Legal Disclosure

Privacy Policy

This Privacy Policy explains how the platform collects, uses, stores, secures, shares, transfers, retains, and otherwise processes personal data and related operational records across account, training, challenge, support, admin, mentor, analytics, security, Telegram, and optional funded-account workflows.

Last updated: April 19, 2026
Controlling version: English
Important Notice. This notice explains how the platform handles account, training, challenge, support, security, analytics, and optional funded-feature data. Region-specific supplements may apply, and nothing in this notice limits rights granted by applicable privacy law.

What this covers

Identity, authentication, session, challenge, group, journal, certificate, support, admin-review, security, and optional funded-feature data.

How to read it

This notice explains ordinary platform use, security and abuse-prevention processing, role-based visibility, and the service providers used to operate the platform.

Your main choices

Depending on your location, you may have rights to access, correct, delete, restrict, object, port, or complain about certain uses of your personal data.

Contents

  1. Who This Policy Applies To and Who Is Responsible
  2. How This Policy Works With Other Notices
  3. Categories of Personal Data We Process
  4. Sources of Information
  5. How We Use Information
  6. Legal Bases and Permission Structure
  7. Cookies, Local Storage, Session Storage, and Similar Technologies
  8. Authentication, Security, Fraud Prevention, and Logs
  9. Feature-Specific Processing Scenarios
  10. Role-Based Visibility and Sharing Within the Platform
  11. Service Providers, Sharing, and External Recipients
  12. International Transfers
  13. Retention, Deletion, and Backup Copies
  14. Security Measures and Incident Response
  15. Automated Decisions, Rankings, Eligibility, and Human Review
  16. Your Rights, Choices, and Request Handling
  17. Children, Minors, and Education or Partner Deployments
  18. Changes to This Privacy Policy
  19. Contact and Complaints

1. Who This Policy Applies To and Who Is Responsible

This Privacy Policy applies to personal data and related operational records processed through the platform for visitors, applicants, registered users, students, mentors, administrators, invite recipients, support contacts, and any other person whose information is handled in connection with the service.

The data controller or responsible operator for the service is the legal entity identified in the applicable registration flow, order form, invoice, or official support materials for the service. If the service is made available through a school, cohort, enterprise, or partner deployment, that organization may also issue additional privacy notices or act as a controller or joint controller for specific workflows.

2. How This Policy Works With Other Notices

This Privacy Policy should be read together with the Terms of Service, challenge rules, assignment rules, funded-account rules, prop-program rules, feature notices, and any other binding platform policies or regional privacy supplements.

Translations may be provided for convenience, but the English version controls to the extent permitted by law. Nothing in this section limits local-language or mandatory privacy-disclosure requirements that apply in your jurisdiction.

3. Categories of Personal Data We Process

Depending on how the service is used, we may process different categories of information. Not every category applies to every person at all times, and some categories arise only when optional or admin-enabled features are used.

  • Identity and account data, including email address, first name, last name, username, user number, role, locale preference, avatar, onboarding state, access tier, invite status, and account lifecycle state.
  • Authentication and security data, including password hashes, password timestamps, refresh-session records, email-verification records, password-reset records, Telegram-linking state, proof-of-work or reCAPTCHA verification state, device or browser signals, IP-related information, rate-limit data, and security logs.
  • Learning and participation data, including assignment activity, enrollments, challenge participation, waitlist status, group membership, rankings, comments, badges, certificates, highlights, journals, notifications, support history, and related administrative records.
  • Trading and analytics data, including demo balances, positions, orders, fills, wallet balances, chart interactions, profit and loss metrics, challenge outcomes, prop-program records, funded-account lifecycle data, credential-verification outcomes, reconciliation history, and related enforcement logs where relevant.
  • Communications and user-submitted content, including support requests, mentor communications, admin communications, uploaded profile media, journal entries, notes, comments, form submissions, and any data voluntarily included in messages or attachments.
  • Technical and usage data, including pages visited, feature interactions, errors, browser storage usage, account-selection state, locale storage, cookies, session identifiers, diagnostics, and performance or abuse-prevention telemetry needed to operate the service responsibly.
  • Derived or inferred data, including abuse-risk indicators, eligibility decisions, verification outcomes, moderation flags, readiness states, ranking outputs, entitlement decisions, and other conclusions derived from raw platform data.

