Privacy Policy
Effective date: June 1, 2026 Last updated: July 7, 2026
This Privacy Policy explains how MRV Software SRL ("we", "us", "our") collects, uses, and protects your personal data when you visit our website kelixtrade.com or use the Kelix Trade web application. Kelix Trade is the trading-name of the service operated by MRV Software SRL. Together, the website and the application are referred to as the "Service".
This Privacy Policy should be read together with our Terms of Service and Cookie Policy, which are incorporated by reference.
We are committed to protecting your privacy. We collect the minimum data necessary to operate the Service, we do not sell your data, and we do not use advertising trackers.
1. Data Controller
The data controller responsible for your personal data is:
MRV Software SRL (operating the Kelix Trade service) Romanian unique tax identification code (CUI): 54696336 Registered office: Str. Județului nr. 8, Sector 2, București, România Email: legal@kelixtrade.com
For any privacy-related questions, requests, or to exercise your rights under GDPR, contact us at the email above.
2. What Data We Collect
2.1 Account data
When you create an account, we collect: - Email address - Password (stored hashed, never in plaintext) - Display name or username (if provided) - Account creation date and authentication metadata
2.2 Authentication data
- Session tokens and JWTs (managed by Supabase Auth)
- IP address at signup (used for abuse prevention and rate limiting)
- If you sign in with Google: name, email, and profile picture provided by Google's OAuth flow
2.3 Trading and product data
When you use the App, we store data that you generate, including: - Paper trading positions, orders, and trade history - Watchlists, alerts, and saved settings - Backtest configurations and results - Strategies you build or import - Journal entries and notes - AI Assistant conversation history (so you can revisit past sessions)
This data is generated by simulated/paper trading only. We do not have access to your real broker accounts or real money.
2.4 Subscription and billing data
Payments are processed by Stripe (Stripe Payments Europe, Ltd. and its affiliates). MRV Software SRL is the seller (merchant) of record for all sales of Kelix Trade subscriptions: we contract with you for the purchase, issue the invoice/receipt, and are responsible for collecting and remitting applicable VAT and sales taxes. Stripe collects your payment-card details directly through Stripe-hosted checkout; we never see or store your full card number, CVC, or banking credentials (PCI-DSS scope is borne entirely by Stripe).
From Stripe we receive and store for our records: - Subscription status (active, cancelled, past due, trialing) - Plan tier (FREE, PRO, ULTRA) and billing interval - Billing country, postal code, and currency (used for VAT/tax calculation and invoicing) - Last four digits of the card and card brand - Transaction IDs, invoice numbers, renewal and cancellation dates - Your billing email if different from your account email
We use this data to manage your subscription, issue invoices, enforce tier entitlements, and comply with Romanian tax and accounting law.
2.5 Content you submit to AI features
When you use AI-powered features (AI Assistant, Candle Scanner, Strategy Builder, AI Trading Journal), the inputs you submit — including chat messages, chart screenshots you upload, strategy parameters, and trade data — are transmitted to our AI providers (Anthropic and/or Google) for real-time processing.
Chart screenshots and AI inputs are not permanently stored by the AI providers (they are processed in-memory and discarded by the provider after the response is returned). We may store the outputs of these AI features (e.g. the analysis text, the generated journal entry) in your account so that you can revisit them — these outputs are tied to your account and are deleted when you delete the account.
2.6 Technical and security logs
For security, abuse prevention, and debugging we keep limited server logs containing: - IP address - User agent / browser type - Timestamps of requests - Endpoint accessed and HTTP status - AI usage logs (model, token count, cost) for the purpose of enforcing usage limits and detecting abuse
Logs are retained for a maximum of 90 days unless required longer for legal or security investigations.
