Privacy Policy

Data Protection Officer: privacy@rigelnexus.com

General Enquiries: info@rigelnexus.com

Postal Address: Rigel Nexus Ltd, England, United Kingdom

You have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). For users located in Brazil, you may also lodge a complaint with the Autoridade Nacional de Protecao de Dados (ANPD). We would, however, appreciate the opportunity to address your concerns before you approach a supervisory authority, so please contact us in the first instance.

In accordance with Article 23 of the LGPD, we have designated a representative (encarregado) for the processing of personal data of Brazilian data subjects. Brazilian users may direct any enquiries, requests, or complaints regarding the processing of their personal data to privacy@rigelnexus.com, with the subject line "LGPD Request". We are committed to responding to all LGPD-related enquiries within the timeframes prescribed by Brazilian law.

This includes your first name, last name, username or similar identifier, date of birth, and nationality. For users who subscribe to paid tiers (Centurion, Pretorian, Champion, or Emperor), we may also collect government-issued identification documents as required by anti-money laundering (AML) and know-your-customer (KYC) regulations applicable to financial services platforms. Identity data is essential for account creation, verification, and regulatory compliance.

This includes your email address, telephone number, billing address, and any other contact information you voluntarily provide. We use contact data to communicate with you about your account, provide customer support, deliver service notifications, and send marketing communications where you have consented to receive them.

This includes payment card details (processed securely through our PCI DSS-compliant payment processor), billing history, subscription tier information, invoices, and refund records. We do not store full payment card numbers on our servers. All payment processing is handled by Stripe, our third-party payment processor, which is certified to PCI DSS Level 1, the most stringent level of certification available in the payment industry.

This includes your internet protocol (IP) address, browser type and version, operating system and version, device identifiers, time zone setting, screen resolution, hardware configuration, and other technology-related identifiers on the devices you use to access the Services. We also collect information about your Gladiator desktop application version, update history, and system compatibility data. Technical data is collected automatically when you interact with our Services and is used for security, diagnostics, and service optimisation purposes.

This includes information about how you use the Platform, such as features accessed, pages visited, time spent on specific sections, click patterns, navigation paths, session duration, frequency of use, and interaction with the AI Advisor. Usage data helps us understand how our users engage with the Platform so that we can improve user experience, prioritise feature development, and identify potential issues before they affect service quality.

This includes data related to your trading activities conducted through the Platform, such as broker connection configurations (we do not store broker API secrets after initial encryption), trading strategy configurations, portfolio composition, order history, execution logs, risk management settings, alert preferences, and performance analytics. Trading data may also include anonymised and aggregated derivatives of your activity used for improving our AI/ML models. We process trading data strictly for the purpose of delivering the Services and never use it for proprietary trading or share it with third parties for their own trading purposes.

This includes the content of communications you send to us, including emails, support tickets, feedback submissions, contact form entries, and any messages exchanged with our customer support team. We retain communications data to provide consistent support, resolve disputes, and improve our service quality.

You provide personal data directly when you create an account on the Platform, subscribe to a paid tier, fill in forms on our website, configure broker connections, set up trading strategies, interact with the AI Advisor, correspond with us by email or through our contact form, participate in surveys or promotions, or report a problem with the Services. Any personal data you provide through direct interaction is processed on the basis of your explicit consent or the performance of our contract with you.

As you interact with the Platform and our website, we automatically collect technical data about your equipment, browsing actions, and usage patterns. We collect this data using cookies, server logs, application telemetry, and similar technologies. The Gladiator desktop application collects diagnostic and performance telemetry to ensure optimal operation, detect errors, and facilitate automatic updates. You may control certain automated data collection through the Platform's privacy settings and through your browser's cookie management features. Please refer to the Cookies and Tracking Technologies section of this Privacy Policy for further details.

We may receive personal data about you from various third parties, including: (a) technical data from analytics providers; (b) identity and contact data from broker integrations (such as Interactive Brokers, Alpaca, OANDA, and Binance) when you authorise the Platform to connect to your brokerage account; (c) financial data from payment processors (Stripe) in relation to your subscription transactions; (d) identity verification data from KYC/AML compliance providers when required by applicable financial regulations; and (e) publicly available data from company registries, social media profiles (only where you have linked your account), and other public sources. We only process third-party data where we have a lawful basis to do so and where the third party has confirmed that it has obtained your consent or otherwise has a legal right to disclose your personal data to us.