4. Sources of Information

We obtain information directly from you, automatically from your browser or device, from mentors and administrators acting inside the platform, from challenge or program operators, from messaging and email providers, from Telegram integrations, from market-data providers, from funded or exchange-side providers when enabled, and from logs or analytics produced during normal service operation.

Some records are created internally when the platform computes rankings, challenge states, access decisions, analytics, moderation outcomes, operational readiness, or abuse signals. Those system-derived results may be treated as platform records even if you disagree with them.

5. How We Use Information

We process information whenever reasonably necessary to operate, secure, maintain, improve, document, defend, and administer the platform and related services. Processing includes both ordinary feature delivery and exceptional or edge-case scenarios.

  • Creating and managing accounts, authenticating sessions, verifying email ownership, enabling password recovery, and supporting Telegram-based sign-in or linking flows.
  • Provisioning and operating assignments, demo accounts, challenge participation, mentor workflows, rankings, certificates, groups, prop programs, funded accounts, and related user features.
  • Detecting, preventing, investigating, documenting, and responding to abuse, scraping, automation, credential stuffing, cheating, collusion, account sharing, suspicious access, fraud, rule breaches, and other policy violations.
  • Monitoring service health, rate limits, delivery success, failures, retries, and platform reliability, including retaining evidence of failed or partial workflows.
  • Communicating with users about security, verification, support, account status, policy enforcement, operational notices, password resets, and other transactional messages.
  • Administering audits, legal holds, rights enforcement, risk review, internal governance, and preparation for disputes, investigations, or litigation.
  • Improving product features, analytics, workflows, anti-abuse controls, and reporting using identifiable, pseudonymized, aggregated, or de-identified data where appropriate.

6. Legal Bases and Permission Structure

Where legal bases are required, we generally rely on one or more of the following: performance of a contract or pre-contractual steps, legitimate interests in operating and protecting the platform, compliance with legal obligations, protection of rights and safety, and consent where a specific activity legally requires it.

We do not rely on blanket consent-by-use as the sole basis for all processing. If a particular feature or technology requires consent under applicable law, we will seek that consent or provide the controls required for that deployment. If consent is withdrawn, some optional features may stop working, but required account and security processing may continue where another lawful basis applies.

7. Cookies, Local Storage, Session Storage, and Similar Technologies

The platform uses cookies, session storage, local storage, and comparable client-side mechanisms to authenticate users, maintain sessions, remember locale choices, preserve account-selection context, store watchlists or workflow state, support refresh-token flows, and improve stability and performance.

Some of these technologies are strictly necessary for security and core service functionality. Others may support diagnostics, support tooling, or optional third-party integrations when enabled. If applicable law requires consent or additional notice for a non-essential technology, we will provide the controls required for that deployment.

8. Authentication, Security, Fraud Prevention, and Logs

We process authentication and security data to protect accounts and the platform. This may include password hashing, session rotation and revocation, email-verification records, password-reset records, proof-of-work checks, reCAPTCHA state, rate limiting, device or browser signals, IP-based safeguards, structured auth-attempt logs, and abuse-detection telemetry.

Security-related records may be used to investigate suspicious access, prevent brute-force or automated attacks, enforce program rules, preserve evidence, and support audits, incident response, or litigation readiness.

9. Feature-Specific Processing Scenarios

Different feature families create different privacy implications. Processing may vary based on your role, challenge state, enrollment state, access tier, funded-account status, or whether optional integrations are enabled.

  • Registration and verification workflows may retain incomplete submissions, proof-of-work or reCAPTCHA state, failed sign-in attempts, email-verification history, and password-reset events for integrity and abuse prevention.
  • Challenges, assignments, groups, certificates, and tournaments may generate visible participation, progress, ranking, waitlist, and result records that mentors, admins, and eligible users can review as part of the feature design.
  • Demo and simulated trading features may record balances, positions, orders, fills, chart interactions, journal activity, and performance analytics for scoring, review, and fraud detection.
  • Prop and funded workflows may process provider references, encrypted credentials, credential-verification outcomes, reconciliation runs, lifecycle states, breach history, wallet balances, positions, live order records, and timeline data needed to operate those features.
  • Notification and messaging features may process send attempts, failures, rate limits, delivery metadata, quiet-hours settings, timezone preferences, and message-routing state for troubleshooting, compliance, and service integrity.
  • Telegram features may process login or link codes, onboarding details, contact information you submit through Telegram, support-thread messages, admin replies, broadcasts, and outbox-delivery records when those features are enabled.
  • Uploaded media and profile content may be stored, cached, resized, served, migrated between storage backends, or deleted according to technical and operational needs.

