Last updated: March 2026 · Effective date: March 2026
Compliant with EU GDPR · UAE PDPL (Federal Decree-Law No. 45/2021) · Brazil LGPD (Law 13,709/2018) · Colombia Law 1,581/2012
YOUR PRIVACY MATTERS
NexaTrade collects minimal personal data — only what is strictly necessary to provide the service.
We do not sell your data to third parties. Users in the EU, UAE, Brazil, and Colombia have specific
legal rights over their personal data as described in this policy.
00
Jurisdictional Coverage
This Privacy Policy applies to all users of NexaTrade globally. The following data protection
frameworks are specifically addressed:
🇦🇪 UAE: Federal Decree-Law No. 45/2021 (PDPL)
🇪🇺 European Union: GDPR Regulation 2016/679
🇧🇷 Brazil: LGPD Law 13,709/2018
🇨🇴 Colombia: Habeas Data Law 1,581/2012
🌐 Global: General data protection principles
01
Data Controller / Data Processor Identity
NexaTrade operates as the data controller (or equivalent role under applicable law —
"responsável pelo tratamento" under LGPD; "responsable del tratamiento" under Colombian law)
for personal information collected through our website, Telegram channels, and payment processes.
Privacy / data requests: support@nexatrade.trade
General support: support@nexatrade.trade
Response time: Within 30 days of receipt (as required by applicable law)
02
Data We Collect
We collect the following categories of personal data. We apply the principle of data minimisation — we only collect what is necessary to provide the service.
When you join a Telegram channel / submit your details:
Full name (provided voluntarily when joining)
Email address (required for Pro subscribers; may be provided by Free users)
Telegram username or user ID (to manage channel access)
Date, time, and version of consent acceptance
Tier selection (Free or Pro)
When you subscribe to Pro:
Email address (for payment confirmation and access management)
Payment method details — processed and stored exclusively by Stripe, Inc. NexaTrade never sees, receives, or stores your card number, CVV, or full billing details.
Subscription status and billing history (received via Stripe webhooks)
Automatically collected when visiting our website:
IP address (pseudonymised / anonymised after 7 days)
Browser type and version
Referring URL
Pages visited and approximate time on page
We do not collect: government-issued IDs, financial account numbers, social security
or tax identification numbers, trading portfolio data, biometric data, health data,
or any other sensitive personal data as defined by GDPR Article 9, LGPD Article 11,
Colombian Law 1,581/2012, or UAE PDPL.
03
How We Use Your Data
To grant and manage access to Free and Pro Telegram channels
To process subscription payments and send payment confirmations
To send important service communications (billing changes, Terms updates, security notices)
To improve our AI models and service quality (using anonymised and aggregated data only)
To comply with applicable legal obligations across all operating jurisdictions
To detect, investigate, and prevent fraud, abuse, or violations of our Terms of Service
To maintain records of consent as required by law
We do not use your data for: targeted advertising, sale or rental to third parties,
automated profiling that produces legal or similarly significant effects, or any purpose not
explicitly described in this policy.
04
Legal Basis for Processing — By Jurisdiction
The legal basis for processing your personal data depends on your jurisdiction of residence.
🇪🇺 EU / EEA General Data Protection Regulation (GDPR)
For users in the European Economic Area, our legal bases under GDPR Article 6 are:
Contract performance (Art. 6(1)(b)): Processing necessary to deliver the service you subscribed to (e.g., granting Telegram access, processing payments)
Legitimate interests (Art. 6(1)(f)): Fraud prevention, service security, and service improvement — balanced against your rights and freedoms
Consent (Art. 6(1)(a)): For non-essential cookies and direct marketing communications, where explicitly obtained and documented
You have the right to withdraw consent at any time without affecting the lawfulness of processing
carried out before withdrawal. You also have the right to lodge a complaint with your national
data protection supervisory authority.
🇧🇷 Brazil Lei Geral de Proteção de Dados (LGPD — Law 13,709/2018)
For users in Brazil, NexaTrade processes personal data in accordance with the LGPD. The applicable
legal hypotheses (hipóteses legais) under LGPD Article 7 are:
Consent (Art. 7, I): Where you have given express, informed consent for specific processing activities (e.g., joining our mailing list)
Performance of a contract (Art. 7, V): Processing necessary to perform a contract to which you are a party (e.g., granting Pro access upon payment)
Legitimate interests (Art. 7, IX): Processing for fraud prevention, service security, and analytical purposes, balanced against your fundamental rights
Legal or regulatory obligation (Art. 7, II): Processing required to comply with applicable Brazilian law
Brazilian users have rights under LGPD Article 18, detailed in Section 09 of this policy.
Complaints regarding LGPD compliance may be submitted to the
Autoridade Nacional de Proteção de Dados (ANPD).
