Sovereign Trader

Privacy Policy

Effective Date: March 16, 2026 · Version 1.2

Plain-Language Summary

What we collect: Your Telegram user ID, the text you type or speak into the bot, your Zen Check answers, journal entries, and basic usage data.

Why: To generate personalised AI coaching, session summaries, and weekly reviews — the core function of the Service.

Who sees it: Your data is sent to OpenAI's API and Anthropic's API for AI response generation. Neither provider uses API data for model training. We do not sell, share, or monetise your data.

Your control: You can download all your data or delete your account at any time via Settings in the web dashboard.

Section 1 Controller and Contact Information

1.1 The data controller responsible for the processing of your personal data within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") is:

Sovereign Trader Software - Rainer Arnst
Waldstr. 2
12621 Berlin, Germany
Email: legal@sovereigntrader.net

1.2 Given the current scope of data processing, the appointment of a Data Protection Officer (DPO) is not legally required under Article 37 GDPR. Should this change, this section will be updated accordingly.

Section 2 Data We Collect

We collect and process the following categories of personal data:

Data Category Specific Data Source
Account & Identity Telegram user ID, Telegram username (if public), display name; web dashboard login credentials (email, hashed password) Provided by you upon registration / Telegram interaction
Zen Check Data Answers to psychological readiness questions, composite scores, Go/Caution/No-Trade verdicts, timestamps Provided by you during pre-session check-ins
Session & Journal Data Session preparation notes, free-text journal entries, session reflections, trading rules you define, AI coaching conversation logs Provided by you through Telegram or web dashboard
Voice Data Voice messages submitted via Telegram (temporarily); text transcriptions of voice messages (retained) Provided by you via Telegram voice notes
Strategize Data Economic calendar events, market overview data retrieved on your behalf from public sources Third-party public data sources (Investing.com, ForexFactory, etc.)
Usage & Technical Data Timestamps of interactions, feature usage patterns, error logs, IP addresses (web dashboard only), browser type (web dashboard only) Automatically collected through system logs
Weekly Review Data AI-generated weekly summaries, pattern analyses, rule adherence metrics derived from the above data categories Generated by the Service from your existing data

2.2 Special Category Data. We do not intentionally collect special category data as defined in Article 9 GDPR (racial or ethnic origin, political opinions, religious beliefs, health data, biometric data for identification, etc.). However, the free-text nature of journal entries and voice transcriptions means you may voluntarily include information about your emotional or psychological state. Such information is processed solely for providing the AI coaching service and is treated with the same protections as all other User Content.

2.3 Voice recordings. When you send a voice message via Telegram, the audio file is received by the Service, transcribed to text using a speech-to-text API, and then the original audio file is deleted. Only the text transcription is retained. Voice data is used for transcription purposes only and is not used for biometric identification.

Section 3 Purposes and Legal Bases for Processing

We process your personal data for the following purposes, on the following legal bases under Article 6(1) GDPR:

Purpose Legal Basis
Providing the core Service: Zen Check, Prepare phase, AI coaching, journaling, weekly reviews Art. 6(1)(b) — Performance of a contract (the Terms of Service)
Transmitting input text to OpenAI and Anthropic APIs for AI response generation Art. 6(1)(b) — Performance of a contract; Art. 6(1)(a) — Consent (you are informed upon onboarding that AI processing involves third-party APIs)
Transcribing voice messages to text Art. 6(1)(b) — Performance of a contract
Generating aggregated and anonymised usage analytics to improve the Service Art. 6(1)(f) — Legitimate interest (product improvement)
Maintaining system security, preventing abuse, and troubleshooting errors Art. 6(1)(f) — Legitimate interest (security and operational integrity)
Sending you service-related communications (e.g., feature updates, Terms changes) Art. 6(1)(b) — Performance of a contract
Complying with legal obligations (e.g., responding to lawful data access requests) Art. 6(1)(c) — Legal obligation

3.2 We do not process your data for profiling, automated decision-making with legal or similarly significant effects, advertising, or marketing to third parties.

