1. Who We Are & Scope
Nister Finance is the controller of personal data processed in connection with the Service unless stated otherwise (e.g., where a payment processor acts as independent controller). This Policy applies to visitors, registered users, and customers who access our websites, EAs, APIs, and related services.
Address: —
Privacy/DPO Email: [email protected]
2. Data We Collect
| Category | Examples | Source |
|---|---|---|
| Account & Profile | Name, username, email, password (hashed), country, plan, preferences. | You |
| Billing | Billing address, last4 of card, payment tokens, transaction metadata (stored primarily by payment processor). | You / Payment processor |
| Device & Logs | IP address (stored or hashed), user-agent, timestamps, referrer/UTM, pages, error logs. | Automatic |
| EA/API Usage | License or API token hash, request counts, rate-limit hits, endpoint metadata (e.g., symbol/timeframe), success/error codes. | Automatic |
| Support | Contact messages, attachments, screenshots, ticket history. | You |
| Analytics (consented) | Aggregated feature usage, session events, coarse location (city/region), A/B test buckets. | Automatic (with consent) |
We do not collect or store your full payment card number; our payment processor handles that directly.
3. How We Use Data (Purposes & Legal Bases)
| Purpose | Examples | Legal Basis (GDPR/UK-GDPR) |
|---|---|---|
| Provide the Service | Account creation, login, EA/API token issuance, rate limiting, feature delivery. | Contract performance; Legitimate interests |
| Security & Abuse Prevention | Detect fraud, DDoS mitigation, token misuse, IP reputation, incident response. | Legitimate interests; Legal obligation |
| Billing & Account Management | Charge fees, handle invoices, send service notices. | Contract performance; Legal obligation |
| Support & Comms | Respond to tickets, product updates, critical alerts. | Legitimate interests; Consent (where required) |
| Analytics & Improvement | Aggregate usage trends, UX research, A/B tests. | Consent (where required); Legitimate interests |
| Compliance | Tax, accounting, regulatory requests, sanctions screening. | Legal obligation |
Model/Training: We do not use your private EA/API content or support attachments to train public models without your express consent.
5. EA/API Signals & Telemetry
When our EA or your integration calls the API, we log minimal metadata to operate and secure the Service. This may include a token or license hash, request time, endpoint, anonymized IP (e.g., hashed), user-agent, and basic request metadata such as symbol/timeframe or feature flags. We do not collect your broker credentials.
We may apply automated protections (rate limits, anomaly detection) to prevent abuse and ensure fair access.
7. International Transfers
We may transfer data across borders (e.g., to the EU/EEA, UK, US, or other regions). Where required, we use safeguards such as the EU Standard Contractual Clauses (SCCs), UK IDTA/Addendum, and risk assessments.
8. Security
- Transport encryption (HTTPS/TLS) and encrypted secrets storage where applicable.
- Role-based access, credential hashing, least-privilege defaults, periodic key rotation.
- Network protections (WAF/DDoS), automated alerting, and vulnerability management.
- Vendor DPAs and reviews; logging and audit trails proportionate to risk.
No system is 100% secure. If you suspect an issue, contact us immediately at [email protected].
9. Retention
| Data Type | Typical Retention | Rationale |
|---|---|---|
| Account records | Life of account + up to 2 years | Support, disputes, compliance |
| Billing/tax records | 5–7 years (jurisdiction dependent) | Legal obligations |
| EA/API logs (metadata) | 90–180 days | Security & abuse prevention |
| Support tickets | Up to 3 years | Customer service & audit |
| Analytics (aggregated) | Up to 24 months | Product improvement |
10. Your Rights
Depending on your location, you may have rights to access, correct, delete, restrict, or port your data; to object to certain processing; and to withdraw consent at any time. You also have the right to lodge a complaint with a supervisory authority.
- GDPR/UK-GDPR: Access (Art. 15), Rectification (Art. 16), Erasure (Art. 17), Restriction (Art. 18), Portability (Art. 20), Objection (Art. 21), and rights related to automated decisions (Art. 22).
- CPRA/CCPA: Right to know, delete, correct, and limit use of sensitive personal information; opt-out of “selling”/“sharing”.
- LGPD/NDPR/POPIA: Analogous rights as applicable under local law.
Use the “Start a Privacy Request” button above or visit https://nister.org/contact-us/.
11. Do Not Sell/Share & GPC
We do not sell your personal information for money. Where “share” is defined (e.g., CPRA cross-context behavioral ads), we provide opt-out controls and honor the Global Privacy Control (GPC) signal as a valid request to opt out of “sale”/“sharing” where required.
12. Children
The Service is not directed to children under 16 (or higher age where local law defines a child). We do not knowingly collect data from children. If you believe a child has provided personal data, contact us to remove it.
13. Submitting Requests
Submit requests through our portal or email. We will verify your identity and respond within the timelines required by law.
Request portal: https://nister.org/contact-us/
Email: [email protected]
14. Incidents & Breach Notification
We maintain an incident response process. Where required by law, we will notify affected users and/or authorities of a personal data breach without undue delay.
15. Changes to this Policy
We may update this Policy to reflect changes to our practices or the law. We will post the updated version with a new “Last updated” date and, where appropriate, provide additional notice.
16. Contact
Questions or concerns about privacy?
- Privacy/DPO: [email protected]
- Support: [email protected]
- Contact page: Contact Us
© 2025 Nister Finance. All rights reserved.