Privacy Policy
Last updated: 15 May 2026
1. Who We Are (Data Controller)
EasySwing.trading is operated by Sofus, a sole proprietorship (eenmanszaak) registered with the Dutch Chamber of Commerce in Amsterdam, the Netherlands (KvK: 50937782). Sofus is the data controller responsible for your personal data under the GDPR / Dutch Algemene Verordening Gegevensbescherming (AVG).
Contact for any privacy matter: privacy@easyswing.trading.
No Data Protection Officer (DPO). Sofus does not meet the GDPR Art. 37(1) criteria for mandatory DPO designation (no large-scale monitoring, no special-category data processing as a core activity). Privacy queries are handled directly by the operator via the address above.
Entity transition. Sofus intends to incorporate into a Dutch besloten vennootschap (B.V.) before commercial launch. When that occurs, the successor B.V. will become the data controller for your personal data on the same terms set out in this Policy, by operation of Section 16 of our Terms of Service. We will post a notice on transition.
2. What Personal Data We Collect
We collect the following categories of personal data:
| Category | Examples | Source |
|---|---|---|
| Account data | Email address, name, profile photo | You, via Clerk authentication |
| Trading content | Watchlists, journal entries, alert configurations, trade cycles | You |
| AI chat content | Messages you send to Soren and Soren's replies in your account | You |
| Usage data | Pages visited, features used, timestamps | Automatically collected |
| Behavioural analytics | Clicks, scrolls, mouse movements, session recordings, heatmaps | Microsoft Clarity (with your consent) |
| Technical data | IP address, browser type, device info | Automatically collected |
| Preferences | Scanner settings, theme, onboarding state | You |
| Payment data | Subscription plan, billing status (no card numbers) | Clerk Billing |
| Waitlist data | Email address, interest category | Clerk |
3. Legal Basis for Processing (GDPR Art. 6)
| Processing activity | Legal basis |
|---|---|
| Account creation and authentication | Performance of a contract (Art. 6(1)(b)) |
| Providing the screener and AI assistant | Performance of a contract (Art. 6(1)(b)) |
| Billing and subscription management | Performance of a contract (Art. 6(1)(b)) |
| Telegram alerts (opt-in) | Consent (Art. 6(1)(a)) |
| Waitlist email communications | Consent (Art. 6(1)(a)) |
| Behavioural analytics (Clarity, GTM) | Consent (Art. 6(1)(a)) |
| Security logging and fraud prevention | Legitimate interest (Art. 6(1)(f)) |
| Product improvement from aggregated usage | Legitimate interest (Art. 6(1)(f)) |
| Tax records, accounting, legal claims | Legal obligation (Art. 6(1)(c)) / legitimate interest |
4. How We Use Your Data
- To create and manage your account, and authenticate you
- To operate the screener, watchlists, journal, alerts, and the AI assistant Soren
- To process payments and manage your subscription via Clerk Billing
- To send Telegram or email notifications you have opted into
- To answer your support and privacy queries
- To improve the Service based on aggregated usage analytics
- To detect, investigate, and prevent fraud, abuse, and security incidents
- To comply with legal, tax, accounting, and regulatory obligations
We do not sell your personal data, share it with advertisers, use your account content for cross-customer profiling, or use your AI chat content to train third-party AI models. See the AI Usage Policy for the specifics of AI data handling.
5. Sub-Processors and Third Parties
We share personal data with the following third-party providers, each acting as a data processor or, where indicated, an independent controller. Each provider operates under a data processing agreement (DPA) and, where data leaves the EEA, under Standard Contractual Clauses (SCCs) and/or the EU–US Data Privacy Framework.
| Provider | Purpose | Location | Safeguard |
|---|---|---|---|
| Clerk, Inc. | Authentication, user management, billing | United States | SCCs + Clerk DPA |
| Cloudflare, Inc. | Hosting, CDN, Workers, D1 database, KV cache | US / global edge | SCCs + Cloudflare DPA |
| Telegram Messenger LP | Alert delivery (opt-in) | US / Dubai | User-initiated; you provide your chat ID |
| AI model providers (Anthropic and/or OpenAI / OpenRouter) | Powers Soren's natural-language responses. Inputs are not used by the providers to train their models under the API agreements we use. | United States | SCCs + provider DPA; zero-retention or 30-day API logging per provider |
| Microsoft Corporation (Clarity) | Behavioural analytics — session recordings, heatmaps | United States | SCCs + Microsoft DPA |
| Google LLC (Tag Manager) | Tag management for analytics | United States | SCCs + Google DPA |
International transfers. Most of our processors are based in the United States. Transfers from the EEA to the US are protected by (a) the European Commission's Standard Contractual Clauses (Decision 2021/914) and (b) where the recipient is certified, by the EU–US Data Privacy Framework adopted by Commission adequacy decision of 10 July 2023. The adequacy decision was upheld by the EU General Court in Latombe v Commission (Case T-553/23, judgment of 3 September 2025); a Schrems-III challenge has been threatened but not yet filed. We monitor the framework's status and will switch to additional safeguards (such as supplementary technical measures or alternative processors) if it is invalidated. We document our Transfer Impact Assessments (TIAs) for each US sub-processor under EDPB Recommendations 01/2020 and will provide them on request. You may request a copy of the SCCs we rely on by emailing privacy@easyswing.trading.
