Privacy Policy
This Privacy Policy explains how Jointl Inc. (Delaware File Number 7856607, incorporated 2020/02/17, 600 N Broad St Ste 5, Ste 2120, Middletown, 19709, Delaware, USA) (“Liftx”, “we”, “us”, “our”) collects, uses, and shares information when you use Liftx’s websites, applications, and related services (collectively, the “Service”).
1. Scope
This Policy applies to information we process when you:
- use the Liftx applications and services,
- visit our websites (including marketing pages), and/or
- contact our support team.
2. Information We Collect
We collect information in three ways: (a) information you provide, (b) information collected automatically, and (c) information we receive from third parties (primarily exchanges you connect).
2.1 Information you provide
- Account information: email address and authentication data needed to create and secure your account.
- Security settings: information needed to enable security features such as MFA (for example, MFA configuration data).
- Support communications: messages and attachments you send to support. If support chat is available to guests, you may optionally provide an email address so we can follow up.
- Exchange connection data: exchange API credentials and related connection details you choose to link. We store API credentials encrypted at rest.
2.2 Information collected automatically
- Device and technical data: device type, operating system, app version, language settings, and similar device signals.
- Security and log data: IP address, user agent, timestamps, log-in events, and security-related events used to protect accounts and prevent abuse.
- Notifications data: device push token if you enable push notifications.
2.3 Information from third parties (exchanges you connect)
When you connect an exchange account at your direction, the exchange may provide data to the Service through its API. Depending on the exchange and the permissions you grant, this may include:
- account and exchange identifiers (non-secret identifiers),
- balances, positions, and order information (including order status updates),
- market data needed to display prices and order execution details.
2.4 Required and optional information
Some personal data is required to create an account and provide the Service (for example, your email address and authentication/session data). Other data is optional and depends on which features you choose to use:
- If you connect an exchange, exchange connection data and related trading/position/order data are required for that functionality.
- If you enable push notifications, we process a device push token.
- Support communications are voluntary, but we may need certain information to investigate and respond.
If you choose not to provide required information, we may not be able to provide some or all of the Service.
3. How We Use Information
We use information to:
- provide and operate the Service and its features,
- authenticate users and maintain sessions,
- connect to third-party exchanges at your direction and within permissions you configure,
- store and display positions, orders, and trade history to provide monitoring, historical views, and calculations (for example, breakeven and performance metrics),
- provide customer support,
- protect the Service and users (security monitoring, abuse prevention, and incident response),
- comply with legal obligations and enforce our Terms.
4. User Controls and Deletion Requests
You control exchange connections and trading data within the Service, including by disconnecting an exchange or deleting your account.
You may delete your Liftx account at any time:
- directly within the application by using the Delete Account option in account settings, or
- by contacting privacy@liftx.io if you are unable to access the application.
Account deletion disables access to the Service promptly and initiates deletion of associated personal and trading data in accordance with the retention periods described in this Policy. Liftx may retain limited information (such as security logs and support communications) where necessary to comply with law, investigate suspected fraud or security incidents, resolve disputes, or enforce agreements.
5. Legal Bases (EEA/UK/CH Users)
If you are in the EEA/UK/Switzerland, we process personal data under the following legal bases:
- Contract necessity – to provide the Service you request.
- Legitimate interests – to secure and improve the Service, prevent abuse, and protect users and our business.
- Consent – where required (for example, non-essential cookies/analytics on our marketing website, if enabled).
- Legal obligation – where applicable.
7. Sharing and Disclosure
We may share information:
7.1 With service providers
We use service providers that help us operate the Service (for example, cloud hosting, infrastructure, monitoring, and email delivery). They process personal data on our behalf under contractual protections.
We describe providers by category rather than listing every vendor. Provider categories may include:
- cloud hosting and infrastructure,
- monitoring and incident response tooling,
- email delivery and customer communications,
- customer support tooling (if enabled).
We maintain a list of subprocessors used to process personal data and will provide it on request by contacting privacy@liftx.io.
7.2 With exchanges you connect
We transmit requests to the exchanges you connect to (for example, to place or cancel orders). The exchange’s processing is governed by that exchange’s terms and policies.
7.3 For legal and safety reasons
We may disclose information if required by law or if we believe disclosure is necessary to:
- comply with lawful requests,
- protect the rights, safety, and security of Liftx, our users, and others,
- prevent fraud or security incidents.
7.4 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to appropriate safeguards.
We do not sell personal information.
8. Security
We use safeguards designed to protect information, including encryption in transit (e.g., HTTPS/WSS) and encryption at rest for sensitive secrets (such as exchange API credentials). We also use access controls and least-privilege practices.
No method of transmission or storage is 100% secure. You are responsible for maintaining the security of your exchange account and your exchange API keys.
9. Data Retention
We retain personal data only as long as necessary for the purposes described in this Policy. Typical retention periods are:
- Account data (email, account identifiers): retained while your account is active. If you delete your account, Liftx deletes this data within 30 days, subject to limited backup retention and limited post-deletion retention of certain security and support records as described below.
- Positions, orders, and trade history: retained while your account is active so you can view monitoring, execution status, and historical calculations. If you delete your account, Liftx deletes this data within 30 days, subject to limited backup retention.
- Exchange API credentials: retained until you disconnect the exchange or delete your account (plus limited backup retention).
