Legal
Privacy policy.
This policy explains what personal data XCopier collects, why we collect it, how we store it and what rights you have over it.
Last updated: 1 July 2026 · Effective immediately.
1. Who we are
"XCopier", "we", "us" and "our" refer to XCopier Labs and its affiliates. This policy applies to the website, dashboards and APIs operated by us. Contact for privacy matters: privacy@xcopier.app.
2. Data we collect
We only collect what we need to operate the platform:
- Account data: email address, display name, hashed password (bcrypt), optional profile image, role (COPIER/TRADER).
- Trader profile (traders only): bio, country, strategy, risk level, monthly price, avatar.
- Solana wallet addresses: any public address you connect for payments and the deposit address we generate for you. We never store or ask for your private keys or seed phrase.
- Payment records: on-chain transaction signatures, amount in SOL and USD equivalent at settlement, sender and recipient addresses. This data is by nature public on the Solana blockchain.
- MetaTrader account metadata (if you connect one): broker, server, login ID, label. We do not receive or store your MT4/MT5 password.
- Session data: NextAuth session token stored in an HTTP-only cookie.
- Technical logs: request IP, user agent, timestamp, endpoint. Kept for security and abuse prevention.
3. Why we collect it
- Provide the core service (authentication, subscription management, payment verification, notifications).
- Comply with legal obligations, including anti-fraud and sanctions screening.
- Improve reliability and prevent abuse (rate limiting, security monitoring).
- Communicate essential updates: account, billing, security notices.
We do not sell your personal data. We do not use it for third-party advertising.
4. Legal basis (GDPR / equivalents)
Where GDPR or an equivalent law applies, we rely on:
- Contract performance for account creation, subscription and payment processing.
- Legitimate interest for logging, fraud prevention and platform security.
- Legal obligation for tax, sanctions and financial-crime compliance.
- Consent for optional communications (you can withdraw at any time from your settings).
5. Cookies and local storage
We use a single strictly-necessary session cookie set by NextAuth to keep you signed in. It is HTTP-only, secure and same-site. We do not use tracking cookies or third-party analytics that require consent under the GDPR ePrivacy directive.
6. On-chain data
Payments happen on the Solana network. Once a payment leaves your wallet, its details (sender, recipient, amount, timestamp, signature) become part of the public Solana ledger and are outside our control. We store the transaction signature and a snapshot of the settlement price in our own database for accounting and dispute resolution.
7. Sharing with third parties
We share data only with providers that help us run the service. Current processors:
- Vercel Inc. — hosting and CDN (USA).
- Neon Postgres — managed database (USA, EU regions available).
- CoinGecko — SOL/USD price oracle. We do not send them personal data.
- Solana Foundation RPC endpoints — read/write to the blockchain.
- Email provider (Resend or equivalent) — transactional email delivery.
All processors are bound by written agreements requiring appropriate technical and organisational safeguards.
8. Data retention
We keep account data for as long as your account is active. Once you delete your account we remove personal data within 30 days, except records we must retain for legal reasons (typically 5–7 years for financial transactions).
9. Your rights
Depending on where you live you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your account and associated data (except records we must legally retain).
- Object to or restrict certain processing.
- Data portability in a machine-readable format.
- Lodge a complaint with your local supervisory authority.
Reach us at privacy@xcopier.app. We respond within 30 days.
10. Security
We use TLS in transit, encryption at rest for deposit key material (AES-256-GCM with HKDF-derived keys), least-privilege database access, and rate limiting on public endpoints. No system is perfectly secure — if we detect a breach that affects you, we will notify you and the relevant supervisory authority as required by law.
11. Children
XCopier is not directed to children under 18. We do not knowingly collect data from children. If you believe we have, contact us and we will delete the record.
12. International transfers
Our infrastructure is primarily hosted in the United States. If you access XCopier from outside the USA your data will be transferred there. Where required we use standard contractual clauses or equivalent safeguards.
13. Changes to this policy
We may update this policy from time to time. Material changes are notified by email or in-product notice at least 14 days before they take effect. Continued use of the platform after that date constitutes acceptance.