2.7 What we do NOT collect
- Real money trading data or live broker credentials
- Payment card numbers, CVCs, IBANs, or banking details
- Precise geolocation
- Health data, biometric data, or any other special-category data under GDPR Art. 9
- Behavioural advertising profiles or cross-site tracking data
3. How We Use Your Data
| Purpose | Legal basis (GDPR Art. 6) |
|---|---|
| Provide and maintain the Service | Performance of a contract (Art. 6(1)(b)) |
| Process subscriptions, billing, invoicing, and tier management | Performance of a contract (Art. 6(1)(b)) |
| Send account-related and transactional emails | Performance of a contract (Art. 6(1)(b)) |
| AI-powered analysis (Assistant, Scanner, Strategy Builder, Journal) | Performance of a contract (Art. 6(1)(b)) |
| Prevent abuse, fraud, and enforce usage limits | Legitimate interest (Art. 6(1)(f)) |
| Maintain security of the Service | Legitimate interest (Art. 6(1)(f)) |
| Improve the Service through aggregated, non-identifying usage statistics | Legitimate interest (Art. 6(1)(f)) |
| Send product updates and feature announcements | Legitimate interest (Art. 6(1)(f)) — opt-out anytime |
| VAT calculation, invoicing, and tax reporting | Legal obligation (Art. 6(1)(c)) |
| Comply with other legal obligations (accounting, regulatory) | Legal obligation (Art. 6(1)(c)) |
We do NOT: - Sell your personal data - Use your data for targeted or behavioural advertising - Use your trading data, AI conversations, or strategies to train AI models - Make automated decisions that produce legal effects on you
4. Third-Party Service Providers (Sub-processors)
We share data with the following service providers only as necessary to operate the Service. Each has its own privacy policy and security commitments, and we have entered into a Data Processing Agreement (DPA) with every provider that processes personal data on our behalf.
4.1 Infrastructure
- Supabase Inc. — database, authentication, file storage, and edge functions. Account data, trading data, and AI conversation history are stored on Supabase infrastructure.
- Cloudflare, Inc. — CDN, DNS, DDoS protection, and bot mitigation. Cloudflare may set strictly necessary security cookies (see the Cookie Policy).
4.2 AI processing
- Anthropic, PBC (Claude AI) — used for AI Assistant, Candle Scanner, and Claude-tier features.
- Google LLC (Gemini API) — used for AI features routed to Gemini 2.5 Flash for cost-efficient processing.
We have Data Processing Agreements (DPAs) in place with all AI providers. Under these agreements, the providers are contractually prohibited from using your inputs or outputs to train their models, and they process your data solely as our sub-processors to provide the AI features.
Inputs sent to AI providers may include: chart screenshots you upload, chat messages, strategy parameters, and trade data. These inputs are processed in real-time and are not retained by the providers after the response is returned.
4.3 Market data
- Yahoo Finance — public OHLC market data for stocks, commodities, and indices.
- Twelve Data — public market data fallback.
- Binance.vision — public OHLC data for crypto markets.
No personal data is shared with market-data providers. We only fetch public price/volume data.
4.4 Payments
- Stripe (Stripe Payments Europe, Ltd. and its affiliates) — payment processor. Stripe collects your payment-card details directly through Stripe-hosted checkout; we do not see or store your full card details. Stripe acts as our data processor for processing your payments, and as an independent data controller for certain data it uses for its own fraud-prevention and legal-compliance purposes. See stripe.com/privacy.
- MRV Software SRL is the seller (merchant) of record on all transactions and issues the receipt/invoice to you; we are responsible for charging (via Stripe) and for collecting and remitting applicable VAT and sales taxes.
4.5 Identity providers (optional)
- Google — if you sign in with Google, we receive your name, email, and profile picture. We do not push data back to Google.
4.6 Email delivery
- Transactional email delivery (account verification, password reset, billing notifications) is handled by Supabase's built-in email service or an equivalent email provider.
