Privacy Policy
Last updated: February 6, 2026
This Privacy Policy explains how Candleflow ("we," "us," or "our") collects, uses, and protects your personal data when you use the CandleFlow platform and website ("Service"). We are committed to protecting your privacy and complying with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
1. Data Controller
The data controller responsible for your personal data is:
Candleflow
Email: hello@candleflow.trade
Website: https://candleflow.trade
2. Data We Collect
| Data Type | Purpose | Legal Basis |
|---|---|---|
| Email address | Account creation, waitlist, communication | Consent / Contract |
| Usage data | Service improvement, debugging | Legitimate interest |
| Payment data | Subscription billing (processed by Stripe) | Contract |
| Trading configuration | Service functionality (risk settings, preferences) | Contract |
| IP address | Security, fraud prevention | Legitimate interest |
We do NOT collect or store:
- Your MT5 broker login credentials (these stay on your device)
- Your trading account balances or positions
- Your trade history beyond what's needed for the Service's functionality
- Any financial data from your broker account
3. How We Use Your Data
- Provide the Service: To operate CandleFlow and deliver the features you've subscribed to.
- Communication: To send you important updates about the Service, including beta invitations, security alerts, and billing information.
- Improvement: To analyze usage patterns and improve the Service (aggregated, anonymized data only).
- Legal compliance: To meet our legal obligations under applicable law.
We will never sell your personal data to third parties. We do not use your data for advertising or profiling.
4. Third-Party Services
We use the following third-party services that may process your data:
- Supabase (database hosting) — EU-hosted, GDPR-compliant. Stores account and waitlist data.
- Cloudflare (website hosting, CDN) — Processes IP addresses for content delivery and security.
- Stripe (payment processing) — Processes payment data. See Stripe's Privacy Policy.
5. Data Retention
- Active accounts: Data is retained for the duration of your subscription plus 30 days.
- Waitlist signups: Email addresses are retained until the beta launch or until you request removal.
- Cancelled accounts: Personal data is deleted within 90 days of account termination, except where retention is required by law (e.g., billing records for tax purposes — up to 10 years).
6. Your Rights (GDPR)
Under the GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Request correction of inaccurate data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Portability: Receive your data in a structured, machine-readable format.
- Restriction: Request restriction of processing in certain circumstances.
- Objection: Object to processing based on legitimate interests.
- Withdraw consent: Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at hello@candleflow.trade. We will respond within 30 days.
7. Cookies
The CandleFlow website uses only essential cookies required for the Service to function (e.g., authentication tokens). We do not use tracking cookies, analytics cookies, or advertising cookies.
8. Data Security
We implement appropriate technical and organizational measures to protect your data, including:
- Encryption in transit (TLS/HTTPS) and at rest
- Access controls and authentication
- Regular security reviews
- Minimal data collection principle
9. International Transfers
Your data is primarily processed within the European Union. Where data is transferred outside the EU (e.g., through third-party services), we ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) or adequacy decisions.
10. Children
The Service is not intended for use by anyone under 18 years of age. We do not knowingly collect data from minors.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes via email or through the Service. The "Last updated" date at the top indicates when this policy was last revised.
12. Contact & Complaints
For privacy-related questions or to exercise your rights:
Email: hello@candleflow.trade
If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. In Germany, this is the relevant state data protection authority (Landesdatenschutzbehörde).