We process your personal data where it is necessary for the performance of a contract to which you are a party, or in order to take steps at your request prior to entering into a contract. This includes processing necessary to create and manage your account, deliver the Platform's features and functionality, process subscription payments, connect to your broker accounts, execute trading strategies on your behalf, provide AI Advisor responses, and deliver customer support. Without this processing, we would be unable to provide you with the Services.

We process certain personal data on the basis of your freely given, specific, informed, and unambiguous consent. This applies to marketing communications, non-essential cookies and analytics, the use of anonymised trading data for AI/ML model improvement, and the processing of any special category data (though we do not ordinarily collect special category data). You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. You may withdraw consent by contacting us at privacy@rigelnexus.com or by using the relevant controls within the Platform's settings.

We process personal data where it is necessary for our legitimate interests (or those of a third party) and your fundamental rights and freedoms do not override those interests. Our legitimate interests include operating and improving the Platform, ensuring network and information security, preventing fraud and abuse, conducting internal analytics to understand usage patterns, and administering our business. We have conducted legitimate interest assessments for each processing activity relying on this basis and have concluded that the processing is proportionate and does not unduly impact your rights. You have the right to object to processing based on legitimate interests, as described in the Your Rights sections of this Privacy Policy.

We process personal data where it is necessary for compliance with a legal obligation to which we are subject. This includes retaining financial records for tax and accounting purposes, complying with anti-money laundering and counter-terrorist financing regulations, responding to lawful requests from law enforcement or regulatory authorities, and fulfilling our obligations under the Financial Conduct Authority (FCA) rules where applicable. We may also process personal data to comply with court orders, subpoenas, or other legal processes.

In rare circumstances, we may process your personal data where it is necessary to protect your vital interests or the vital interests of another natural person, or where processing is necessary for the performance of a task carried out in the public interest. We do not anticipate relying on these bases in the ordinary course of our operations, but they are available to us under the law where necessary.

We use your identity, contact, and financial data to create and maintain your account, manage your subscription, process payments, deliver the features and functionality of your chosen tier (Centurion, Pretorian, Champion, or Emperor), facilitate broker connections, and provide you with access to the Platform. This includes provisioning your AI Advisor instance, configuring your trading engine, and ensuring your data is synchronised across sessions.

We use strictly anonymised and aggregated trading and usage data to train, validate, and improve our AI and machine learning models, including the 623 AI engines and the AI Advisor. This data is irreversibly de-identified before being used for model training, ensuring that no individual user can be re-identified from the training dataset. We do not use identifiable personal data for AI/ML model training. You may opt out of contributing anonymised data to model training through the Platform's privacy settings, and such opt-out will not affect your access to or the quality of the Services.

We use technical and usage data to analyse Platform performance, identify and resolve bugs, monitor system health, optimise user experience, prioritise feature development, and conduct A/B testing of new features. Analytics processing is performed using aggregated and, where possible, anonymised data. We use analytics to ensure the Platform meets our 99.99% uptime target and sub-500 microsecond execution latency standards.

We use your contact data to send you service-related communications, including account notifications, security alerts, subscription confirmations, billing reminders, and platform update announcements. These communications are transactional in nature and are necessary for the performance of our contract with you. With your consent, we may also send you marketing communications about new features, promotions, educational content, and events. You may unsubscribe from marketing communications at any time using the unsubscribe link in any marketing email, or by contacting us at privacy@rigelnexus.com.

We use technical data, usage data, and identity data to detect, prevent, and investigate fraud, unauthorised access, and other security incidents. This includes monitoring login activity, detecting anomalous usage patterns, enforcing rate limits, verifying device integrity, and maintaining audit logs. Our 7-layer security architecture and post-quantum cryptographic protections require the processing of certain technical data to operate effectively.

