Sovereign Trader

Privacy Policy

Effective Date: April 12, 2026 · Version 1.4

Plain-Language Summary

What we collect: Your Telegram user ID, the text you type or speak into the bot, your Zen Check answers, journal entries, and basic usage data.

Why: To generate personalised AI coaching, session summaries, and weekly reviews — the core function of the Service.

Who sees it: Your data is sent to OpenAI's API and Anthropic's API for AI response generation. Neither provider uses API data for model training. We do not sell, share, or monetise your data.

Your control: You can download all your data or delete your account at any time via Settings in the web dashboard.

Section 1 Controller and Contact Information

1.1 The data controller responsible for the processing of your personal data within the meaning of Article 4(7) of the General Data Protection Regulation (EU) 2016/679 ("GDPR") is:

Rainer Arnst Software
Waldstr. 2
12621 Berlin, Germany
Email: legal@sovereigntrader.net

1.2 Given the current scope of data processing, the appointment of a Data Protection Officer (DPO) is not legally required under Article 37 GDPR. Should this change, this section will be updated accordingly.

Section 2 Data We Collect

We collect and process the following categories of personal data:

Data Category Specific Data Source
Account & Identity Telegram user ID, Telegram username (if public), display name; web dashboard login credentials (email, hashed password) Provided by you upon registration / Telegram interaction
Zen Check Data Answers to psychological readiness questions, composite scores, Go/Caution/No-Trade verdicts, timestamps Provided by you during pre-session check-ins
Session & Journal Data Session preparation notes, free-text journal entries, session reflections, trading rules you define, AI coaching conversation logs Provided by you through Telegram or web dashboard
Voice Data Voice messages submitted via Telegram (temporarily); text transcriptions of voice messages (retained) Provided by you via Telegram voice notes
Strategize Data Economic calendar events, market overview data retrieved on your behalf from public sources Third-party public data sources (Investing.com, ForexFactory, etc.)
Usage & Technical Data Timestamps of interactions, feature usage patterns, error logs, IP addresses (web dashboard only), browser type (web dashboard only) Automatically collected through system logs
Weekly Review Data AI-generated weekly summaries, pattern analyses, rule adherence metrics derived from the above data categories Generated by the Service from your existing data

2.2 Special Category Data. The free-text nature of journal entries, Zen Check answers, and coaching conversations means you may voluntarily share information about your emotional state, stress level, psychological readiness, or mental well-being. Under Article 9(1) GDPR, such information constitutes a special category of personal data. We process it only on the basis of your explicit consent (Article 9(2)(a) GDPR), which you provide at account creation. See Section 2.4 for full details.

2.3 Voice recordings. When you send a voice message via Telegram, the audio file is received by the Service, transcribed to text using a speech-to-text API, and then the original audio file is deleted. Only the text transcription is retained. Voice data is used for transcription purposes only and is not used for biometric identification.

2.4 Processing of Special Categories of Personal Data (Article 9 GDPR). Sovereign Trader is a trading psychology tool. You may voluntarily share information about your emotional state, stress level, psychological readiness, or mental well-being in your journal entries, Zen Check answers, and conversations with the AI coach. Under Article 9(1) GDPR, this constitutes a special category of personal data requiring a heightened legal basis.

Legal Basis: We process this data solely on the basis of your explicit consent pursuant to Article 9(2)(a) GDPR. You provide this consent during account creation by actively ticking the corresponding checkbox. You may withdraw this consent at any time via Settings → Privacy & Consents in the web dashboard or by contacting legal@sovereigntrader.net. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Consequences of Withdrawal: Because the core coaching functionality depends on processing psychological-state data, withdrawing this consent will effectively terminate your ability to use the Service. We will delete the corresponding data in accordance with our retention schedule.

Purpose Limitation: We use this data exclusively for delivering the coaching and accountability features you have subscribed to. We do not profile you, sell this data, use it for advertising, or share it with third parties other than the sub-processors listed in Section 4, which act strictly on our instructions under Article 28 GDPR.

