Privacy Policy

This Privacy Policy explains how FXOptimize, operated by Frederik Baunsøe ("we", "us", "our"), a private individual based in Denmark, collects, uses, and protects your information. We believe in transparency — especially when it comes to your trading data.

Last updated: 2026-05-03

The short version: Your backtest files are parsed entirely in your browser — the raw files are never uploaded to our servers. The same applies to the Pass Lab propfirm calculator: all Monte Carlo, walk-forward, and bootstrap computation happens locally in WebAssembly. We do collect anonymized portfolio-level metrics (EA names, performance statistics) to improve the service. We never see your individual trades, prices, lot sizes, or account balances.

1. Data Controller

The data controller responsible for your personal data under the General Data Protection Regulation (GDPR) is:

2. What We Collect

Account Information

When you sign up via Supabase (our authentication provider), we collect:

  • Email address and name (from email signup or Google login)
  • Authentication tokens managed by Supabase

Saved Sessions

If you choose to save a portfolio session, the session data (EA configurations, portfolio settings, optimization results) is stored on our servers. This is opt-in — you control when and what you save.

Anonymous Portfolio Analytics

After each analysis, we automatically collect anonymized performance data to improve our service. This includes:

  • EA names and currency pairs — as detected from your backtest report headers (e.g., "FXHexaFlow 8", "EURUSD")
  • Portfolio-level metrics — return %, max drawdown, Calmar ratio, Sortino ratio, win rate, and other aggregate statistics
  • Portfolio compositions — which combinations of EAs appeared in top-performing portfolios
  • Backtest date ranges — the start and end dates of your backtests
  • Verdict outcomes — when you run the propfirm pass-rate calculator: the firms compared, the primary backtest match firm and its 95% CI, top failure modes, and the worst-EA-contributor ranking. We never receive your trades or balance — only the aggregated per-firm pass-probability summary.

This data helps us build EA performance rankings and identify which EA combinations work well together. It is anonymized — it cannot be traced back to individual users or their trading accounts.

What we do NOT collect: individual trade entries/exits, prices, lot sizes, account balances, commission details, or the raw backtest file content. Pass Lab is no exception — the Monte Carlo simulation runs entirely in your browser via WebAssembly.

Payment Information

Payments are processed entirely by Stripe. We never see, store, or have access to your full card number. We only receive confirmation of payment status and subscription details from Stripe.

Verified Badge

The Pass Lab propfirm calculator can produce a Verified Badge share link of the form /pass-lab/badge#v=…. The badge encodes only the high-level summary you see on the results page (primary backtest match firm, 95% CI bounds, match strength, top failure mode, badge timestamp). It does not contain your trades, your balance, your EA names, or any account identifier. The badge data lives entirely in the URL fragment (the part after #), which is never sent to our servers — browsers do not transmit URL fragments in HTTP requests. The badge includes a non-cryptographic checksum (FNV-1a) so the page can detect tampering and warn the viewer; this is integrity-only, not encryption.

3. What We Don't Collect

Backtest files — Your MT4/MT5 HTML files are parsed entirely in your browser. They are never uploaded to or processed by our servers.

Individual trade data — We don't see your specific trades, entry/exit prices, lot sizes, or account balances. Only aggregated portfolio-level metrics are used for anonymous analytics.

Tracking cookies — We do not use advertising cookies, tracking pixels, or any form of cross-site tracking.

Browsing history — We don't track what pages you visit outside of FXOptimize.

4. How We Use Your Data & Legal Bases

We process your personal data on the following legal bases under GDPR Art. 6:

  • Contract (Art. 6(1)(b)) — Account management, service delivery, storing and retrieving your saved sessions, and payment processing. Required to provide the Service you signed up for.
  • Legitimate interest (Art. 6(1)(f)) — Product improvement via anonymized portfolio metrics; security, fraud prevention, and abuse mitigation (including per-device quota enforcement for the free tier).
  • Legal obligation (Art. 6(1)(c)) — Retention of payment records for tax and accounting purposes under Danish bogføringsloven.
  • Communication — Service-related emails (billing, important updates). No marketing spam.

5. Sub-Processors

We use the following sub-processors that may process some of your data. Where data is transferred outside the EU/EEA, transfers rely on the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs):

| Sub-Processor | Purpose | Data Processed | Region |
|---|---|---|---|
| Supabase | Authentication & database | Email, name, hashed credentials, OAuth tokens, saved sessions | EU (configured) |
| Stripe | Payment processing | Payment method, billing address, subscription status | US (SCCs / DPF) |
| Cloudflare | CDN, DDoS protection, DNS | IP address, request metadata | Global edge |
| Hetzner | Server hosting | Application data at rest | Germany (EU) |
| Cloudflare Web Analytics | Cookieless pageview/traffic analytics (server-side) | Aggregated page views, referrers (no PII, no cookies, no fingerprinting) | Global edge |
| Umami (self-hosted — first-party, not a third party) | In-app product analytics, runs on our own Hetzner server. Loaded only with your analytics consent. | Aggregated in-app events (which features/steps were used) + a cookieless localStorage visitor count. No PII, no cross-site tracking, no backtest data. | Germany (EU) |
| MetaApi (Agile Trading B.V.) | MT4/MT5 broker connection (sync-time only) — opt-in via the Sync feature, see §7 | Encrypted investor password (decryption-in-flight), broker server name, account number, trade history | Netherlands (EU) |

Each sub-processor has its own privacy policy. We recommend reviewing them if you have specific concerns.

