Privacy Policy
Last updated: May 6, 2026
1. Identity and Contact Details of the Data Controller
Pursuant to Article 13 of Regulation (EU) 2016/679 (hereinafter "GDPR"), Legislative Decree 196/2003 (Italian Data Protection Code), and Directive 2002/58/EC (ePrivacy), we inform you that your personal data will be processed by the following Data Controller:
- Controller: DOJO TRADING GROUP SOCIEDAD DE RESPONSABILIDAD LIMITADA
- Registered office: POZOS, Forum Uno, Edificio G, Primer Piso, Oficinas NCC Law, Costa Rica
- Email: official.comunication@tradingdojo.org
- Platform: Trading Dojo (tradingdojo.org)
EU Representative (Art. 27 GDPR):
- Name: Alex Solignani
- Address: Marano sul Panaro (MO), Italy
- Email: official.comunication@tradingdojo.org
2. Types of Personal Data Collected
In the course of providing its services, Trading Dojo collects and processes the following categories of personal data:
Identification and contact data
- Name, email address, phone number, country of residence, address
Authentication data
- Password (stored exclusively as a cryptographic hash), multi-factor authentication (MFA) backup codes
Application data
- Name, date of birth, email, phone number, residence, profession, trading experience level, difficulties encountered, learning objectives, investment availability, salary range
Payment data
- Amount, currency, payment method, bank transfer reference or blockchain transaction ID
Course data
- Course access records, lesson completion status, visibility settings
Trading journal data
- Emotional state (mood), currency pair, trade direction, result, amount, personal notes
Messaging data
- Text messages, attachments exchanged through the internal chat system
Device data
- Device fingerprint, user agent, device type, browser, operating system
Analytics data
- Anonymized visitor ID, pages visited, scroll depth, session duration, referrer, UTM parameters
Bug report data
- Title, problem description, screenshots
3. Purposes and Legal Bases for Processing
Your personal data is processed for the following purposes, each supported by an appropriate legal basis under Article 6 GDPR:
Performance of a contract (Art. 6(1)(b) GDPR)
- Account registration: creation and management of your account on the platform
- Payments: processing of payments via bank transfer or cryptocurrency
- Courses and progress: delivery of the educational service and progress tracking
- Chat and messaging: communication between student and instructor
- Trading journal: provision of the personalized educational tool
- Transactional emails: sending of service-related communications (confirmations, notifications, updates)
Pre-contractual measures (Art. 6(1)(b) GDPR)
- Application: evaluation of your application for admission to educational programs
Legal obligation (Art. 6(1)(c) GDPR)
- Payment data: compliance with tax and accounting obligations under applicable law
Legitimate interest of the Controller (Art. 6(1)(f) GDPR)
- Device fingerprinting: access control and device limit management to protect the integrity of the service
- reCAPTCHA v3 and Cloudflare Turnstile: protection of the platform from bots and abusive behavior
- Cloudflare (CDN, DNS and reverse proxy): anti-DDoS protection, TLS termination and content delivery optimization
- Video watermark: overlay of email address on video content to protect intellectual property
- Bug reports: improvement of service quality and reliability
Consent of the data subject (Art. 6(1)(a) GDPR)
- Analytics (custom internal system): anonymized analysis for service and user experience improvement
- Newsletter: sending of promotional and informational communications. Consent may be withdrawn at any time via the unsubscribe link in each communication or by contacting the Controller
4. Sub-Processors and Data Recipients
To provide its services, the Controller engages the following sub-processors (Art. 28 GDPR), with whom appropriate data processing agreements have been executed:
- Supabase Inc. (USA) — Database, authentication, realtime functionality, and storage. Safeguards for extra-EU transfers: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). Privacy: supabase.com/privacy.
- VdoCipher (VdoTok Tech Pvt. Ltd.) (India) — DRM-protected video hosting with watermark. Safeguards: Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914. Privacy: vdocipher.com/privacy.
- Vercel Inc. (USA) — Web application hosting. Safeguards: DPF + SCCs. Privacy: vercel.com/legal/privacy-policy.
- Amazon Web Services EMEA SARL (registered office Luxembourg; primary data centers in Ireland — eu-west-1 region) — Cloud infrastructure (S3 storage, CloudFront CDN distribution) used by the sub-processors Supabase, Vercel, and VdoCipher to host data and deliver video and static content. The data subject’s browser may communicate directly with AWS servers when loading resources (e.g., files from Supabase Storage or VdoCipher videos). Safeguards: EU-US Data Privacy Framework (DPF) and Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914. Privacy: aws.amazon.com/privacy.
- Google LLC (USA) — reCAPTCHA v3 anti-bot service. Safeguards: DPF + SCCs. Privacy: policies.google.com/privacy.
- Cloudflare, Inc. (USA) — CDN, DNS, reverse proxy with TLS termination, anti-DDoS protection and Turnstile service for anti-bot verification on authentication forms. Cloudflare processes IP address, HTTP headers, User-Agent and behavioral signals necessary for the service to operate. Safeguards: DPF + SCCs. Privacy: cloudflare.com/privacypolicy.
Personal data is not disclosed to third parties for marketing purposes. Data may be communicated to competent authorities in cases required by law.
The list of data processors may be updated periodically. The latest version is always available on this page.