Section 3 Purposes and Legal Bases for Processing

We process your personal data for the following purposes, on the following legal bases under Article 6(1) GDPR:

Purpose Legal Basis
Providing the core Service: Zen Check, Prepare phase, AI coaching, journaling, weekly reviews Art. 6(1)(b) — Performance of a contract (the Terms of Service)
Transmitting input text to OpenAI and Anthropic APIs for AI response generation Art. 6(1)(b) — Performance of a contract; Art. 6(1)(a) — Consent (you are informed upon onboarding that AI processing involves third-party APIs)
Transcribing voice messages to text Art. 6(1)(b) — Performance of a contract
Generating aggregated and anonymised usage analytics to improve the Service Art. 6(1)(f) — Legitimate interest (product improvement)
Maintaining system security, preventing abuse, and troubleshooting errors Art. 6(1)(f) — Legitimate interest (security and operational integrity)
Sending you service-related communications (e.g., feature updates, Terms changes) Art. 6(1)(b) — Performance of a contract
Complying with legal obligations (e.g., responding to lawful data access requests) Art. 6(1)(c) — Legal obligation
Special category data (psychological / emotional state voluntarily shared in journal entries, Zen Check answers, and coaching conversations) Art. 9(2)(a) GDPR — Explicit consent

3.2 We do not process your data for profiling, automated decision-making with legal or similarly significant effects, advertising, or marketing to third parties.

Section 4 Third-Party Processors and Data Transfers

The following third-party service providers process personal data on our behalf:

Provider Purpose Data Transferred Location Safeguards
OpenAI, Inc. AI response generation via API Input text (including transcribed voice), conversation context USA EU-US Data Privacy Framework; OpenAI DPA; API data not used for training
OpenAI, Inc. (Whisper) Speech-to-text transcription Voice audio files (deleted after transcription) USA EU-US Data Privacy Framework; OpenAI DPA
Anthropic, Inc. AI response generation via Claude API (coaching, weekly reviews, session scoring) Input text, conversation context USA EU-US Data Privacy Framework; Anthropic DPA; API data not used for training
Telegram FZ-LLC Message delivery platform Telegram user ID, message content in transit UAE / Global Telegram's own Privacy Policy; messages processed via Bot API
Hetzner Online GmbH Server hosting and backups All stored data (encrypted at rest) Germany (EU) GDPR-compliant EU hosting; ISO 27001 certified data centres
Stripe, Inc. Payment processing and subscription management Email address, payment card details (not stored by us), billing address; Stripe customer and subscription IDs stored on our servers USA / Global EU-US Data Privacy Framework; Stripe DPA; PCI DSS Level 1 certified; card data stored by Stripe only
Brevo (Sendinblue SAS) Transactional email delivery (subscription notifications, billing alerts) Email address, display name France (EU) GDPR-compliant EU processor; Brevo DPA; ISO 27001 certified
Sentry (Functional Software, Inc.) Error monitoring and logging Error logs, stack traces (may incidentally contain user IDs or request metadata) USA EU-US Data Privacy Framework; Sentry DPA; data scrubbing configured to minimise personal data in error reports

4.2 International Transfers. Some of the above providers are located outside the European Economic Area (EEA), specifically in the United States. These transfers are protected by the EU-US Data Privacy Framework (adequacy decision of the European Commission, July 2023) and, where applicable, by Standard Contractual Clauses (SCCs) as a supplementary safeguard. If the EU-US Data Privacy Framework is invalidated or modified, we will implement alternative transfer mechanisms as required by law.

4.3 We do not sell, rent, or share your personal data with any third parties for their own marketing or commercial purposes.

4.4 Sub-Processor Agreements. We work with the sub-processors listed above under Data Processing Agreements (Article 28 GDPR) where such agreements are provided by the sub-processor. The current status of these agreements is as follows:

  • Anthropic, Inc. — DPA auto-incorporated into Anthropic Commercial Terms of Service (accepted February 2026). Full text: anthropic.com/legal/data-processing-addendum
  • OpenAI, Inc. — DPA incorporated by reference into OpenAI Services Agreement (accepted at account creation). Full text: openai.com/policies/data-processing-addendum
  • Stripe, Inc. — DPA accepted via merchant terms
  • Hetzner Online GmbH — AV-Vertrag nach Art. 28 DSGVO digital akzeptiert am 11.04.2026 (Version 1.2, 16.02.2026). Verarbeitung ausschließlich in EU (Standort Nürnberg, nbg1-dc3).
  • Telegram FZ-LLC — Independent platform provider for message delivery; not a data processor under Article 28 GDPR. Telegram processes message delivery data under its own privacy policy. No Data Processing Agreement is applicable to this relationship. See Telegram Bot Developer Terms of Service.
  • Functional Software, Inc. (Sentry) — DPA pending — Sentry is not yet active. DPA (v5.1.0) will be accepted in Sentry account settings at service activation. Full text: sentry.io/legal/dpa
  • Sendinblue SAS (Brevo) — DPA auto-incorporated as Appendix 3 of Brevo Terms of Service (accepted at account creation). Full text: brevo.com/legal/termsofuse

Copies of executed DPAs are available upon request at legal@sovereigntrader.net.