6. Data Retention

  • Account data — Retained while your account is active, plus up to 90 days after deletion for operational wind-down
  • Saved sessions — Retained until you delete them or close your account
  • Anonymous analytics — Retained indefinitely (cannot be linked back to you)
  • Payment records — Retained for 5 years after transaction as required by Danish bogføringsloven
  • Broker-sync data — Retained only while the broker account is connected. Hard deletion immediately upon disconnect (encrypted password, trades, EA mappings, account snapshot). Self-attestation timestamp + country may be retained up to 7 years as audit trail (no broker credentials)

7. Synchronization (Optional Feature)

If you opt into the Synchronization feature (available on the Solo and Studio plans), we process additional data necessary to maintain a read-only connection to your MetaTrader 4 or MetaTrader 5 brokerage account. This section applies only to users who explicitly connect a broker account via the /app/connect flow. It does not apply to backtest analysis, Pass Lab, or any other Service feature.

What we collect for broker sync

  • Broker investor password — encrypted at rest with AES-256 (256-bit Advanced Encryption Standard). The encryption key is rotated every 90 days and never stored in our database. Decryption only occurs server-side at sync time, in memory, and is wiped immediately after each sync.
  • Broker server name and account number — used to route sync requests to the correct broker.
  • Trade history — closed trades and currently-open positions retrieved from your account, normalized to UTC.
  • Per-trade metadata — symbol, lots, open/close price, profit, swap, commission, magic number, comment.
  • Account snapshot — current balance, equity, margin level, currency. Updated on each 5-minute sync cycle.
  • Self-attestation record — timestamp + your Cloudflare-detected country at the moment you confirmed non-EU/UK residency. Required for compliance audit (see §10 Data Breach Notification + internal residency-decline policy).
  • Subsequent IP-country detections — recorded each sync cycle to flag potential residency changes per our Edge Case 21 runbook.

What broker sync allows us to do

  • Retrieve your read-only trade history and account statistics for display in your dashboard.
  • Compute drift detection metrics comparing your live trades to a backtest baseline you previously uploaded (Pass Lab flow).
  • Group trades by EA (using the magic number assigned by your EA, which you can override or rename).

What broker sync does NOT allow us to do

The investor password gives read-only access only. We cannot, and will never:

  • Place, modify, or close trades on your account
  • Deposit funds, withdraw funds, or change your balance
  • Modify your account settings, leverage, or risk parameters
  • Access your trading password, full broker portal, or any funds-movement capability
  • Access your personal banking, payment methods, or KYC documentation held by your broker

Residency restriction

Synchronization is currently not offered to residents of the European Economic Area (EEA) or the United Kingdom while we complete our compliance review under GDPR for credential-storage processing. Before you can connect a broker account, you must affirm by self-attestation that you are not an EEA/UK resident and agree to disconnect your account if your residency status changes to one of these jurisdictions.

We capture your Cloudflare-detected country code at the moment of attestation as part of the audit record, and we monitor subsequent IP-country detections per the Edge Case 21 process described below. If a pattern of EEA/UK access emerges after attestation, we will pause sync and ask you to reconfirm; an unconfirmed EEA/UK pattern triggers automatic disconnect with hard deletion of your credentials.

The remainder of FXOptimize (backtest analysis, Pass Lab, etc.) is fully available to all users worldwide, including EEA/UK residents — only the Synchronization feature is restricted by the residency self-attestation.

Sub-processor for broker connections

For both MetaTrader 4 and MetaTrader 5 connections, we use MetaApi (operated by Agile Trading B.V., Netherlands) as a sub-processor to broker the connection between our infrastructure and your broker server. MetaApi receives your encrypted investor password only at sync time. See §5 Sub-Processors for details.

Retention

All broker-sync data is retained until you disconnect the account. When you click "Disconnect" in your settings, we perform a hard delete immediately:

  • Encrypted investor password — deleted
  • All synced trades — deleted
  • EA mappings — deleted
  • Account snapshot — deleted

The self-attestation audit-trail row may be retained for up to 7 years to satisfy regulatory record-keeping obligations, but it contains no broker credentials, no trade data, and no account identifiers — only the timestamp + country code at the moment you consented.