🇨🇴 Colombia Habeas Data — Law 1,581/2012 & Decree 1,377/2013
For users in Colombia, NexaTrade processes personal data pursuant to Law 1,581/2012
(Protección de Datos Personales) and its regulatory decree. Processing is authorised on the following grounds:
Express authorisation (autorización): Obtained at the point of data collection through our consent mechanism, prior to processing
Contractual necessity: Processing required to fulfil the services requested by you
Legal mandate: Processing required to comply with Colombian law
Colombian users may exercise their Habeas Data rights — including the right to know, update,
rectify, and suppress personal data — by contacting support@nexatrade.trade.
Complaints may also be submitted to the Superintendencia de Industria y Comercio (SIC),
which supervises personal data protection in Colombia.
🇦🇪 UAE Personal Data Protection Law (Federal Decree-Law No. 45/2021)
For users in the United Arab Emirates, NexaTrade complies with Federal Decree-Law No. 45 of 2021
on the Protection of Personal Data (UAE PDPL) and its Executive Regulations. Processing is based on:
Consent: Obtained at the time of data collection
Contractual necessity: Processing required to provide the service
Legal obligation: Compliance with UAE laws and regulatory requirements
UAE users may submit data requests to support@nexatrade.trade. Requests will be
acknowledged within 5 business days and fulfilled within 30 days, or such other period as
required by the UAE PDPL Executive Regulations.
05
Data Sharing & Third Parties
We share personal data with the following categories of third parties only, and solely to the extent necessary to provide the service:
Stripe, Inc. — Payment processing. Stripe is PCI-DSS Level 1 certified and processes payment data under its own Privacy Policy and Data Processing Agreement. NexaTrade has a Data Processing Agreement with Stripe where applicable under GDPR/LGPD requirements.
Telegram Messenger Inc. — Channel access management. Your Telegram account data is governed by Telegram's Privacy Policy. We share only the minimum data necessary to add you to a channel.
Hosting / infrastructure providers — Cloud hosting services under contractual data processing agreements that include appropriate technical and organisational security measures.
We do not sell, rent, or share your personal data with advertisers, data brokers,
analytics companies that identify individual users, or any third party for commercial purposes.
International Data Transfers
Some of our service providers (including Stripe and Telegram) may process data outside your
country of residence. Where personal data is transferred internationally, we ensure appropriate
safeguards are in place:
EU users: Standard Contractual Clauses (SCCs) approved by the European Commission, or transfers to countries with an EU adequacy decision
Brazilian users: Transfer mechanisms compliant with LGPD Article 33, including contractual clauses or adequacy determination by the ANPD
Colombian users: Transfers to third countries with adequate protection levels or under binding privacy policies
UAE users: Transfers subject to UAE PDPL cross-border transfer requirements and, where required, approval from the UAE Data Office
06
Data Retention
We retain personal data only for as long as necessary to fulfil the purposes for which it was
collected, or as required by applicable law. The following retention periods apply:
Active subscribers: Account data retained for the duration of the subscription plus 12 months after cancellation
Free channel members: Email (if provided) retained for 12 months from last interaction; deleted upon request
Payment records: Retained for 7 years to comply with financial record-keeping obligations (applicable in UAE, EU, Brazil, and Colombia)
Consent records: Retained for 3 years from the date of consent, or longer if required by applicable law (e.g., GDPR compliance documentation)
Website analytics: IP addresses pseudonymised within 24 hours and anonymised after 7 days; aggregated analytics data retained indefinitely
Data subject requests / complaints: Records of requests and our responses retained for 5 years
Upon expiry of the applicable retention period, personal data is securely deleted or
irreversibly anonymised. You may request early deletion of your data subject to the
legal retention requirements above.
07
Cookies & Local Storage
NexaTrade uses only essential, functional storage mechanisms required for the website to operate:
Consent record (localStorage): Stores your consent choice and timestamp locally on your device. Not transmitted to our servers.
Session state: Temporary session data deleted when you close your browser
PWA / Service Worker cache: Static assets cached locally on your device to enable offline functionality
We do not use advertising cookies, cross-site tracking pixels, Google Analytics
(individual user tracking), Facebook Pixel, or any third-party tracking that identifies
individual users across websites.
You can clear all locally stored data at any time through your browser's storage settings.
For EU users, our consent mechanism ensures non-essential storage is only activated with
your prior consent as required by the ePrivacy Directive.
08
Data Security
We implement appropriate technical and organisational security measures proportionate to the
risk associated with processing your personal data:
HTTPS / TLS encryption for all data in transit between your device and our servers
Payment data handled exclusively by Stripe (PCI-DSS Level 1 compliant)
Access controls and role-based permissions limiting who within NexaTrade can access personal data
Regular security reviews and vulnerability assessments
Pseudonymisation of analytics data within 24 hours of collection
Data Breach Notification: In the event of a personal data breach that is likely
to result in a risk to your rights and freedoms, we will:
Notify the relevant supervisory authority within 72 hours where required (GDPR Art. 33; LGPD Art. 48)
Notify affected individuals without undue delay where the breach is likely to result in high risk (GDPR Art. 34; LGPD Art. 48)
Comply with UAE PDPL breach notification requirements and those of other applicable jurisdictions
09
Your Rights — By Jurisdiction
Depending on your country of residence, you have the following rights over your personal data.