We use identity, financial, and trading data to comply with applicable legal and regulatory requirements, including anti-money laundering (AML) regulations, know-your-customer (KYC) requirements, tax reporting obligations, financial services regulations, and any other obligations imposed by the FCA, HMRC, the ANPD, or other regulatory authorities. We maintain detailed audit trails as required by applicable compliance frameworks.

We engage trusted third-party service providers to perform functions on our behalf, including cloud hosting and infrastructure (data centres located in the United Kingdom and the European Economic Area), payment processing (Stripe), email delivery, customer support tools, analytics services, and security monitoring. All service providers are contractually bound by data processing agreements that require them to process your personal data only on our instructions, to maintain appropriate security measures, and to comply with applicable data protection legislation. We conduct due diligence on all service providers before engagement and periodically review their data protection practices.

When you connect a brokerage account to the Platform (such as Interactive Brokers, Alpaca, OANDA, or Binance), certain data is exchanged between the Platform and the broker to facilitate trading operations. This data exchange is initiated and authorised by you and is limited to the data necessary to execute trades, retrieve portfolio information, and synchronise account status. We do not share any personal data with brokers beyond what is required for the brokerage integration to function. Your relationship with your broker is governed by the broker's own terms and privacy policy.

Subscription payments are processed by Stripe, a PCI DSS Level 1 certified payment processor. When you make a payment, your payment card details are transmitted directly to Stripe using encrypted channels and are not stored on our servers. We receive from Stripe only a tokenised reference, transaction confirmation, and limited billing data necessary for invoice management. Stripe's handling of your payment data is governed by Stripe's own privacy policy.

We may disclose your personal data if we are required to do so by law or in response to valid legal process, including court orders, subpoenas, or requests from law enforcement or regulatory authorities. We may also disclose personal data where we believe in good faith that disclosure is necessary to protect our legal rights, enforce our Terms of Service, investigate potential violations, protect the safety of any person, or address fraud or security issues. Where legally permitted, we will notify you of any such disclosure.

In the event of a merger, acquisition, reorganisation, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of the transaction. In such circumstances, we will ensure that the acquiring entity is bound by obligations no less protective than those set out in this Privacy Policy, and we will notify you of any change in the identity of the data controller or any material change in data processing practices.

We may share your personal data with third parties where you have given us your explicit consent to do so. You may withdraw such consent at any time.

Where we transfer personal data to a country that has received an adequacy decision from the UK Secretary of State (confirming that the country provides an adequate level of data protection), the transfer is permitted without the need for additional safeguards. We monitor adequacy decisions and adjust our data transfer mechanisms accordingly.

Where we transfer personal data to a country that has not received an adequacy decision, we implement appropriate safeguards, including the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), as approved by the Information Commissioner's Office. These contractual mechanisms impose data protection obligations on the data recipient and provide you with enforceable rights and effective legal remedies. We also conduct transfer risk assessments to evaluate the legal framework and practices of the destination country and implement supplementary measures where necessary.

For personal data originating from Brazilian users, we comply with the international data transfer requirements set out in Chapter V of the LGPD. Transfers of personal data of Brazilian data subjects to the United Kingdom are conducted on the basis that the UK has been recognised as providing an adequate level of data protection. Where data is subsequently transferred to jurisdictions without adequate protection, we implement standard contractual clauses, obtain your specific and informed consent, or rely on other transfer mechanisms authorised under Article 33 of the LGPD. We cooperate with the ANPD in relation to any enquiries concerning international data transfers involving Brazilian data subjects.

Account and identity data: retained for the duration of your account and for 2 years following account closure, unless longer retention is required by law.

Financial and billing data: retained for 7 years from the date of the transaction, in compliance with HMRC requirements under the Taxes Management Act 1970 and equivalent Brazilian tax legislation.

Trading data: retained for the duration of your account and for 5 years following account closure, in accordance with financial services record-keeping requirements and to support any regulatory enquiries.

Technical and usage data: retained for 24 months from the date of collection. Aggregated and anonymised usage analytics may be retained indefinitely as they do not constitute personal data.

Communications data: retained for 3 years from the date of the communication, or longer where the communication relates to an unresolved complaint or legal matter.

