Privacy Policy
GDPR · UK GDPR · CCPA — UPDATED MAY 2026
TL;DR: Your trading data — positions, charts, ticks, journal entries — never leaves your machine. We only process the data needed to issue and validate your license and to provide payment, support, and the AI chat assistant. Every third party is listed in Section 5.
1. Data Controller
Enrico Westenburger
Calle es Prat 26, 07157 Port Andratx
Illes Balears, Spain
Email: [email protected]
2. Data We Collect
We collect and process the following personal data:
- Registration / Trial: email address, selected plan
- License activation: license key, anonymized machine ID (hardware hash)
- Payment data: processed exclusively by Stripe — we never store card or bank details
- Usage data: app version, operating system (for update checks only)
- Support inquiries: name, email, message content
3. Purpose of Processing
- Providing and managing your software license
- Handling payments and subscriptions
- Technical support and customer communication
- Delivering software updates
- Abuse prevention (per-license device cap)
4. Legal Bases
- Art. 6(1)(b) GDPR: Contract performance (license provision, support)
- Art. 6(1)(a) GDPR: Consent (newsletter, trial signup)
- Art. 6(1)(f) GDPR: Legitimate interest (abuse prevention, updates)
5. Third Parties and Data Transfers
| Recipient | Purpose | Location (transfer basis) |
| --- | --- | --- |
| Stripe Inc. | Payment processing | USA (EU SCCs) |
| Cloudflare Inc. | CDN, downloads, bot protection (Turnstile) | USA (EU SCCs) |
| Anthropic PBC | AI chat processing (CORTEX Assistant, Claude Haiku) | USA (EU SCCs) |
| Google LLC | Email delivery (SMTP) | USA (EU SCCs) |
| Squarespace Inc. | Website hosting, cookies | USA (EU SCCs) |
6. Software & Local Data Processing
The OrderFlowAi software processes all trading data exclusively locally on your device. No chart data, tick data, or trading activity is transmitted to our servers.
Only the following data is sent to our server for license validation:
- License key (encrypted)
- Anonymized machine ID (hash value; the underlying hardware cannot be reverse-engineered from it)
- Software version
- Validation timestamp
7. Cookies
This website uses technically necessary cookies from Squarespace for basic functionality. No tracking or advertising cookies are deployed. Squarespace analytics cookies can be disabled in your browser settings.
8. Retention Periods
- License data: Duration of subscription + 30 days after cancellation
- Payment data: As required by statutory retention obligations (max. 10 years)
- Support inquiries: 6 months after resolution
- Trial data: 90 days after trial expiration
9. Your Rights (GDPR)
You have the following rights at any time:
- Access to your stored data (Art. 15 GDPR)
- Rectification of incorrect data (Art. 16 GDPR)
- Erasure of your data (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of previously granted consent (Art. 7 GDPR)
To exercise your rights, contact us at [email protected].
10. Right to Lodge a Complaint
You have the right to lodge a complaint with a data protection supervisory authority. The competent authority in Spain is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid, Spain
www.aepd.es
If you are based in the UK, you can lodge a complaint with the Information Commissioner's Office (ICO):
ico.org.uk
11. California Residents (CCPA)
If you are a California resident, the California Consumer Privacy Act (CCPA) grants you the following rights:
- Right to know what personal information we collect, use, and disclose
- Right to delete the personal information we have collected from you
- Right to opt out of the sale or sharing of your personal information (we do not sell or share personal information as defined under CCPA)
- Right to non-discrimination for exercising your CCPA rights
To exercise these rights, email [email protected] with "CCPA Request" in the subject line. We will respond within 45 days.
Categories of personal information collected: identifiers (email), commercial information (subscription plan), internet activity (license validation logs).
Sources: directly from you (signup, support).
Disclosed for business purposes to: Stripe (payments), Cloudflare (CDN), Anthropic (AI chat), Google (email), Squarespace (hosting). See Section 5.
12. Security
We use industry-standard security measures to protect your data, including SSL/TLS encryption, secure server infrastructure, and restricted access controls. Payment data is processed exclusively by Stripe under PCI-DSS standards.
13. CORTEX Web Chat Assistant
This website operates an AI-based chat assistant ("CORTEX Assistant") that answers visitor questions about the software, plans, and setup. Note: CORTEX Assistant is a support-only chatbot — it is not identical to the trading engine in the product and makes no market decisions.
13.1 Data processed
- Chat content: Your inputs and generated responses are transmitted to our processor Anthropic PBC (USA) for response generation.
- Session ID: A random UUID stored in your browser (sessionStorage) for up to 6 hours to preserve conversation context.
- Hashed IP address: Your IP is salted and SHA-256 hashed into a 32-character hash (no plaintext storage), exclusively for rate limiting and abuse prevention.
- Hashed user agent + language + visited page: for language mapping and simple analytics.
- Cloudflare Turnstile: For protection against automated abuse, a bot-detection token from Cloudflare is processed (comparable to an invisible CAPTCHA, no tracking cookies).
13.2 Purpose
Providing automated first-line support and answering recurring questions about the software, licensing, and installation.
13.3 Legal basis
Art. 6(1)(f) GDPR — legitimate interest in efficient support provision and protection against abuse (bot detection, rate limiting).
13.4 Retention
- Conversation content: Held in server memory only short-term (max. 30 minutes), not persisted in a database.
- Metadata (session ID, IP hash, token count, latency, detected intent): up to 90 days for abuse prevention and cost monitoring.
- Cloudflare Turnstile tokens: Processed only for real-time validation, not persistently stored.
13.5 Processors
- Anthropic PBC, San Francisco, USA — AI chat processing. Transfer to the USA is based on EU Standard Contractual Clauses; a Data Processing Agreement (DPA) has been concluded.
- Cloudflare Inc., San Francisco, USA — bot protection via Turnstile (in addition to existing CDN function).
13.6 Objection and opt-out
You can deactivate the chat assistant at any time by appending the parameter ?cortex=off to any page URL. The setting applies to the current browser session. Alternatively, simply leave the widget unused — without input, no data is transmitted to Anthropic.
14. Legal Notice (Imprint)
Provider information (per EU E-Commerce Directive / Spanish LSSI Article 10):
Enrico Westenburger
Calle es Prat 26
07157 Port Andratx
Illes Balears, Spain
Email: [email protected]
Contact form: www.orderflowai.io/en/#cta
Tax information:
NIE: Y5147661E
VAT ID (NIF-IVA): ESY5147661E
Status: Autónomo (self-employed)
Responsible for content: Enrico Westenburger (address as above)
15. EU Online Dispute Resolution
The European Commission provides an online dispute resolution (ODR) platform: https://ec.europa.eu/consumers/odr/. We are not obliged and not willing to participate in dispute resolution proceedings before a consumer arbitration board.
16. Disclaimer
Content: The content on this website has been prepared with the greatest care. We assume no liability for the accuracy, completeness, or timeliness of the content.
Trading notice: OrderFlowAi is an analysis tool and not investment advice. Trading futures and derivatives carries substantial risk and can result in the loss of your invested capital. Past results are not indicative of future performance.
Links: This website contains links to third-party websites over whose content we have no influence. The respective providers are always responsible for the content of linked sites.