6. Data Retention
| Data category | Retention period |
|---|---|
| Account data | For the duration of your account + 90 days after deletion request |
| Trading content (journal, watchlists, alerts) | For the duration of your account + 90 days |
| AI chat history with Soren | 90 days rolling, then deleted (you can clear it on-demand) |
| Server logs | 30 days (rolling) |
| Security incident logs | Up to 12 months |
| Billing records and invoices | 7 years (mandatory under Dutch tax law — Wet op de omzetbelasting / AWR) |
| Records of consent | 3 years from withdrawal of consent |
7. Your Rights Under the GDPR
As a data subject in the EEA, UK, or Switzerland you have the following rights:
- Right of access (Art. 15) — a copy of the data we hold about you.
- Right to rectification (Art. 16) — correction of inaccurate data.
- Right to erasure (Art. 17) — deletion of your data ("right to be forgotten"), subject to retention obligations like the 7-year tax record requirement.
- Right to restriction (Art. 18) — restrict processing in certain circumstances.
- Right to data portability (Art. 20) — receive your data in a structured, machine-readable format (we provide JSON/CSV exports).
- Right to object (Art. 21) — object to processing based on legitimate interest, including any profiling.
- Right to withdraw consent (Art. 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing.
- Right not to be subject to a decision based solely on automated processing (Art. 22) — see Section 9 below.
- Right to lodge a complaint with the Dutch supervisory authority, the Autoriteit Persoonsgegevens, or with your local supervisory authority.
How to exercise your rights. Email privacy@easyswing.trading. We respond within 30 days (extendable by up to 60 days for complex requests, with notice to you). We may ask you to verify your identity. There is no fee unless the request is manifestly unfounded or excessive.
California residents (CCPA/CPRA): the rights above are functionally equivalent to your rights of access, correction, deletion, portability, and to opt out of "sale" or "sharing." We do not sell or share personal information as those terms are defined under California law.
8. Cookies and Similar Technologies
Strictly necessary cookies (e.g. Clerk authentication) are required for the Service. Analytics and behavioural-analytics cookies require your consent and can be withdrawn at any time via the Cookie Settings link in the footer. See our Cookie Policy for full detail.
9. Automated Decision-Making and AI Features
The Service uses algorithms to filter, rank, and surface stock setups, and uses large language models to power our AI assistant Soren. None of these features constitute a decision producing legal effects or similarly significantly affecting you within the meaning of GDPR Art. 22. Specifically:
- The screener produces a list of stocks meeting numeric criteria; it does not make decisions about you.
- Soren produces informational responses to your questions; it does not place trades, manage money, or make binding decisions on your behalf.
- No automated decisions are made about access, pricing, or eligibility based on profiling.
You can opt out of optional AI features at any time without losing access to the screener. Full handling of AI inputs and outputs is described in the AI Usage Policy.
10. Security
We implement appropriate technical and organisational measures to protect your data: HTTPS everywhere, encryption at rest in Cloudflare D1, scoped access controls, least-privilege authentication, dependency monitoring, and rate limiting. We are a small operation and we prioritise minimising the data we collect over hardening data we don't need.
If you believe you have found a security issue, please report it responsibly to privacy@easyswing.trading. We commit to acknowledging your report within 72 hours.
11. Data Breach Notification
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Dutch supervisory authority (Autoriteit Persoonsgegevens) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (GDPR Art. 33).
- Notify affected users without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34).
- Document the nature, effects, and remediation of the breach in our internal incident log.
12. Children
The Service is intended for adults aged 18 or older and is not directed at children. We do not knowingly collect personal data from anyone under 18. If you believe a minor has provided us with personal data, please email privacy@easyswing.trading and we will delete it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify registered users by email of material changes at least 14 days before they take effect. The date at the top of this page reflects the most recent update. Continued use of the Service after the effective date constitutes acceptance of the updated Policy.
14. Contact
For any privacy matter:
Sofus (trading as EasySwing.trading)
Amsterdam, Netherlands
privacy@easyswing.trading
Supervisory authority: Autoriteit Persoonsgegevens, The Hague, Netherlands.