Privacy Policy
Last updated: May 6, 2026
1. Identity and Contact Details of the Data Controller
Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter "GDPR"), Legislative Decree 196/2003 (Italian Data Protection Code), and Directive 2002/58/EC (ePrivacy), we inform you that your personal data will be processed by the following Data Controller:
- Controller: DOJO TRADING GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA
- Registered office: POZOS, Forum Uno, Edificio G, Primer Piso, Oficinas NCC Law, Costa Rica
- Tax ID: [TO BE PROVIDED]
- Email: official.comunication@tradingdojo.org
- Platform: Trading Dojo (tradingdojo.org)
EU Representative (Art. 27 GDPR):
- Name: Alex Solignani
- Address: Marano sul Panaro (MO), Italy
- Email: official.comunication@tradingdojo.org
2. Types of Personal Data Collected
In the course of providing its services, Trading Dojo collects and processes the following categories of personal data:
Identification and contact data
- Name, email address, phone number, country of residence, address
Authentication data
- Password (stored exclusively as a cryptographic hash), multi-factor authentication (MFA) backup codes
Application data
- Name, date of birth, email, phone number, residence, profession, trading experience level, difficulties encountered, learning objectives, investment availability, salary range
Payment data
- Amount, currency, payment method, bank transfer reference or blockchain transaction ID
Course data
- Course access records, lesson completion status, visibility settings
Trading journal data
- Emotional state (mood), currency pair, trade direction, result, amount, personal notes
Messaging data
- Text messages, attachments exchanged through the internal chat system
Device data
- Device fingerprint, user agent, device type, browser, operating system
Analytics data
- Anonymized visitor ID, pages visited, scroll depth, session duration, referrer, UTM parameters
Bug report data
- Title, problem description, screenshots
3. Purposes and Legal Bases for Processing
Your personal data is processed for the following purposes, each supported by an appropriate legal basis under Article 6 GDPR:
Performance of a contract (Art. 6(1)(b) GDPR)
- Account registration: creation and management of your account on the platform
- Payments: processing of payments via bank transfer or cryptocurrency
- Courses and progress: delivery of the educational service and progress tracking
- Chat and messaging: communication between student and instructor
- Trading journal: provision of the personalized educational tool
- Transactional emails: sending of service-related communications (confirmations, notifications, updates)
Pre-contractual measures (Art. 6(1)(b) GDPR)
- Application: evaluation of your application for admission to educational programs
Legal obligation (Art. 6(1)(c) GDPR)
- Payment data: compliance with tax and accounting obligations under applicable law
Legitimate interest of the Controller (Art. 6(1)(f) GDPR)
- Device fingerprinting: access control and device limit management to protect the integrity of the service
- reCAPTCHA v3: protection of the platform from bots and abusive behavior
- Video watermark: overlay of email address on video content to protect intellectual property
- Bug reports: improvement of service quality and reliability
Consent of the data subject (Art. 6(1)(a) GDPR)
- Analytics (custom internal system): anonymized analysis for service and user experience improvement
- Newsletter: sending of promotional and informational communications. Consent may be withdrawn at any time via the unsubscribe link in each communication or by contacting the Controller
4. Sub-Processors and Data Recipients
To provide its services, the Controller engages the following sub-processors (Art. 28 GDPR), with whom appropriate data processing agreements have been executed:
- Supabase Inc. (USA) — Database, authentication, realtime functionality, and storage. Safeguards for extra-EU transfers: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs).
- VdoCipher (VdoTok Tech Pvt. Ltd.) (India) — DRM-protected video hosting with watermark. Safeguards: Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914.
- Vercel Inc. (USA) — Web application hosting. Safeguards: DPF + SCCs.
- Amazon Web Services EMEA SARL (registered office Luxembourg; primary data centers in Ireland — eu-west-1 region) — Cloud infrastructure (S3 storage, CloudFront CDN distribution) used by the sub-processors Supabase, Vercel, and VdoCipher to host data and deliver video and static content. The data subject’s browser may communicate directly with AWS servers when loading resources (e.g., files from Supabase Storage or VdoCipher videos). Safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914. Privacy: aws.amazon.com/privacy.
- Google LLC (USA) — reCAPTCHA v3 anti-bot service. Safeguards: DPF + SCCs.
Personal data is not disclosed to third parties for marketing purposes. Data may be communicated to competent authorities in cases required by law.
The list of data processors may be updated periodically. The latest version is always available on this page.
5. International Data Transfers
Some of the sub-processors listed in the previous section are established outside the European Economic Area (EEA). Transfers of personal data to such third countries are carried out in compliance with Chapter V of the GDPR (Articles 44–49), based on the following appropriate safeguards:
United States of America (Supabase, Vercel, Google, and Amazon Web Services for U.S. endpoints)
- European Commission adequacy decision regarding the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023)
- Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, as an additional safeguard
Luxembourg / Ireland (Amazon Web Services EMEA SARL)
- Processing within the European Economic Area (EEA), with the safeguards of the GDPR directly applicable
- Standard Contractual Clauses (SCCs) for any technical transfers to other AWS regions, pursuant to Commission Implementing Decision (EU) 2021/914
India (VdoCipher)
- Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021
You have the right to obtain a copy of the appropriate safeguards in place by contacting the Controller at official.comunication@tradingdojo.org.