To exercise any right, contact support@nexatrade.trade.
🇪🇺 EU / GDPR Rights under Regulation 2016/679
Right of Access (Art. 15)
Request a copy of the personal data we hold about you and information on how it is processed
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data
Right to Erasure (Art. 17)
Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements
Right to Restriction (Art. 18)
Request restriction of processing in certain circumstances (e.g., while accuracy is contested)
Right to Portability (Art. 20)
Receive your personal data in a structured, machine-readable format
Right to Object (Art. 21)
Object to processing based on legitimate interests or for direct marketing
Withdraw Consent
Withdraw consent at any time without affecting lawfulness of prior processing
Lodge a Complaint
File a complaint with your national data protection authority (e.g., CNIL in France, ICO in the UK, AEPD in Spain, Garante in Italy)
🇧🇷 Brazil Rights under LGPD Article 18
Confirmação e acesso
Confirm whether we process your data and receive a copy (Art. 18, I and II)
Correção
Request correction of incomplete, inaccurate, or outdated data (Art. 18, III)
Anonimização / bloqueio / eliminação
Request anonymisation, blocking, or deletion of unnecessary or excessive data (Art. 18, IV)
Portabilidade
Request data portability to another service provider (Art. 18, V)
Eliminação
Request deletion of personal data processed with your consent (Art. 18, VI)
Informação sobre compartilhamento
Receive information about public and private entities with which we share your data (Art. 18, VII)
Revogação do consentimento
Withdraw consent at any time (Art. 18, IX)
Reclamação à ANPD
File a complaint with the Autoridade Nacional de Proteção de Dados (ANPD)
🇨🇴 Colombia Rights under Law 1,581/2012 (Habeas Data)
Derecho de acceso
Access your personal data held by NexaTrade free of charge at least once per month
Derecho de actualización
Request update of incomplete or outdated personal data
Derecho de rectificación
Request correction of inaccurate personal data
Derecho de supresión
Request deletion of personal data where no legal obligation requires its retention
Revocación de autorización
Revoke authorisation for data processing where processing is based on consent
Reclamación ante la SIC
File a complaint with the Superintendencia de Industria y Comercio (SIC)
🇦🇪 UAE Rights under Federal Decree-Law No. 45/2021 (PDPL)
Right to Access
Request a copy of personal data we hold about you and how it is being processed
Right to Correction
Request correction of inaccurate or incomplete personal data
Right to Erasure
Request deletion of personal data, subject to applicable exceptions and legal retention requirements
Right to Withdraw Consent
Withdraw consent to processing at any time, where processing is based on consent
Right to Object
Object to processing for purposes beyond those originally consented to
10
Children's Privacy
NexaTrade is not intended for use by individuals under the age of 18. We do not knowingly
collect personal data from minors. If you are under 18, do not use our service or provide
any personal data to us.
If you believe a minor has provided us with personal data, contact
support@nexatrade.trade and we will delete it promptly upon verification.
In jurisdictions where a higher minimum age applies (e.g., certain EU member states where
the age of digital consent under GDPR is 16), users below that age require verifiable
parental consent.
11
Changes to This Policy
We may update this Privacy Policy periodically to reflect changes in our practices, legal
requirements, or service offerings. We will:
Update the "Last updated" date at the top of this page
Notify Pro subscribers via Telegram or email at least 7 days before material changes take effect
Where required by applicable law (e.g., LGPD, Colombian Law 1,581/2012), obtain renewed consent if we substantially change the purposes for which we process your data
Continued use of NexaTrade after the effective date of any update constitutes acceptance
of the revised Privacy Policy. If you do not agree, you may cancel your subscription
and request deletion of your data.
12
Contact & Data Requests
To exercise any of your rights, submit a data request, report a concern, or ask a question
about this Privacy Policy, contact us using the details below. We will acknowledge your
request within 5 business days and respond within 30 days (or the timeframe required by
applicable local law, whichever is shorter).
Privacy / data requests: support@nexatrade.trade
General support: support@nexatrade.trade
Legal / compliance enquiries: support@nexatrade.trade
Response time: Acknowledgement within 5 business days · Full response within 30 days
If you are not satisfied with our response, you have the right to escalate your complaint
to the relevant data protection authority in your jurisdiction:
EU / EEA: Your national data protection authority (e.g., CNIL, ICO, AEPD, Garante)
Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — www.gov.br/anpd
Colombia: Superintendencia de Industria y Comercio (SIC) — www.sic.gov.co