Section 4 Third-Party Processors and Data Transfers

The following third-party service providers process personal data on our behalf:

Provider Purpose Data Transferred Location Safeguards
OpenAI, Inc. AI response generation via API Input text (including transcribed voice), conversation context USA EU-US Data Privacy Framework; OpenAI DPA; API data not used for training
OpenAI, Inc. (Whisper) Speech-to-text transcription Voice audio files (deleted after transcription) USA EU-US Data Privacy Framework; OpenAI DPA
Anthropic, Inc. AI response generation via Claude API (coaching, weekly reviews, session scoring) Input text, conversation context USA EU-US Data Privacy Framework; Anthropic DPA; API data not used for training
Telegram FZ-LLC Message delivery platform Telegram user ID, message content in transit UAE / Global Telegram's own Privacy Policy; messages processed via Bot API
Hetzner Online GmbH Server hosting and backups All stored data (encrypted at rest) Germany (EU) GDPR-compliant EU hosting; ISO 27001 certified data centres
Stripe, Inc. Payment processing and subscription management Email address, payment card details (not stored by us), billing address; Stripe customer and subscription IDs stored on our servers USA / Global EU-US Data Privacy Framework; Stripe DPA; PCI DSS Level 1 certified; card data stored by Stripe only
Brevo (Sendinblue SAS) Transactional email delivery (subscription notifications, billing alerts) Email address, display name France (EU) GDPR-compliant EU processor; Brevo DPA; ISO 27001 certified
Sentry (Functional Software, Inc.) Error monitoring and logging Error logs, stack traces (may incidentally contain user IDs or request metadata) USA EU-US Data Privacy Framework; Sentry DPA; data scrubbing configured to minimise personal data in error reports

4.2 International Transfers. Some of the above providers are located outside the European Economic Area (EEA), specifically in the United States. These transfers are protected by the EU-US Data Privacy Framework (adequacy decision of the European Commission, July 2023) and, where applicable, by Standard Contractual Clauses (SCCs) as a supplementary safeguard. If the EU-US Data Privacy Framework is invalidated or modified, we will implement alternative transfer mechanisms as required by law.

4.3 We do not sell, rent, or share your personal data with any third parties for their own marketing or commercial purposes.

4.4 We have entered into Data Processing Agreements (DPAs) with our processors in accordance with Article 28 GDPR. Copies are available upon request.

Section 5 Data Retention

Data Type Retention Period
Voice audio files Deleted immediately after successful transcription (typically within seconds)
Voice transcriptions Retained for the duration of your account
Zen Check data, journal entries, session data Retained for the duration of your account
AI coaching conversation logs Retained for the duration of your account
Weekly review summaries Retained for the duration of your account
Account credentials & identity data Retained for the duration of your account; deleted within 30 days of account closure
Server access logs (IP, browser) 90 days, then automatically purged
Error logs (Sentry) 90 days (Sentry default retention), then automatically purged
Database backups (Hetzner) Rolling 7-day backup cycle; older backups automatically overwritten

5.2 When you request data deletion (via /deletedata or email), all personal data associated with your account is permanently deleted from the production database within 7 days. Data in automated backups will be overwritten within the backup rotation cycle (up to 7 additional days). Data that has already been transmitted to OpenAI's API is subject to OpenAI's own retention policies; under their current API terms, API input and output data is retained for up to 30 days for abuse monitoring purposes and then deleted.

Section 6 Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at legal@sovereigntrader.net or use the /deletedata command in Telegram for deletion requests.

Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including AI conversation logs and Zen Check history.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of all your personal data. Use /deletedata for self-service deletion.
Right to Restrict Processing (Art. 18)
Request that we limit how we process your data in certain circumstances.
Right to Data Portability (Art. 20)
Receive your data in a structured, commonly used, machine-readable format (CSV). Use Settings → Data Export in the web dashboard for a self-service ZIP download.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
File a complaint with a supervisory authority. For Germany: your state data protection authority (Landesdatenschutzbeauftragter).

6.2 We will respond to data subject requests within 30 days of receipt, as required by GDPR. If a request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for it.

