01 Controller
The controller responsible for processing personal data on this website and in the Navrox product, within the meaning of Art. 4 (7) GDPR, is:
- Controller: Navrox, Munich, Germany — see Legal Notice for the full address.
- Privacy contact: privacy@navrox.io
- Data Protection Officer: TODO appoint a DPO only if required under Art. 37 GDPR / § 38 BDSG. For a small SaaS team this usually is not mandatory; remove this line if so.
02 What we do (in plain words)
Navrox is a self-hosted trading-infrastructure platform. The marketing website you are reading right now is intentionally minimal: it loads no analytics, no marketing pixels, no chat widgets, and no third-party social embeds. It does not set cookies for tracking purposes.
We process personal data only when (a) your browser fetches a page and our hosting provider records the request, (b) you create an account or sign in, (c) you pay for a subscription, or (d) you contact us by email. Each of those is detailed below.
03 Hosting & server logs
This site is hosted by TODO hosting provider (TODO legal entity + country). When you load a page, our host receives standard request data which is necessary for the site to function and for security:
- IP address (truncated where feasible)
- Date and time of the request
- Requested URL, HTTP status, transferred bytes
- Referrer, user-agent string
Legal basis: Art. 6 (1) (f) GDPR — legitimate interest in operating a stable, secure website. Retention: server logs are kept for up to 14 days for abuse and incident response, then deleted or fully anonymized.
04 Account data
When you create a Navrox account we store: your email address, a hashed password, your chosen display name, your account tier, and an audit trail of security-relevant events (logins, key rotations, plan changes).
Legal basis: Art. 6 (1) (b) GDPR — performance of the subscription contract. Retention: for the duration of the account, plus statutory retention periods after closure (see § 09).
Strategies, backtests, broker credentials, and account balances live on your own machine. Navrox is designed so that your trading data never has to touch our servers. If a future feature requires it (e.g. cloud sync), it will be opt-in and this policy will be updated.
05 Payments
Subscriptions are processed by TODO payment processor (likely Stripe Payments Europe Ltd., Ireland — confirm before launch). When you pay, the processor receives the data necessary to charge the card or SEPA mandate, and returns to us a customer reference, billing country, last-four card digits, and the line items. We do not see the full card number.
Legal basis: Art. 6 (1) (b) GDPR (contract) and Art. 6 (1) (c) (tax / accounting obligations under § 147 AO).
06 Support & email correspondence
If you write to us, your message and the metadata around it (email address, time, IP of the sending server) are stored with our mail provider (TODO mail provider) and in our ticket system, so we can answer you and refer back to the thread.
Legal basis: Art. 6 (1) (b) or (f) GDPR depending on whether you are a customer or a prospect. Retention: 24 months after last contact, unless tax law requires longer.
08 International transfers
Where one of our processors (payments, email, hosting) is based outside the EU/EEA, we rely on the EU Standard Contractual Clauses (Art. 46 (2) (c) GDPR) and, for US providers, the EU–US Data Privacy Framework where the provider is certified. The list of subprocessors and their locations is available on request at privacy@navrox.io.
09 Retention
- Server logs: up to 14 days.
- Account data: duration of account.
- Invoices and tax-relevant records: 10 years (§ 147 AO).
- Other business correspondence: 6 years (§ 257 HGB).
- Support emails: 24 months after last contact.
10 Your rights
You have the following rights under the GDPR:
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to restriction (Art. 18)
- Right to data portability (Art. 20)
- Right to object (Art. 21)
- Right to withdraw any consent (Art. 7 (3))
To exercise any of these, write to privacy@navrox.io. You also have the right to lodge a complaint with the supervisory authority — for Munich-based customers this is the Bayerisches Landesamt für Datenschutzaufsicht (BayLDA), Ansbach.
11 Changes
We will update this policy when our processing changes — for example if we add a new subprocessor or a new product feature that handles personal data. The version date at the top of the page reflects the last material change.