Post-attestation residency change detection

If we detect 3 or more sign-ins from EU/UK IP addresses within any 30-day window after you self-attested non-residency, we will pause sync on your account and email you to confirm your current residency. You have 14 days to respond. If you confirm continued non-EU residency (e.g. you were traveling), sync resumes. If you confirm a residency change to EU/UK, we trigger a user-initiated disconnect that hard-deletes your credentials. No response within 14 days results in automatic disconnect and hard delete.

8. Cookies & Session Storage

FXOptimize uses only strictly necessary cookies and session storage required for the Service to function. No consent banner is required because no optional tracking cookies are used.

  • fxo_anon_session — HttpOnly, Secure, 1-year Max-Age. A pseudonymous per-device identifier (non-PII) used to enforce the free-tier monthly analysis quota. Legal basis: ePrivacy Directive Art. 5(3) "strictly necessary for a service the user has explicitly requested."
  • Supabase authentication tokens — Stored in the browser's sessionStorage (cleared when you close the tab). Required to keep you signed in during a session.
  • Stripe cookies — Set by Stripe during checkout, governed by Stripe's privacy policy.

We do not use any advertising, cross-site tracking, or third-party marketing cookies. Our analytics — Cloudflare (pageviews, server-side) and self-hosted Umami (in-app usage) — set no advertising or cross-site cookies; Umami stores only a single first-party localStorage value to count unique visitors, and is loaded only after you consent.

Cookies & analytics consent

FXOptimize uses two privacy-first analytics layers, both free of advertising and cross-site tracking. Cloudflare measures aggregated pageviews and traffic server-side — no client-side script, cookies, or fingerprinting. Umami, which we self-host on our own server (no third-party analytics vendor), measures how the in-app tool is used — which features and funnel steps people reach — so we can improve it. It never receives your backtest data.

Umami is cookieless and does not fingerprint. It stores a single first-party localStorage value to count unique visitors without a cookie. Because that touches client-side storage, we load Umami only after you accept analytics in the cookie banner, and you can withdraw consent any time via Manage cookies, which stops it immediately. Cloudflare, being server-side and identifier-free, needs no consent.

What we collect: aggregated pageviews, country (from IP, not stored), browser + OS family, the referrer URL, and — once you consent — aggregated in-app events (which features and funnel steps were reached, never your backtest data). What we do NOT collect: your email, name, raw IP address (Cloudflare anonymizes it at ingest), specific URLs of authenticated app pages (those are blocked from analytics in robots.txt), device fingerprints, or behavioral profiles.

We also receive minimal HTTP server logs (IP + URL + timestamp) for security and rate-limiting purposes — these are deleted after 14 days and never linked to user identity.

9. Data Security

We take reasonable measures to protect your data, including:

  • Encrypted data transmission (HTTPS/TLS 1.3 with HSTS preload)
  • Secure authentication through Supabase
  • Cloudflare protection against DDoS and malicious traffic
  • Regular security audits
  • Broker investor passwords encrypted with AES-256, key rotation every 90 days, key material stored in environment variables + 1Password break-glass backup (never in the database)
  • Row-Level Security (RLS) policies on Supabase enforce per-user isolation: a user cannot read another user's broker credentials or trade history even with direct database access

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please contact us immediately at [email protected].

10. Data Breach Notification

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Danish Data Protection Authority (Datatilsynet) within 72 hours, and affected users without undue delay, in accordance with GDPR Articles 33 and 34.

11. Your Rights (GDPR)

As we are based in Denmark (EU), you have the following rights under GDPR:

  • Access (Art. 15) — Request a copy of all personal data we hold about you. Available self-service in your account settings as "Download my data".
  • Rectification (Art. 16) — Correct inaccurate personal data
  • Erasure / Right to be forgotten (Art. 17) — Request deletion of your account and personal data. Available self-service in your account settings as "Delete my account". Note: payment records are retained for 5 years under bogføringsloven but are disassociated from your identity.
  • Portability (Art. 20) — Receive your data in a structured, machine-readable format (JSON export via "Download my data")
  • Objection (Art. 21) — Object to processing of your data for specific purposes
  • Restriction (Art. 18) — Request limited processing of your data
  • Lodge a complaint — You have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk if you believe your data is being processed unlawfully

To exercise any of these rights, use the self-service options in your account settings or contact us at [email protected]. We will respond within 30 days.

12. Automated Decision-Making

We do not engage in automated decision-making or profiling that produces legal effects or similarly significantly affects you.

13. Children's Privacy

FXOptimize is not directed at anyone under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last updated" date at the top reflects the most recent revision.

15. Contact

For privacy-related questions, data requests, or concerns:

Privacy contact: [email protected]

General support: [email protected]

Frederik Baunsøe · Denmark