Privacy Policy
Last updated: April 27, 2026
This Privacy Policy explains how SignalFlow ("we", "us", or "our") collects, uses, and protects your information when you use the service at signalflow.fyi (the "Service"). SignalFlow is operated as an independent service by a solo developer; for any privacy question or data request, contact support@signalflow.fyi.
1. Information We Collect
We collect only what's needed to run the Service. Specifically:
- Account information. Your email address, a hashed password, and account preferences (notification settings, default risk parameters, etc.).
- Telegram session data. When you connect Telegram channels, we store the session credentials needed to read messages from those channels on your behalf. We only read messages from channels you explicitly connect.
- Broker credentials. The API tokens, login IDs, and server identifiers required for MetaAPI to execute trades on your connected MT4 or MT5 accounts. We do not store your broker password and we cannot withdraw funds.
- Trade activity. Signals parsed from your channels, the trades opened/closed on your behalf, position sizes, fill prices, P&L, and execution timestamps.
- Usage logs and diagnostics. IP address, user agent, page paths, error logs, and timestamps. Used for debugging, abuse prevention, and security.
- Billing information. If you subscribe, our payment processor (Stripe) collects payment details directly. We do not see or store your card number; we receive only subscription status and the last four digits.
2. How We Use Your Information
- To run the signal copying service and execute trades you've authorized.
- To parse incoming Telegram messages into structured trade instructions.
- To bill you for subscriptions and process refunds.
- To send service-critical emails (account, billing, security, outage notices).
- To detect and prevent fraud, abuse, and security incidents.
- To improve the Service — typically by reviewing aggregated logs and error patterns.
We do not use your data to train AI models, sell it to third parties, or build advertising profiles.
3. Legal Bases for Processing (GDPR / UK-GDPR)
If you are in the EEA, UK, or Switzerland, our legal bases for processing your data are:
- Contract — most processing (account, trade execution, billing) is necessary to deliver the Service you signed up for.
- Legitimate interests — abuse prevention, security logging, and product improvement.
- Legal obligation — tax records and responding to lawful requests from authorities.
- Consent — only where we explicitly ask for it (e.g., optional marketing emails, if we ever offer them).
4. Sub-Processors
We use the following third parties to operate the Service. Each is bound by its own terms and processes data only for the function described:
- MetaAPI (metaapi.cloud) — connects to your broker accounts and executes trades. Receives broker credentials and trade instructions.
- DigitalOcean — hosts our servers and database. Stores all user data at rest. Servers are located in the United States.
- Anthropic (Claude API) — parses raw Telegram signal text into structured trade instructions. Receives the message text from your connected channels at the moment of parsing. Anthropic does not retain API inputs for our usage tier and does not use them to train models.
- Telegram — origin of the signals you choose to copy. We use Telegram's API with the session you authorize.
- Stripe — handles subscription payments. Stripe collects and stores payment card details directly under its own privacy policy.
If we add or change a sub-processor, we'll update this list.
5. International Data Transfers
Our servers are located in the United States. If you access the Service from outside the US, your data is transferred to and stored in the US. Where applicable (transfers from the EEA, UK, or Switzerland), we rely on standard contractual mechanisms with our sub-processors, including Standard Contractual Clauses where available. By using the Service, you understand and consent to this transfer.
6. Data Retention
- Account data — kept while your account is active. Deleted within 30 days of account closure, except where we are legally required to retain records.
- Trade history — kept for 12 months for support and audit purposes, then deleted or anonymized.
- Usage logs — kept for 90 days, then rotated.
- Telegram session credentials — kept while your account is active; revoked and deleted on disconnection or account closure.
- Broker credentials — kept while your account is active; deleted on disconnection or account closure.
- Billing records — retained as required by tax law (typically 7 years).
7. Your Rights
Depending on where you live, you have the following rights regarding your personal data.
If you are in the EEA, UK, or Switzerland (GDPR / UK-GDPR)
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — request deletion of your data, subject to legal retention obligations.
- Restriction — limit how we process your data.
- Portability — receive your data in a machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — at any time, where consent is the legal basis.
- Lodge a complaint — with your local data protection authority.
If you are in California (CCPA / CPRA)
- Right to know what personal information we collect, use, and share.
- Right to delete personal information we hold about you.
- Right to correct inaccurate personal information.
- Right to opt out of the sale or sharing of personal information — we do not sell or share personal information.
- Right to non-discrimination for exercising your rights.
To exercise any of these rights, email support@signalflow.fyi. We'll respond within 30 days. We may need to verify your identity before acting on a request.
8. Security
We take reasonable steps to protect your data:
- All traffic uses TLS 1.2 or higher.
- Broker API credentials and Telegram session data are encrypted at rest.
- Account passwords are hashed with bcrypt; we never store plaintext passwords.
- Server access is restricted via SSH keys and firewall rules.
- We do not store payment card numbers.
No system is 100% secure, but we treat security as a first-class concern.
9. Data Breach Notification
If we discover a security breach that affects your personal data, we will notify affected users by email within 72 hours of confirming the breach, in line with GDPR Articles 33–34 and applicable US state breach laws. The notice will explain what happened, what data was affected, what we're doing about it, and what (if anything) you should do.
10. Cookies
We use essential cookies only — for session management and keeping you logged in. We do not use tracking cookies, advertising cookies, or third-party analytics that profile you across sites.
11. Children
SignalFlow is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll delete the account.
12. Changes to This Policy
If we make material changes to this policy, we'll update the "Last updated" date and email registered users at least 14 days before the changes take effect. Minor edits (typos, clarifications) may go in without notice.
13. Contact
For privacy questions, data requests, or concerns, email support@signalflow.fyi.