
GDPR Compliance

Data Processing Agreement

Effective Date: March 2, 2026

1. Introduction & Scope

This Data Processing Agreement ("DPA") supplements the EulerX Privacy Policy and outlines how EulerX ("Data Controller," "we," "us," or "our") processes personal data in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK GDPR.

This DPA applies to all individuals located in the European Economic Area (EEA), the United Kingdom, and Switzerland whose personal data is processed by EulerX in connection with the provision of our automated cryptocurrency trading platform and related services (the "Service").

EulerX acts as the Data Controller for the personal data collected directly from users. Where we engage third-party service providers to process data on our behalf, those providers act as Data Processors and are bound by appropriate data processing agreements.

2. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • Personal Data: Any information relating to an identified or identifiable natural person ("Data Subject"), as defined in Article 4(1) of the GDPR.
  • Data Controller: The entity that determines the purposes and means of processing personal data. In this context, EulerX is the Data Controller.
  • Data Processor: An entity that processes personal data on behalf of the Data Controller, such as our hosting providers and service partners.
  • Data Subject: An identified or identifiable natural person whose personal data is processed. In this context, Data Subjects are our users.
  • Processing: Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
  • Supervisory Authority: An independent public authority responsible for monitoring the application of the GDPR in a given EU/EEA member state.
  • Data Protection Impact Assessment (DPIA): An assessment of the impact of envisaged processing operations on the protection of personal data, as required under Article 35 of the GDPR.

3. Legal Basis for Processing (Article 6)

We process your personal data based on one or more of the following legal bases as defined in Article 6(1) of the GDPR:

  • Performance of a Contract (Article 6(1)(b)): Processing is necessary for the performance of our contract with you (the Terms of Service). This includes creating and managing your account, processing subscriptions, executing trading strategies, and providing the core functionality of the Platform.
  • Legitimate Interests (Article 6(1)(f)): Processing is necessary for our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. Our legitimate interests include improving the Service, ensuring platform security, preventing fraud, and conducting analytics.
  • Legal Obligation (Article 6(1)(c)): Processing is necessary to comply with our legal obligations, such as retaining financial records, responding to lawful requests from authorities, and meeting regulatory requirements.
  • Consent (Article 6(1)(a)): Where none of the above legal bases apply, we may process your data based on your explicit consent. You have the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

4. Categories of Data Processed

4.1 Identity Data

  • Email address
  • Username or display name
  • Account credentials (hashed passwords)

4.2 Technical Data

  • IP address
  • Browser type and version
  • Operating system and device information
  • Session identifiers and authentication tokens

4.3 Usage Data

  • Pages visited and features used
  • Trading strategy configurations
  • Signal and trade execution logs
  • Performance analytics and session duration

4.4 Transaction Data

  • Subscription plan details and payment transaction references
  • Encrypted exchange API keys
  • Trading activity records

5. Data Processing Activities

5.1 Primary Processing Activities

Our primary data processing activities include:

  • User account creation, authentication, and session management
  • Subscription management and payment processing
  • Trading signal generation and automated trade execution
  • Performance monitoring, analytics, and reporting
  • Customer support and communication

5.2 Sub-Processors

We engage the following categories of sub-processors to assist in providing the Service:

  • Cloud Hosting Providers: For server infrastructure and data storage
  • Payment Processors: For processing subscription payments
  • Email Service Providers: For transactional and service communications
  • Analytics Providers: For platform usage analytics and performance monitoring

All sub-processors are bound by data processing agreements that require them to process personal data only as instructed by us and to implement appropriate security measures.

5.3 Automated Decision-Making

Our Service uses automated decision-making in the form of AI-powered trading signal generation and automated trade execution. These automated processes:

  • Analyze market data (not personal data) to generate trading signals
  • Execute trades based on user-configured strategy parameters
  • Do not make decisions that produce legal effects or similarly significantly affect individuals based on personal data alone

Users maintain full control over their trading strategies and can modify or disable automated trading at any time.

6. Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, in accordance with the GDPR's data minimization principle. Our retention periods are as follows:

Data Category            Retention Period                  Legal Basis
Account Data             Duration of account + 90 days     Contract performance
Trading Logs             Duration of account + 12 months   Legitimate interest
Payment Records          7 years                           Legal obligation
Technical Logs           90 days                           Legitimate interest
Support Communications   2 years                           Legitimate interest
Anonymized Analytics     Indefinite                        Not personal data

7. Your GDPR Rights

Under the GDPR, you have the following rights regarding your personal data:

7.1 Right of Access (Article 15)

You have the right to obtain confirmation as to whether your personal data is being processed and, if so, to access that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights.

7.2 Right to Rectification (Article 16)

You have the right to request the correction of inaccurate personal data and to have incomplete data completed.