Section 5 Data Retention

Data Type Retention Period
Voice audio files Deleted immediately after successful transcription (typically within seconds)
Voice transcriptions Retained for the duration of your account
Zen Check data, journal entries, session data Retained for the duration of your account
AI coaching conversation logs Retained for the duration of your account
Weekly review summaries Retained for the duration of your account
Account credentials & identity data Retained for the duration of your account; deleted within 30 days of account closure
Server access logs (IP, browser) 90 days, then automatically purged
Error logs (Sentry) 90 days (Sentry default retention), then automatically purged
Database backups (Hetzner) Rolling 7-day backup cycle; older backups automatically overwritten

5.2 When you request data deletion (via Settings → Delete Account in the web dashboard or by email to legal@sovereigntrader.net), all personal data associated with your account is permanently deleted from the production database within 7 days. Data in automated backups will be overwritten within the backup rotation cycle (up to 7 additional days). Data that has already been transmitted to OpenAI's API is subject to OpenAI's own retention policies; under their current API terms, API input and output data is retained for up to 30 days for abuse monitoring purposes and then deleted.

Section 6 Your Rights Under GDPR

As a data subject under GDPR, you have the following rights. To exercise any of these rights, contact us at legal@sovereigntrader.net or use Settings → Delete Account in the web dashboard for self-service deletion.

Right of Access (Art. 15)
Request a copy of all personal data we hold about you, including AI conversation logs and Zen Check history.
Right to Rectification (Art. 16)
Request correction of inaccurate or incomplete personal data.
Right to Erasure (Art. 17)
Request deletion of all your personal data. Use Settings → Delete Account in the web dashboard for self-service deletion.
Right to Restrict Processing (Art. 18)
Request that we limit how we process your data in certain circumstances.
Right to Data Portability (Art. 20)
Receive your data in a structured, commonly used, machine-readable format (CSV). Use Settings → Data Export in the web dashboard for a self-service ZIP download.
Right to Object (Art. 21)
Object to processing based on legitimate interest. We will cease processing unless we have compelling grounds.
Right to Withdraw Consent (Art. 7(3))
Withdraw consent at any time where processing is based on consent, without affecting the lawfulness of prior processing. To withdraw your Art. 9 GDPR consent for special category data, use Settings → Privacy & Consents in the web dashboard.
Right to Lodge a Complaint (Art. 77)
File a complaint with a supervisory authority. For Germany: your state data protection authority (Landesdatenschutzbeauftragter).

6.2 We will respond to data subject requests within 30 days of receipt, as required by GDPR. If a request is complex or we receive a high volume of requests, we may extend this period by an additional 60 days, in which case we will notify you of the extension and the reasons for it.

6.3 We may ask you to verify your identity before processing a request, to ensure we do not disclose personal data to an unauthorised person.

Section 7 Data Security

7.1 We implement the following technical and organisational measures to protect your data:

  • All data in transit is encrypted using TLS 1.2 or higher (HTTPS);
  • Database contents are encrypted at rest on the hosting server;
  • Passwords are hashed using industry-standard algorithms (bcrypt) and are never stored in plaintext;
  • Server access is restricted via SSH key authentication with fail2ban intrusion prevention;
  • A firewall (UFW) restricts inbound connections to necessary ports only;
  • Error monitoring (Sentry) is configured with data scrubbing to minimise personal data in logs;
  • Automated daily backups with a 7-day retention cycle;
  • Access to production systems is limited to the Operator.

7.2 Despite these measures, no system is completely secure. In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours as required by Article 33 GDPR and will notify affected individuals without undue delay as required by Article 34 GDPR where the breach is likely to result in a high risk.

Section 8 Cookies and Tracking

8.1 The web dashboard uses only strictly necessary cookies required for authentication, session management, and temporary workflow state. These cookies are essential for the functioning of the Service and do not require consent under the ePrivacy Directive.

8.2 Cookies set by the Service:

  • access_token — Authentication JWT; httponly; expires after 7 days.
  • promo_code — Temporary promo/invite code entered before Telegram login; httponly; expires after 30 minutes. Cleared immediately after the Telegram callback.
  • promo_coupon — Stripe coupon ID derived from a promo code; httponly; expires after 1 hour. Cleared immediately after checkout.

8.3 We do not use analytics cookies, advertising cookies, tracking pixels, social media widgets, or any third-party tracking technologies on the web dashboard.

