GDPR Art. 6:

5. Sub-Processors

We use the following sub-processors that may process some of your data. Where data is transferred outside the EU/EEA, transfers rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs):

Sub-Processor | Purpose | Data Processed | Region
Supabase | Authentication & database | Email, name, hashed credentials, OAuth tokens, saved sessions | EU (configured)
Stripe | Payment processing | Payment method, billing address, subscription status | US (SCCs / DPF)
Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata | Global edge
Hetzner | Server hosting | Application data at rest | Germany (EU)
Umami (self-hosted) | Cookieless analytics | Aggregated page views, referrers (no PII, no cookies) | EU
MetaApi (Agile Trading B.V.) | MT4/MT5 broker connection (sync-time only) — opt-in via the Sync feature, see §7 | Encrypted investor password (decryption-in-flight), broker server name, account number, trade history | Netherlands (EU)

Each sub-processor has its own privacy policy. We recommend reviewing them if you have specific concerns.

6. Data Retention

7. Synchronization (Optional Feature)

If you opt into the Synchronization feature (available on the Solo and Studio plans), we process additional data necessary to maintain a read-only connection to your MetaTrader 4 or MetaTrader 5 brokerage account. This section applies only to users who explicitly connect a broker account via the /app/connect flow. It does not apply to backtest analysis, Pass Lab, or any other Service feature.

What we collect for broker sync

What broker sync allows us to do

What broker sync does NOT allow us to do

The investor password gives read-only access only. We cannot, and will never:

Residency restriction

Synchronization is currently not offered to residents of the European Economic Area (EEA) or the United Kingdom while we complete our compliance review under GDPR for credential-storage processing. Before you can connect a broker account, you must affirm by self-attestation that you are not an EEA/UK resident and agree to disconnect your account if your residency status changes to one of these jurisdictions.

We capture your Cloudflare-detected country code at the moment of attestation as part of the audit record, and we monitor subsequent IP-country detections per the Edge Case 21 process described below. If a pattern of EEA/UK access emerges after attestation, we will pause sync and ask you to reconfirm; an unconfirmed EEA/UK pattern triggers automatic disconnect with hard deletion of your credentials.

The remainder of FXOptimize (backtest analysis, Pass Lab, etc.) is fully available to all users worldwide, including EEA/UK residents — only the Synchronization feature is restricted by the residency self-attestation.

Sub-processor for broker connections

For both MetaTrader 4 and MetaTrader 5 connections, we use MetaApi (operated by Agile Trading B.V., Netherlands) as a sub-processor to broker the connection between our infrastructure and your broker server. MetaApi receives your encrypted investor password only at sync time. See §5 Sub-Processors for details.

Retention

All broker-sync data is retained until you disconnect the account. When you click "Disconnect" in your settings, we perform a hard delete immediately:

The self-attestation audit-trail row may be retained for up to 7 years to satisfy regulatory record-keeping obligations, but it contains no broker credentials, no trade data, and no account identifiers — only the timestamp + country code at the moment you consented.

Post-attestation residency change detection

If we detect 3 or more sign-ins from EU/UK IP addresses within any 30-day window after you self-attested non-residency, we will pause sync on your account and email you to confirm your current residency. You have 14 days to respond. If you confirm continued non-EU residency (e.g. you were traveling), sync resumes. If you confirm a residency change to EU/UK, we trigger a user-initiated disconnect that hard-deletes your credentials. No response within 14 days results in automatic disconnect and hard delete.

8. Cookies & Session Storage

FXOptimize uses only strictly necessary cookies and session storage required for the Service to function. No consent banner is required because no optional tracking cookies are used.

We do not use any advertising, cross-site tracking, or third-party marketing cookies. Our analytics (Umami, self-hosted) is cookieless.

Cookies & analytics consent

FXOptimize uses Umami (umami.is) for product analytics — a privacy-first, open-source alternative to Google Analytics. Umami is hosted on our own infrastructure (analytics.steadyflowfx.com), so your data never leaves SteadyFlowFX servers.

Umami stores a small localStorage entry to count unique visitors. It does not set tracking cookies, does not collect personal information, and does not enable cross-site tracking. The European Data Protection Board (EDPB) still considers localStorage trackers cookie-equivalent under ePrivacy — so we ask for explicit consent before loading the script, even though the practical privacy impact is minimal.

What we collect when consent is granted: pageviews, anonymized IPs, country (from IP), browser + OS family, screen resolution, and the referrer URL. What we do NOT collect: your email, name, raw IP address (it is anonymized at ingest), specific URLs of authenticated app pages (those are blocked from analytics in robots.txt), device fingerprints, or behavioral profiles.

If you reject the analytics cookie, we don't load Umami at all. We still receive minimal HTTP server logs (IP + URL + timestamp) for security and rate-limiting purposes — these are deleted after 14 days and never linked to user identity.

Manage your consent

Click below to clear your saved cookie preference. The consent banner will appear on your next pageview so you can choose again.

9. Data Security

We take reasonable measures to protect your data, including:

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately at [email protected].

10. Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Authority (Datatilsynet) within 72 hours, and affected users without undue delay, in accordance with GDPR Articles 33 and 34.

11. Your Rights (GDPR)

As we are based in Denmark (EU), you have the following rights under GDPR:

To exercise any of these rights, use the self-service options in your account settings or contact us at [email protected]. We will respond within 30 days.

12. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.

13. Children's Privacy

FXOptimize is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

15. Contact

For privacy-related questions, data requests, or concerns:

Privacy contact: [email protected]

General support: [email protected]

Frederik Baunsøe · Denmark