- Security logs: typically retained for 180 days (longer if needed to investigate or respond to security incidents).
- Support communications: typically retained for 24 months after resolution.
- Backups: typically retained for up to 35 days and then overwritten.
Limited post-deletion retention: After account deletion, Liftx may retain limited security logs and support communications for the periods described above, and may retain certain records longer where required by law or to establish, exercise, or defend legal claims (for example, to investigate suspected fraud or security incidents, or to resolve disputes fairly). Retained records are not used to restore deleted accounts or to re-enable access to the Service.
10. International Processing Locations and Transfers
We may process and store information in the United States, Europe, and Asia (for example, depending on infrastructure location and operational needs).
Where required for EEA/UK transfers, we rely on appropriate safeguards such as:
- EU Standard Contractual Clauses (SCCs) and
- the UK Addendum to the SCCs or the UK IDTA (as applicable).
You may request more information by contacting privacy@liftx.io.
11. Your Rights and Choices
Depending on your location, you may have rights to access, correct, delete, or export your personal data, and to object to or restrict certain processing.
To make a request, contact privacy@liftx.io. We may need to verify your identity before responding.
12. Automated Decision-Making
We do not use automated decision-making that produces legal or similarly significant effects about you (as defined under GDPR). We may use automated tools to detect and prevent fraud, abuse, and security threats.
13. Privacy Governance
We maintain internal privacy governance measures appropriate to the Service, including records of our processing activities and risk reviews for new features. Where required or appropriate, we conduct privacy impact assessments (such as Data Protection Impact Assessments) to evaluate and reduce privacy and security risks.
14. Children
The Service is not directed to children. If you are under 18, do not use the Service.
15. Changes to This Policy
We may update this Privacy Policy from time to time. The “Last updated” date indicates when changes were made. If changes are material, we will take reasonable steps to provide notice.
16. California Privacy Notice (California Residents)
This section applies only if you are a California resident. It supplements the information in this Privacy Policy and is intended to provide disclosures required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”).
16.1 Categories of personal information we collect
Depending on how you use the Service, we may collect the following categories of personal information (as defined under the CCPA/CPRA):
- Identifiers: such as email address, account identifiers, IP address, and device/network identifiers.
- Internet or other electronic network activity information: such as device and technical data, log data, and security-related events.
- Commercial and financial activity information related to the Service: such as positions, orders, and trade history; trading configurations; and exchange connection data needed to operate the Service.
- Customer service communications: such as messages and information you send to support.
We may also process sensitive personal information (as defined under the CCPA/CPRA) to the extent necessary to provide and secure the Service, such as account authentication data, MFA secrets, and exchange API credentials.
16.2 Sources of personal information
We collect personal information from:
- you (for example, when you create an account, contact support, or connect an exchange),
- your devices and browsers (for example, through logs and security events), and
- third-party exchanges you connect, to the extent you authorize us to access exchange data through their APIs.
16.3 Purposes for collecting and using personal information
We collect and use personal information for the purposes described in this Privacy Policy, including to:
- provide and operate the Service,
- authenticate users and maintain sessions,
- connect to exchanges at your direction and within the permissions you configure,
- store and display positions, orders, and trade history for monitoring and calculations (for example, breakeven),
- provide customer support,
- protect the Service and users (security monitoring, abuse prevention, and incident response),
- comply with legal obligations and enforce our Terms.
16.4 Disclosure of personal information
We may disclose personal information for business purposes to the categories of recipients described in this Privacy Policy, including:
- service providers (for example, hosting, infrastructure, and communications providers),
- exchanges you connect (to process requests you initiate and to retrieve account data you authorize),
- professional advisors and authorities (as required by law), and
- parties involved in a corporate transaction (subject to appropriate safeguards).
16.5 Sale or sharing of personal information
Liftx does not sell personal information.
Liftx also does not share personal information for cross-context behavioral advertising (as that term is defined under the CCPA/CPRA).
If our practices change, we will update this Privacy Policy and provide any required opt-out mechanisms.
16.6 Sensitive personal information
We use and disclose sensitive personal information only as reasonably necessary to provide the Service, maintain account security, prevent fraud and abuse, and comply with law. We do not use sensitive personal information to infer characteristics about you.
16.7 California privacy rights
Subject to certain legal limitations and verification requirements, California residents may have the right to:
- Know/Access: request information about the personal information we collect, use, and disclose.
- Delete: request deletion of personal information.
- Correct: request correction of inaccurate personal information.
- Opt out: opt out of the sale or sharing of personal information (if applicable).
- Limit: limit the use and disclosure of sensitive personal information (where applicable).
- Non-discrimination: not be discriminated against for exercising privacy rights.
16.8 How to exercise your rights
To submit a request, contact us using one of the following methods:
- Email: privacy@liftx.io
- Mail: Jointl Inc., 600 N Broad St Ste 5, Ste 2120, Middletown, 19709, Delaware, USA
We may need to verify your identity before completing your request. You may use an authorized agent where permitted by law; we may require proof of authorization and may also require you to verify your identity directly.
16.9 Retention
We retain personal information as described in Section 9 (Data Retention).
16.10 Financial incentives
We do not offer financial incentives or price or service differences in exchange for the collection, retention, or sale/sharing of personal information.
Last updated: January 18, 2026