5. International Data Transfers
Some service providers process your data outside the European Economic Area (EEA), primarily in the United States. We rely on the following transfer mechanisms under GDPR Chapter V:
| Provider | Primary processing region(s) | Transfer mechanism |
|---|---|---|
| Supabase Inc. | EU and/or US (depending on region) | EU Standard Contractual Clauses (SCCs) + supplementary measures |
| Cloudflare, Inc. | Global edge network | EU SCCs + EU–US Data Privacy Framework (Cloudflare is DPF-certified) |
| Anthropic, PBC | US | EU SCCs |
| Google LLC (Gemini API) | US | EU SCCs + EU–US Data Privacy Framework (Google is DPF-certified) |
| Stripe (Stripe Payments Europe, Ltd. and affiliates) | Ireland / EU (primary), US (group affiliates) | SCCs and the EU–US Data Privacy Framework for any US transfers |
These mechanisms are supplemented by the providers' own GDPR-compliance commitments, encryption in transit and at rest, and access-control measures.
6. Data Retention
| Data category | Retention |
|---|---|
| Account data (email, profile) | While your account is active; deleted within 30 days of account closure |
| Trading and strategy data | While your account is active; deleted within 30 days of account closure |
| AI conversation history and outputs | While your account is active; you can delete individual conversations at any time |
| Billing and tax records (invoices) | Up to 10 years, as required by Romanian tax and accounting law (Law 227/2015 and Law 82/1991) |
| Security and access logs | Up to 90 days |
| Email marketing data | Until you unsubscribe |
| Backups | Rolling backups retained up to 30 days after primary deletion |
You can request deletion of your account at any time by emailing legal@kelixtrade.com or using the in-app account deletion option (where available). Note that billing records linked to your invoices must be retained for the legal period above even after account deletion, but they are stored in a restricted form for compliance purposes only.
7. Your Rights Under GDPR
If you are in the EEA, UK, or Switzerland, you have the following rights:
- Right of access (Art. 15) — request a copy of the personal data we hold about you.
- Right to rectification (Art. 16) — correct inaccurate or incomplete data.
- Right to erasure / "right to be forgotten" (Art. 17) — request deletion of your data (subject to legal retention obligations for billing).
- Right to restriction of processing (Art. 18) — limit how we use your data.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (JSON).
- Right to object (Art. 21) — object to processing based on legitimate interest, including marketing.
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Right not to be subject to automated decision-making (Art. 22) — we do not engage in such decision-making.
To exercise any of these rights, email legal@kelixtrade.com. We will respond within 30 days.
If you are unsatisfied with our response, you have the right to lodge a complaint with: - The Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP) — www.dataprotection.ro - Or the supervisory authority in your EU member state of residence.
8. Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- TLS/HTTPS encryption for all data in transit
- Row-Level Security (RLS) policies in Supabase so users can only access their own data
- API keys and secrets stored as server-side secrets, never exposed in frontend code
- JWT-based authentication with secure, short-lived session tokens
- Signup abuse protection via Cloudflare Turnstile, IP rate limiting, disposable-email rejection, and mandatory email verification
- Server-side tier validation and rate limiting on AI endpoints
- Removal of unauthenticated edge functions and patching of RLS vulnerabilities
- Payment-card data handled exclusively by Stripe (PCI-DSS Level 1); we never see or store card details
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
9. Cookies and Similar Technologies
We use only strictly necessary cookies and equivalent technologies (such as localStorage for UI preferences). We do not use advertising, analytics, or behavioural tracking cookies.
For full details, please see our separate Cookie Policy.
10. Children's Privacy
The Service is not intended for anyone under 18 years of age. We do not knowingly collect personal data from minors. If we learn that we have collected data from someone under 18, we will delete it promptly. If you believe a minor has provided us with personal data, please contact legal@kelixtrade.com.
11. Changes to This Policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top will reflect the most recent revision. Material changes will be communicated by email or in-app notification at least 14 days before they take effect.
12. Contact
For any privacy-related questions, requests, or complaints:
MRV Software SRL (operating the Kelix Trade service) CUI: 54696336 Email: legal@kelixtrade.com Str. Județului nr. 8, Sector 2, București, România