6.3 We may ask you to verify your identity before processing a request, to ensure we do not disclose personal data to an unauthorised person.

Section 7 Data Security

7.1 We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS);
  • Database contents are encrypted at rest on the hosting server;
  • Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plaintext;
  • Server access is restricted via SSH key authentication with fail2ban intrusion prevention;
  • A firewall (UFW) restricts inbound connections to necessary ports only;
  • Error monitoring (Sentry) is configured with data scrubbing to minimise personal data in logs;
  • Automated daily backups with a 7-day retention cycle;
  • Access to production systems is limited to the Operator.

7.2 Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR and will notify affected individuals without undue delay as required by Article 34 GDPR where the breach is likely to result in a high risk.

Section 8 Cookies and Tracking

8.1 The web dashboard uses only strictly necessary cookies required for authentication, session management, and temporary workflow state. These cookies are essential for the functioning of the Service and do not require consent under the ePrivacy Directive.

8.2 Cookies set by the Service:

  • access_token — Authentication JWT; httponly; expires after 7 days.
  • promo_code — Temporary promo/invite code entered before Telegram login; httponly; expires after 30 minutes. Cleared immediately after the Telegram callback.
  • promo_coupon — Stripe coupon ID derived from a promo code; httponly; expires after 1 hour. Cleared immediately after checkout.

8.3 We do not use analytics cookies, advertising cookies, tracking pixels, social media widgets, or any third-party tracking technologies on the web dashboard.

8.4 The Telegram bot interface does not set or read cookies.

Section 9 AI-Specific Disclosures

This section provides transparency about how AI is used in the Service, in accordance with the EU AI Act and GDPR.

9.1 The Service uses artificial intelligence (specifically, large language models) to generate coaching responses, session summaries, weekly reviews, and other textual outputs. You are interacting with an AI system, not a human.

9.2 How your data flows through the AI system:

  1. You submit text or a voice message via Telegram or the web dashboard.
  2. If voice, the audio is transcribed to text via OpenAI Whisper API. The original audio is then deleted.
  3. Your input text, together with relevant conversation context (recent messages, your Zen Check score, your defined trading rules), is assembled into a prompt.
  4. The prompt is sent to OpenAI's Chat Completions API or Anthropic's Claude API (depending on the feature), which returns an AI-generated response.
  5. The response is delivered to you and stored in your conversation history.
  6. Your conversation history is stored in our database on Hetzner servers in Germany.

9.3 Under OpenAI's current API data usage policy, data submitted through the API is not used to train OpenAI's models. OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, after which it is deleted. For current details, see OpenAI's API Data Usage Policies.

9.4 Under Anthropic's current usage policy, data submitted via the API is not used to train Anthropic's models. Anthropic may retain API inputs and outputs for a limited period for trust and safety purposes. For current details, see Anthropic's Privacy Policy.

9.5 The AI system does not: make automated decisions with legal or similarly significant effects on you; access your brokerage account, live trading positions, or financial accounts; perform biometric identification or emotion recognition in the sense of the EU AI Act; or generate content that is represented as human-created.

9.6 AI-generated outputs may be inaccurate. The Service does not guarantee the accuracy, completeness, or appropriateness of any AI-generated content.

Section 10 Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data to us, we will delete such data promptly.

Section 11 Changes to This Privacy Policy

11.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Service features. Material changes will be communicated to you via the Telegram bot or the web dashboard at least fourteen (14) days before they take effect.

11.2 The "Effective Date" at the top of this document will be updated to reflect the date of the most recent version.

11.3 We encourage you to review this Privacy Policy periodically.

Section 12 Contact and Complaints

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, contact:

Sovereign Trader Software - Rainer Arnst
Waldstr. 2
12621 Berlin, Germany
Email: legal@sovereigntrader.net

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. In Germany, this is the data protection authority (Datenschutzaufsichtsbehörde) of the federal state (Bundesland) in which the Operator is established.

This document was last updated on March 16, 2026 (v1.2). Please also review our Terms of Service.