5. International Data Transfers
Some of the sub-processors listed in the previous section are established outside the European Economic Area (EEA). Transfers of personal data to such third countries are carried out in compliance with Chapter V of the GDPR (Articles 44–49), based on the following appropriate safeguards:
United States of America (Supabase, Vercel, Google, Cloudflare, and Amazon Web Services for U.S. endpoints)
- European Commission adequacy decision regarding the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795 of 10 July 2023)
- Standard Contractual Clauses (SCCs) adopted pursuant to Commission Implementing Decision (EU) 2021/914, as an additional safeguard
Luxembourg / Ireland (Amazon Web Services EMEA SARL)
- Processing within the European Economic Area (EEA), with the safeguards of the GDPR directly applicable
- Standard Contractual Clauses (SCCs) for any technical transfers to other AWS regions, pursuant to Commission Implementing Decision (EU) 2021/914
India (VdoCipher)
- Standard Contractual Clauses (SCCs) pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021
You have the right to obtain a copy of the appropriate safeguards in place by contacting the Controller at official.comunication@tradingdojo.org.
6. Data Retention Periods
Personal data is retained for the time strictly necessary to fulfill the purposes for which it was collected, in accordance with the principle of storage limitation (Art. 5(1)(e) GDPR):
- Profile data (name, email, preferences, account): for the duration of the contractual relationship, plus 30 days after termination (subject to earlier deletion upon request by the data subject)
- Administrative, tax and payment data (invoice headers, transaction records, receipts): 10 years from the date of the transaction (Art. 2220 of the Italian Civil Code and Italian Presidential Decree 633/72)
- Application data: 2 years from the date of the decision regarding the application
- Course progress: for the duration of course access, plus 1 year after termination
- Chat messages: for the duration of the contractual relationship, plus 6 months after termination
- Trading journal data: for the duration of the contractual relationship, plus 30 days after termination
- Device fingerprints: 6 months from the last access with the device
- Analytics data: 26 months from collection
- Bug reports: 1 year from the resolution of the reported issue
- Email logs: 2 years from dispatch
- Cookie consent log: 13 months from the date of consent (Italian Garante guidelines 10/06/2021)
Personal data may be retained beyond the above periods only insofar as strictly necessary for the establishment, exercise, or defense of a legal claim, pursuant to Art. 17(3)(e) GDPR (ordinary ten-year limitation period under Art. 2946 of the Italian Civil Code).
Upon expiration of the above periods, data will be securely deleted or irreversibly anonymized.
7. Rights of the Data Subject
As a data subject, you may exercise the following rights under Articles 15–22 of the GDPR:
- Right of access (Art. 15 GDPR): obtain confirmation as to whether your personal data is being processed and access its content
- Right to rectification (Art. 16 GDPR): obtain the correction of inaccurate personal data or the completion of incomplete data
- Right to erasure (Art. 17 GDPR): obtain the deletion of your personal data, unless processing is necessary for compliance with legal obligations (e.g., tax requirements) or for the establishment, exercise, or defense of legal claims
- Right to restriction of processing (Art. 18 GDPR): obtain restriction of processing in the circumstances provided by law
- Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used, and machine-readable format, and transmit it to another controller
- Right to object (Art. 21 GDPR): object at any time to the processing of your personal data based on legitimate interest, including profiling
- Right not to be subject to automated decision-making (Art. 22 GDPR): not to be subject to a decision based solely on automated processing that produces legal effects concerning you or similarly significantly affects you
To exercise your rights, you may contact the Controller at official.comunication@tradingdojo.org.
Right to lodge a complaint: You also have the right to lodge a complaint with the Italian Data Protection Authority (Garante per la Protezione dei Dati Personali), Piazza Venezia 11, 00187 Rome, Italy, email: garante@gpdp.it, website: www.garanteprivacy.it.
8. Automated Decision-Making and Profiling
Pursuant to Article 22 GDPR, we inform you that Trading Dojo does not employ any automated decision-making process, including profiling, that produces legal effects concerning you or similarly significantly affects you.
In particular:
- Applications for admission to educational programs are evaluated manually by the Trading Dojo team
- No automated profiling is carried out for decision-making purposes
- Device fingerprinting is used exclusively for security purposes (device limits) and not for user profiling
9. Cookies and Tracking Technologies
Trading Dojo uses cookies and similar technologies in compliance with Directive 2002/58/EC (ePrivacy) and the GDPR.
For detailed information about the cookies used, their purposes, duration, and consent management, please refer to our Cookie Policy.
Trading Dojo’s analytics system is a custom internal system, not based on third-party services such as Google Analytics. Analytics data collection occurs exclusively with your prior consent (Art. 6(1)(a) GDPR).
10. Data Security
The Controller implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, pursuant to Article 32 GDPR, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- Passwords stored exclusively as cryptographic hashes (bcrypt)
- Role-based access control (RBAC)
- Authorized device control and limitation through device fingerprinting
- Anti-bot protection via reCAPTCHA v3 and Cloudflare Turnstile
- DRM protection and watermarking on video content
- Periodic security monitoring and audits
- Retention of a cookie consent audit log for accountability purposes (Art. 5(2) GDPR), stored for 13 months from collection
11. Changes to This Privacy Policy
The Controller reserves the right to amend this privacy policy at any time, notifying users via the platform and, where possible, by email.
Changes shall take effect from the date of publication on the platform. You are therefore encouraged to consult this page periodically to review the latest version.
Where changes concern processing activities whose legal basis is consent, the Controller will obtain new consent from the data subject where necessary.
Regulatory references: Regulation (EU) 2016/679 (GDPR), Legislative Decree 196/2003 (Italian Data Protection Code), Directive 2002/58/EC (ePrivacy).
12. Consequences of Failure to Provide Data
The provision of personal data marked as mandatory is necessary for the following reasons:
- Registration data (name, email, password): failure to provide this data makes it impossible to create an account and access the platform’s services
- Application data: failure to provide this data makes it impossible to evaluate the application and grant access to educational programs
- Payment data: failure to provide this data makes it impossible to process the payment and activate paid services
The provision of data for consent-based purposes (analytics and newsletter) is optional: refusal to give consent does not in any way affect access to or use of the platform’s services.