GDPR Notice
This GDPR Notice provides additional information for users in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland. For purposes of EU GDPR / UK GDPR, the controller is Jointl Inc. (Delaware File Number 7856607, incorporated 2020/02/17, 600 N Broad St Ste 5, Ste 2120, Middletown, 19709, Delaware, USA).
It supplements our Privacy Policy: https://liftx.io/privacy
1. GDPR Contact (Internal)
We have an internal privacy lead responsible for privacy and GDPR-related inquiries for Liftx.
You can contact our GDPR/privacy lead at privacy@liftx.io.
2. Categories of Personal Data
Depending on how you use the Service, we may process:
- Account and identifiers: email address, account ID, authentication and session data.
- Security and technical data: IP address, user agent, device information, timestamps, and security-related events.
- Support communications: messages you send to support and information you choose to provide.
- Exchange connection data: exchange API credentials and connection details you provide. API credentials are encrypted at rest.
- Trading and history data: positions, orders, and trade history received from exchanges (and related trading configuration and strategy parameters) stored to provide monitoring, execution support, historical views, and calculations such as breakeven.
3. Purposes and Legal Bases
We process personal data to provide and secure the Service, operate exchange connections you request, respond to support requests, and comply with legal obligations. Legal bases include:
- Contract necessity (Art. 6(1)(b)) – to provide the Service you request.
- Legitimate interests (Art. 6(1)(f)) – security, abuse prevention, and service reliability.
- Consent (Art. 6(1)(a)) – where required (for example, non-essential cookies/analytics on our marketing website, if enabled).
- Legal obligation (Art. 6(1)(c)) – where applicable.
4. International Transfers and Processing Locations
We may process personal data in the United States, Europe, and Asia (for example, depending on infrastructure location and operational needs).
Where required for international transfers (including transfers from the EEA/UK to third countries), we rely on appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs), and
- the UK Addendum to the SCCs or the UK International Data Transfer Agreement (IDTA) (as applicable).
You may request more information by contacting privacy@liftx.io.
5. Your Rights
Subject to applicable law, you may have rights to:
- access and obtain a copy of your data,
- correct inaccurate data,
- request deletion,
- restrict or object to certain processing,
- receive data portability (in certain circumstances),
- withdraw consent where processing is based on consent.
To exercise these rights, you may use the applicable controls within the Service (including account deletion features where available) or contact privacy@liftx.io. We may need to verify your identity before responding.
6. Complaints
You may lodge a complaint with your local data protection authority. If you are in the UK, you may contact the Information Commissioner’s Office (ICO). In Switzerland, you may contact the Federal Data Protection and Information Commissioner (FDPIC). We encourage you to contact us first so we can try to resolve your concern.
7. GDPR Processing Table
| Purpose | Data categories | Legal basis (EEA/UK) | Retention | Recipients | Locations / Transfers |
|---|---|---|---|---|---|
| Account creation, authentication, sessions | Email, account ID, auth/session tokens, device data | Contract | While active; delete/anonymize within 30 days after deletion; backups up to 35 days | Infrastructure/hosting providers | Processing in USA/Europe/Asia; transfers safeguarded (SCCs + UK Addendum/IDTA as applicable) |
| Security and MFA | IP, user agent, login events, security events, MFA configuration | Legitimate interests | Security logs typically 180 days (longer for incidents) | Security/infra providers | USA/Europe/Asia; safeguarded transfers as applicable |
| Exchange connectivity | Exchange API credentials (encrypted), exchange identifiers | Contract | Until disconnected or account deletion; delete within 30 days; backups up to 35 days | Connected exchanges (as directed); infra providers | USA/Europe/Asia; safeguarded transfers as applicable |
| Monitoring and history features | Positions, orders, trades, timestamps, strategy parameters, derived metrics (e.g., breakeven) | Contract | While active; delete within 30 days after account deletion; backups up to 35 days | Infra providers; connected exchanges | USA/Europe/Asia; safeguarded transfers as applicable |
| Customer support | Support messages, optional guest email, attachments you provide | Contract / Legitimate interests | Typically 24 months after resolution | Email/support tooling providers (if used) | USA/Europe/Asia; safeguarded transfers as applicable |
| Legal compliance and enforcement | Relevant account data, logs, communications | Legal obligation / Legitimate interests | As required by law or to establish/defend legal claims | Authorities (as required), legal advisors | USA/Europe/Asia; safeguarded transfers as applicable |
| Marketing website analytics (future) | Cookie/analytics identifiers (if enabled) | Consent (where required) | Typically 6–24 months depending on configuration | Analytics provider (if enabled) | USA/Europe/Asia; consent + safeguards as applicable |
Post-deletion retention notice: After account deletion, Liftx may retain limited security logs and support communications for the periods specified above, and certain records longer where required by law or to establish, exercise, or defend legal claims. Retained records are not used to restore deleted accounts or to provide the Service.
Last updated: January 18, 2026