7.3 Right to Erasure (Article 17)

You have the right to request the deletion of your personal data when it is no longer necessary for the purposes for which it was collected, when you withdraw consent, when you object to processing, or when processing is unlawful. This right is subject to certain exceptions, such as compliance with legal obligations.

7.4 Right to Restrict Processing (Article 18)

You have the right to request restriction of processing when you contest the accuracy of data, when processing is unlawful, when we no longer need the data but you require it for legal claims, or when you have objected to processing pending verification.

7.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (such as JSON or CSV) and to transmit that data to another controller without hindrance.

7.6 Right to Object (Article 21)

You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

7.7 Right Not to Be Subject to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you. Our automated trading operates on market data and user-configured parameters, not on profiling of personal characteristics.

8. How to Exercise Your Rights

To exercise any of your GDPR rights, you may contact our Data Protection Officer at:

Data Protection Officer

Email: dpo@eulerx.io

When submitting a request, please include:

  • Your name and the email address associated with your EulerX account
  • A clear description of the right you wish to exercise
  • Any additional information needed to verify your identity and process your request

We will acknowledge your request within 72 hours and respond substantively within 30 days. In complex cases, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for it.

Exercising your rights is free of charge. However, we may charge a reasonable fee or refuse to act on manifestly unfounded or excessive requests.

9. Security Measures

In accordance with Article 32 of the GDPR, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures include:

  • Encryption: TLS/SSL encryption for data in transit and AES-256 encryption for sensitive data at rest
  • Pseudonymization: Where possible, we pseudonymize personal data to reduce privacy risk
  • Access Controls: Role-based access controls with multi-factor authentication for internal systems
  • Regular Testing: Regular security assessments, penetration testing, and vulnerability scanning
  • Incident Response: Documented incident response procedures for detecting, reporting, and investigating security breaches
  • Staff Training: Regular data protection and security awareness training for all team members
  • Backup & Recovery: Regular encrypted backups with tested recovery procedures to ensure data availability and resilience

10. International Data Transfers

Where we transfer personal data outside the EEA, UK, or Switzerland, we ensure that appropriate safeguards are in place as required by Chapter V of the GDPR. These safeguards include:

  • Adequacy Decisions: Transfers to countries that have received an adequacy decision from the European Commission
  • Standard Contractual Clauses (SCCs): EU-approved standard contractual clauses with all sub-processors located outside the EEA
  • Supplementary Measures: Additional technical and organizational measures where required based on a transfer impact assessment

You may request a copy of the safeguards in place for international transfers by contacting our Data Protection Officer.

11. Regulatory Reporting

If you are not satisfied with how we handle your personal data or respond to your rights requests, you have the right to lodge a complaint with a supervisory authority. You may file a complaint with:

  • The supervisory authority in your country of residence within the EEA
  • The supervisory authority in the country where you work
  • The supervisory authority in the country where the alleged infringement took place

We encourage you to contact us first so we can attempt to resolve your concerns directly.

12. Data Breach Notification

In accordance with Articles 33 and 34 of the GDPR, we have established the following data breach notification procedures:

  • Supervisory Authority Notification: In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Data Subject Notification: Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay, providing a description of the breach, the likely consequences, and the measures we have taken or propose to take
  • Breach Documentation: We maintain a record of all data breaches, including the facts, effects, and remedial action taken, regardless of whether notification to the supervisory authority is required

13. Data Protection Officer

EulerX has appointed a Data Protection Officer (DPO) to oversee our GDPR compliance and serve as a point of contact for data subjects and supervisory authorities.

Data Protection Officer

Email: dpo@eulerx.io

The DPO is responsible for:

  • Monitoring compliance with the GDPR and our internal data protection policies
  • Advising on data protection impact assessments (DPIAs)
  • Acting as the contact point for supervisory authorities
  • Handling data subject rights requests and inquiries
  • Ensuring ongoing awareness and training within the organization

14. Compliance & Certifications

EulerX is committed to maintaining the highest standards of data protection compliance. Our compliance program includes:

  • Regular GDPR Audits: Periodic internal and external audits of our data processing activities and security measures
  • Data Protection Impact Assessments: DPIAs conducted for new processing activities or significant changes to existing processing that may present high risk
  • Records of Processing Activities: Maintained in accordance with Article 30 of the GDPR, documenting all categories of processing activities
  • Privacy by Design and Default: Data protection principles are embedded into the design and development of our systems and processes from the outset
  • Vendor Assessment: All third-party vendors and sub-processors are assessed for GDPR compliance before engagement and on an ongoing basis
  • Continuous Improvement: We continuously review and update our data protection practices to reflect changes in the regulatory landscape, technology, and best practices

For questions about our GDPR compliance or to exercise any of your data protection rights, please contact our Data Protection Officer at dpo@eulerx.io.