6. Data Retention Periods
Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):
- User account data: for the duration of the contractual relationship, plus 10 years after termination (to fulfill tax and accounting obligations)
- Payment data: 10 years from the date of the transaction (Art. 2220 of the Italian Civil Code)
- Application data: 2 years from the date of the decision regarding the application
- Course progress: for the duration of course access, plus 1 year after termination
- Chat messages: for the duration of the contractual relationship, plus 6 months after termination
- Trading journal data: for the duration of the contractual relationship
- Device fingerprints: 6 months from the last access with the device
- Analytics data: 26 months from collection
- Bug reports: 1 year from the resolution of the reported issue
- Email logs: 2 years from dispatch
Upon expiration of the above periods, data will be securely deleted or irreversibly anonymized.
7. Rights of the Data Subject
As a data subject, you may exercise the following rights under Articles 15–22 of the GDPR:
- Right of access (Art. 15 GDPR): obtain confirmation as to whether your personal data is being processed and access its content
- Right to rectification (Art. 16 GDPR): obtain the correction of inaccurate personal data or the completion of incomplete data
- Right to erasure (Art. 17 GDPR): obtain the deletion of your personal data, unless processing is necessary for compliance with legal obligations (e.g., tax requirements) or for the establishment, exercise, or defense of legal claims
- Right to restriction of processing (Art. 18 GDPR): obtain restriction of processing in the circumstances provided by law
- Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller
- Right to object (Art. 21 GDPR): object at any time to the processing of your personal data based on legitimate interest, including profiling
- Right not to be subject to automated decision-making (Art. 22 GDPR): not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you
To exercise your rights, you may contact the Controller at official.comunication@tradingdojo.org.
Right to lodge a complaint: You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Rome, Italy, email: garante@gpdp.it, website: www.garanteprivacy.it.
8. Automated Decision-Making and Profiling
Pursuant to Article 22 GDPR, we inform you that Trading Dojo does not employ any automated decision-making process, including profiling, that produces legal effects concerning you or similarly significantly affects you.
In particular:
- Applications for admission to educational programs are evaluated manually by the Trading Dojo team
- No automated profiling is carried out for decision-making purposes
- Device fingerprinting is used exclusively for security purposes (device limits) and not for user profiling
9. Cookies and Tracking Technologies
Trading Dojo uses cookies and similar technologies in compliance with Directive 2002/58/EC (ePrivacy) and the GDPR.
For detailed information about the cookies used, their purposes, duration, and consent management, please refer to our Cookie Policy, available on the dedicated page accessible from the website footer.
Trading Dojo’s analytics system is a custom internal system, not based on third-party services such as Google Analytics. Analytics data collection occurs exclusively with your prior consent (Art. 6(1)(a) GDPR).
10. Data Security
The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Passwords stored exclusively as cryptographic hashes (bcrypt)
- Multi-factor authentication (MFA) available to users
- Role-based access control (RBAC)
- Authorized device control and limitation through device fingerprinting
- Anti-bot protection via reCAPTCHA v3
- DRM protection and watermarking on video content
- Payments processed via bank transfer or cryptocurrency without storing sensitive financial data
- Periodic security monitoring and audits
11. Use of Artificial Intelligence
The Trading Dojo platform is developed with the assistance of Artificial Intelligence technologies (Claude by Anthropic).
Please note the following:
- No student personal data is sent to Artificial Intelligence models. AI is used exclusively in the platform development phase, not in the processing of user data.
- Educational content assisted by AI is always validated and approved by qualified instructors before publication.
- No automated decisions based on AI model outputs are made concerning data subjects.
12. Changes to This Privacy Policy
The Controller reserves the right to amend this privacy policy at any time, notifying users via the platform and, where possible, by email.
Changes shall take effect from the date of publication on the platform. You are therefore encouraged to consult this page periodically to review the latest version.
Where changes concern processing activities whose legal basis is consent, the Controller will obtain new consent from the data subject where necessary.
Regulatory references: Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 (Italian Data Protection Code), Directive 2002/58/EC (ePrivacy).
13. Consequences of Failure to Provide Data
The provision of personal data marked as mandatory is necessary for the following reasons:
- Registration data (name, email, password): failure to provide this data makes it impossible to create an account and access the platform’s services
- Application data: failure to provide this data makes it impossible to evaluate the application and grant access to educational programs
- Payment data: failure to provide this data makes it impossible to process the payment and activate paid services
The provision of data for consent-based purposes (analytics and newsletter) is optional: refusal to give consent does not in any way affect access to or use of the platform’s services.