Marketing consent records: retained for the duration of the consent and for 2 years following withdrawal of consent, to demonstrate compliance with consent requirements.

At the end of the applicable retention period, personal data is securely deleted or irreversibly anonymised. Anonymised data, which cannot be used to identify any individual, may be retained indefinitely for statistical and analytical purposes. If you request deletion of your personal data, we will action your request in accordance with the applicable retention periods and legal obligations described above. Where we are required by law to retain certain data beyond the date of your deletion request, we will inform you of the specific retention obligation and restrict processing of that data to compliance purposes only.

You have the right to request a copy of the personal data we hold about you, together with information about the purposes of processing, the categories of data processed, the recipients or categories of recipients to whom data has been disclosed, the retention periods, and the existence of any automated decision-making. This is commonly known as a "data subject access request" (DSAR). We will provide the first copy free of charge; subsequent copies may be subject to a reasonable administrative fee.

You have the right to request the correction of inaccurate personal data and the completion of incomplete personal data. You may also update your personal data directly through the Platform's account settings. Where we have disclosed inaccurate data to third parties, we will inform them of the rectification where reasonably practicable.

You have the right to request the deletion of your personal data in certain circumstances, including where the data is no longer necessary for the purpose for which it was collected, where you withdraw consent (and there is no other legal basis for processing), where you object to processing and there are no overriding legitimate grounds, or where the data has been unlawfully processed. This right is not absolute, and we may be required to retain certain data to comply with legal obligations, establish or defend legal claims, or for other reasons permitted by law.

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of our legitimate grounds. Where processing is restricted, we may continue to store the data but will not process it further without your consent, except for the establishment, exercise, or defence of legal claims, for the protection of the rights of another person, or for reasons of important public interest.

You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance, where the processing is based on consent or the performance of a contract and is carried out by automated means. You may also request that we transmit your data directly to another controller where this is technically feasible. This right applies to personal data you have provided to us and does not extend to data that has been derived or inferred from your personal data.

You have the right to object at any time to the processing of your personal data based on legitimate interests, including profiling based on legitimate interests. Upon receiving an objection, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights, and freedoms, or the processing is necessary for the establishment, exercise, or defence of legal claims. You also have the absolute right to object to processing for direct marketing purposes at any time, without the need to provide any justification.

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. The Platform's AI engines and trading algorithms operate under your direct configuration and supervision; they do not make autonomous decisions that produce legal effects on you without your instruction. Where any automated processing is used in administrative contexts (such as fraud detection), you have the right to obtain human intervention, to express your point of view, and to contest the decision.

You have the right to obtain confirmation from us as to whether or not your personal data is being processed. Upon request, we will confirm the existence of processing and provide you with a summary of the data processing activities that involve your personal data.

You have the right to access your personal data that is held by us. Upon request, we will provide you with a complete and up-to-date copy of your personal data in a clear, adequate, and accessible format, in accordance with applicable ANPD regulations.

You have the right to request the correction of incomplete, inaccurate, or outdated personal data. You may also update certain personal data directly through the Platform's account settings.

You have the right to request the anonymisation, blocking, or deletion of unnecessary or excessive personal data, or personal data processed in violation of the LGPD. We will evaluate each request on its merits and will comply where the conditions set out in the LGPD are satisfied, subject to any overriding legal obligation to retain the data.

You have the right to request the portability of your personal data to another service provider or product, in accordance with regulations issued by the ANPD. We will facilitate the transfer of your data in a structured, commonly used, and machine-readable format.

You have the right to request the deletion of personal data processed on the basis of your consent. Upon receiving such a request, we will delete the relevant data unless we are required to retain it under another legal basis or by virtue of a legal or regulatory obligation.

You have the right to be informed about the public and private entities with which we share your personal data. Upon request, we will provide you with a list of the categories of recipients and, where possible, the specific entities to which your data has been disclosed.

You have the right to be informed about the possibility of not providing consent and the consequences of such refusal. We will clearly explain the implications of withholding or withdrawing consent at the point of collection and upon request.

You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal. You may withdraw consent by contacting us at privacy@rigelnexus.com or by using the relevant controls within the Platform's privacy settings.