8.4 The Telegram bot interface does not set or read cookies.

Section 9 AI-Specific Disclosures

This section provides transparency about how AI is used in the Service, in accordance with the EU AI Act and GDPR.

9.1 The Service uses artificial intelligence (specifically, large language models) to generate coaching responses, session summaries, weekly reviews, and other textual outputs. You are interacting with an AI system, not a human.

9.2 How your data flows through the AI system:

  1. You submit text or a voice message via Telegram or the web dashboard.
  2. If voice, the audio is transcribed to text via OpenAI Whisper API. The original audio is then deleted.
  3. Your input text, together with relevant conversation context (recent messages, your Zen Check score, your defined trading rules), is assembled into a prompt.
  4. The prompt is sent to OpenAI's Chat Completions API or Anthropic's Claude API (depending on the feature), which returns an AI-generated response.
  5. The response is delivered to you and stored in your conversation history.
  6. Your conversation history is stored in our database on Hetzner servers in Germany.

9.3 Under OpenAI's current API data usage policy, data submitted through the API is not used to train OpenAI's models. OpenAI may retain API inputs and outputs for up to 30 days for abuse and misuse monitoring, after which it is deleted. For current details, see OpenAI's API Data Usage Policies.

9.4 Under Anthropic's current usage policy, data submitted via the API is not used to train Anthropic's models. Anthropic may retain API inputs and outputs for a limited period for trust and safety purposes. For current details, see Anthropic's Privacy Policy.

9.5 The AI system does not: make automated decisions with legal or similarly significant effects on you; access your brokerage account, live trading positions, or financial accounts; perform biometric identification or emotion recognition in the sense of the EU AI Act; or generate content that is represented as human-created.

9.6 AI-generated outputs may be inaccurate. The Service does not guarantee the accuracy, completeness, or appropriateness of any AI-generated content.

Section 10 Children's Privacy

The Service is not directed at individuals under the age of 18. We do not knowingly collect personal data from minors. If we become aware that a minor has provided personal data to us, we will delete such data promptly.

Section 11 Information for United States Residents

Sovereign Trader is operated from Germany under German and European Union law. If you are a resident of the United States, this section provides additional information about how we handle your personal data under applicable US state privacy laws.

11.1 Your Rights (California, Virginia, Colorado, Connecticut, Utah). Regardless of whether the respective US state privacy laws formally apply to the Operator, we voluntarily extend the following rights to all US residents:

  • Right to Know / Right to Access — Request a copy of all personal data we hold about you
  • Right to Delete / Right to Erasure — Request that we delete your personal data, subject to limited legal exceptions
  • Right to Correct — Request correction of inaccurate data
  • Right to Data Portability — Receive your data in a portable, machine-readable format (CSV/ZIP)
  • Right to Opt Out of Sale or Sharing — We do not sell or share your personal data with third parties for cross-context behavioural advertising. This right is therefore not applicable but is preserved for you in case our practices ever change.
  • Right to Non-Discrimination — We will not discriminate against you for exercising any of these rights.

11.2 How to Exercise Your Rights. Send an email to legal@sovereigntrader.net with the subject "US Privacy Request" or use Settings → Delete Account in the web dashboard. We will verify your identity (typically via the email address or Telegram account associated with your subscription) and respond within 45 days.

11.3 Do Not Sell or Share. We do not sell personal information. We do not share personal information for cross-context behavioural advertising. We do not use personal information to train AI models — our AI sub-processors (OpenAI, Anthropic) contractually confirm they do not use API input for model training.

11.4 Sensitive Personal Information. Under CPRA (California), information about mental or physical health is classified as sensitive personal information. Where you voluntarily share such information in journal entries, we use it solely to deliver the coaching service you have subscribed to. You may limit our use of this data at any time by contacting us or by deleting your account via Settings → Delete Account.

Section 12 Changes to This Privacy Policy

12.1 We may update this Privacy Policy from time to time to reflect changes in our data practices, legal requirements, or Service features. Material changes will be communicated to you via the Telegram bot or the web dashboard at least fourteen (14) days before they take effect.

12.2 The "Effective Date" at the top of this document will be updated to reflect the date of the most recent version.

12.3 We encourage you to review this Privacy Policy periodically.

Section 13 Contact and Complaints

For any questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, contact:

Rainer Arnst Software
Waldstr. 2
12621 Berlin, Germany
Email: legal@sovereigntrader.net

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or the place of the alleged infringement. In Germany, this is the data protection authority (Datenschutzaufsichtsbehörde) of the federal state (Bundesland) in which the Operator is established.

This document was last updated on April 11, 2026 (v1.3). Please also review our Terms of Service.