Privacy Policy
Version 1.1
Last updated: 2026-05-31
This Privacy Notice describes how HeliconTrade Ltd. ("HeliconTrade", "we", "us") collects, uses, and protects personal data when you visit helicontrade.com, create an account, or use our product. It applies to users of our services worldwide and is supplemented by region-specific information where required by local law, including the EU/EEA, the United Kingdom, and California. Please read this notice together with our Cookie Policy and Terms of Service.
Information we collect
We collect three categories of personal data. Account information you provide directly, including your email address, name, country, preferred language, and authentication credentials. Product data generated as you use the service, including the questions you submit to the AI, the responses returned, the alerts and strategies you configure, and your interaction history. Technical data collected automatically, including IP address, device and browser information, approximate location derived from IP, timestamps, and diagnostics necessary to operate the service and prevent abuse. Where cookies are used for analytics or marketing, those are governed by our Cookie Policy and are set only with your consent.
Why we process your data and the legal basis
We process personal data to provide the service under our contract with you, including delivering alerts, maintaining your account, processing payments, and retaining your preferences (Art. 6(1)(b) GDPR); to secure and improve the service on the basis of our legitimate interest in protecting users from fraud and abuse, monitoring performance, and enhancing product quality (Art. 6(1)(f) GDPR); to comply with legal obligations such as tax, accounting, and lawful disclosure to authorities (Art. 6(1)(c) GDPR); and for analytics or marketing only with your consent expressed through the cookie preference panel (Art. 6(1)(a) GDPR). We do not sell personal data and we do not use your product data to train third-party models without your consent.
Device fingerprinting and fraud prevention
To keep our free tier usable and to protect every user, we use device fingerprinting. When you visit the site or use the product, we derive a pseudonymous identifier from stable characteristics of your browser and device — such as canvas and WebGL rendering, installed fonts, screen attributes, platform, and timezone — and we record the IP address our servers observe. We use this in two distinct ways. A lean, stable set of these signals is used at all times to detect and prevent fraud and abuse — principally automated sign-ups and the creation of multiple accounts to exploit free usage — and to secure the service. This security use rests on our legitimate interest (Art. 6(1)(f) GDPR), is not used to build an advertising profile, and therefore operates independently of your cookie choices, as the law permits for processing necessary to prevent fraud (Recital 47). A richer set of signals is used for product analytics only where you have given consent. We deliberately do not enumerate your browser extensions, do not probe your local network addresses, and do not infer special-category information. Where these signals contribute to an automated decision that restricts an account, that decision is subject to human review and you may contest it by contacting [email protected]. We retain raw fraud signals for twelve months, after which they are deleted or aggregated into a non-identifying form, and we honour Global Privacy Control and Do-Not-Track signals for the consent-based analytics use.
How we share data
We share personal data only as necessary to deliver the service or comply with the law. Recipients include sub-processors that operate our infrastructure (cloud hosting, transactional email, error and performance monitoring, payment processing), each bound by contractual data-protection terms; professional advisers such as auditors, lawyers, and accountants, bound by professional confidentiality; authorities where we are legally compelled to disclose, with notice to affected users unless prohibited by law; and successors in the event of a merger, acquisition, or reorganisation, with prior notice before your data becomes subject to a different privacy notice. The current sub-processor list will be maintained at /legal/subprocessors upon commercial launch. We do not share personal data with advertisers or data brokers.
International transfers
Our infrastructure is operated primarily within the European Economic Area and the United Kingdom. Where personal data is transferred outside the EEA or the UK — for example to a sub-processor located in another jurisdiction — we rely on the European Commission's Standard Contractual Clauses, the UK International Data Transfer Addendum, or another transfer mechanism recognised under applicable law, together with supplementary technical and organisational measures where appropriate. A copy of the safeguards in place is available on request.
How long we keep data
We retain personal data only for as long as necessary for the purposes set out in this notice or to comply with our legal obligations. Account data is retained for the lifetime of your account plus ninety days in encrypted backups. Product data, including AI conversations and alert history, is retained until you delete it from settings and is purged from active systems within thirty days of deletion. Aggregated and de-identified analytics may be retained for longer because they no longer identify you. Where retention is required by law — for example tax or accounting records — we keep the minimum data necessary for the statutory period.
Security
We apply technical and organisational measures appropriate to the risk, including encryption in transit and at rest, least-privilege access controls, secret rotation, vulnerability monitoring, audit logging, and routine review of our security posture. No system is completely secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority and, where required, affected users without undue delay and in accordance with applicable law.
Your rights
Subject to applicable law, you have the right to access the personal data we hold about you, to correct it, to delete it, to restrict or object to certain processing, to receive a portable copy, and to withdraw any consent you have given. Account holders can exercise most of these rights directly in product settings. For any other request, contact [email protected]. In the EEA and the United Kingdom you may lodge a complaint with your local supervisory authority — for example the Information Commissioner's Office in the UK or your national Data Protection Authority in the EU. In California, residents have additional rights under the CCPA/CPRA, including the right to know, delete, correct, opt out of any sale or sharing of personal information (HeliconTrade does not sell or share personal information as those terms are defined in the CCPA), and to non-discrimination for exercising these rights.
Children
HeliconTrade is not directed to children under the age of sixteen, and we do not knowingly collect personal data from anyone under that age. If you believe that a child has provided us with personal data, please contact [email protected] and we will take appropriate steps to delete it.
Changes to this notice
We may update this notice from time to time to reflect changes in our practices, applicable law, or the services we offer. Material changes will be notified in-product or by email where appropriate. The version date at the top of this page indicates when the current notice took effect. Continued use of the service after the effective date constitutes acceptance of the updated notice.
Contact
HeliconTrade Ltd. is the controller of the personal data described in this notice. For any privacy question, to exercise your rights, or to reach our Data Protection contact, write to [email protected]. We respond to verified requests within thirty days, or sooner where required by law.