You have the right to oppose the processing of your personal data where you believe the processing is not in compliance with the LGPD. We will review your objection and will cease processing where we determine that the processing does not comply with applicable law, unless we have a legitimate and overriding ground to continue processing.

You have the right to request the review of decisions made solely on the basis of automated processing of personal data that affect your interests. This includes any profiling or scoring activities. Upon request, we will provide meaningful information about the logic involved in the automated decision and, where applicable, arrange for a human review of the decision.

Essential cookies are strictly necessary for the operation of our website and the Platform. They enable core functionality such as user authentication, session management, security protections (including CSRF token validation), and load balancing. Without these cookies, the Services cannot function properly. Essential cookies do not require your consent as they are necessary for the provision of the Services you have requested. They are typically set in response to actions you take, such as logging in, setting your privacy preferences, or completing a form.

Analytics cookies help us understand how users interact with our website and the Platform by collecting and reporting information about usage patterns, page visits, session duration, and feature engagement. We use this information in aggregated form to improve the Services, identify performance issues, and prioritise development efforts. Analytics cookies are set only with your consent. You may decline analytics cookies without any impact on the core functionality of the Services.

Preference cookies (also known as functionality cookies) remember choices you make to improve your experience, such as your preferred language (English or Portuguese), theme settings, display preferences, and regional configurations. These cookies are set only with your consent and enhance your user experience but are not strictly necessary for the operation of the Services.

You may manage your cookie preferences at any time through the cookie consent banner displayed when you first visit our website, through the Platform's privacy settings, or through your browser's cookie management features. Most web browsers allow you to control cookies through their settings, including the ability to delete existing cookies, block all cookies, or receive a warning before a cookie is stored. Please note that disabling essential cookies may impair the functionality of the Services. For detailed information about managing cookies in your specific browser, please refer to your browser's help documentation.

The Gladiator platform employs a proprietary 7-layer security architecture that encompasses network security (firewalls, intrusion detection and prevention systems, DDoS mitigation), transport security (TLS 1.3 for all data in transit), application security (input validation, output encoding, CSRF protection, rate limiting), authentication security (multi-factor authentication, JWT token management, session controls), data security (encryption at rest using AES-256, field-level encryption for sensitive data), infrastructure security (hardened containers, least-privilege access, network segmentation), and monitoring security (real-time threat detection, anomaly analysis, comprehensive audit logging).

In addition to conventional cryptographic protections, the Platform implements post-quantum cryptographic algorithms, including CRYSTALS-Kyber for key encapsulation and CRYSTALS-Dilithium for digital signatures. These algorithms are designed to be resistant to attacks from both classical and quantum computers, ensuring that your data remains protected against future quantum computing threats. This forward-looking approach to cryptography reflects our commitment to long-term data security.

All personal data stored on our servers is encrypted at rest using AES-256 encryption. All data transmitted between your device and our servers, and between our internal services, is encrypted in transit using TLS 1.3. Broker API credentials are encrypted using dedicated key management infrastructure and are never stored in plaintext. Database backups are encrypted using separate encryption keys. We employ a robust key management system with regular key rotation and strict access controls.

Our security practices are aligned with SOC 2 Type II principles (security, availability, processing integrity, confidentiality, and privacy), ISO 27001 information security management standards, and OWASP security guidelines. We conduct regular security assessments, including vulnerability scanning, penetration testing, and code security reviews, to identify and remediate potential weaknesses. Our development practices follow a secure software development lifecycle (SSDLC) that incorporates security considerations at every stage.

We maintain a comprehensive incident response plan that defines procedures for detecting, containing, investigating, and remediating security incidents. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR. We will also notify the ANPD within a reasonable period as required by the LGPD. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay, providing details of the breach, its likely consequences, and the measures we have taken or propose to take to address the breach and mitigate its effects.

Access to personal data is restricted to employees, contractors, and agents of Rigel Nexus who have a legitimate business need to access the data and who are bound by contractual obligations of confidentiality. All personnel with access to personal data receive regular data protection and information security training. We enforce the principles of least privilege and segregation of duties across all systems and processes.