10. Role-Based Visibility and Sharing Within the Platform

Information inside the platform is not necessarily private from all other platform actors. Depending on feature design and your role, mentors, administrators, group owners, challenge operators, eligible participants, or public viewers may see parts of your profile, progress, rankings, participation state, comments, certificates, challenge results, or related operational records.

Authorized admins and mentors may also access user contact, support, audit, compliance, or program records where reasonably necessary to operate the service, investigate abuse, respond to support requests, or manage provider-connected workflows. Some admin workflows may include access to user email addresses, linked Telegram usernames, and support-thread history when those features are enabled.

11. Service Providers, Sharing, and External Recipients

We may disclose information where reasonably necessary to operate the platform, protect rights, prevent abuse, support integrated workflows, preserve evidence, or comply with legal obligations.

  • To infrastructure, hosting, database, storage, security, and software providers that support the platform.
  • To email, messaging, anti-bot, Telegram, market-data, media-storage, and provider or exchange services where technical disclosure is necessary to deliver a requested feature.
  • To mentors, administrators, operators, reviewers, or support staff who need access to manage users, assignments, challenges, groups, moderation actions, or funded-account operations.
  • To auditors, advisers, insurers, purchasers, successors, counterparties, or affiliates during financing, diligence, restructuring, merger, acquisition, insolvency, or similar transactions, subject to appropriate safeguards where required.
  • To law enforcement, regulators, courts, counterparties, or other parties where we believe disclosure is reasonably necessary to comply with law, preserve evidence, or reduce risk.
  • In aggregated, statistical, de-identified, or otherwise non-personal form where we determine the data is no longer reasonably linked to a specific person.

12. International Transfers

Information may be processed or stored in countries other than the country where you live. Those jurisdictions may provide privacy protections that differ from your home jurisdiction.

Where required, we may use contractual, organizational, or technical safeguards for international transfers, such as provider commitments, standard contractual protections, access controls, or region-specific deployment choices. Additional information about transfer safeguards may be provided in a regional notice or on request where required by law.

13. Retention, Deletion, and Backup Copies

We retain information for as long as reasonably necessary for service delivery, account recovery, abuse prevention, audit integrity, legal compliance, dispute resolution, security review, backup cycles, and business continuity. Different records are retained for different periods.

Short-lived security records such as verification codes and password-reset tokens are generally kept only for their validity period and a reasonable audit window. Session and refresh-token records may persist while a session is active and for a revocation or recovery window. Trading, challenge, support, audit, funded, and compliance records may be kept for longer periods where reasonably necessary for program integrity, legal obligations, fraud prevention, or dispute handling.

Deletion in one layer of the system does not necessarily mean immediate removal from every replica, log, cache, archive, or backup. If you request deletion or close an account, residual copies may persist for legal, technical, anti-abuse, archival, or disaster-recovery reasons until the relevant retention cycle expires.

14. Security Measures and Incident Response

We use administrative, organizational, and technical safeguards intended to reduce risk, such as authentication controls, selective encryption, role-based access, audit logging, abuse controls, and operational monitoring. However, no system is perfectly secure, available, or error-free.

If we detect a security incident, we may investigate, preserve evidence, rotate credentials or sessions, restrict access, and notify affected persons or authorities where required by applicable law.

15. Automated Decisions, Rankings, Eligibility, and Human Review

The platform uses rule-based and partially automated systems to produce rankings, challenge and assignment outputs, anti-abuse signals, access-entitlement outcomes, eligibility flags, funded-workflow controls, and other operational states.

Some significant decisions may also involve human review, especially for support, moderation, fraud investigation, funded-account administration, compliance, or dispute handling. If applicable law gives you a right to request review of a qualifying automated decision, you may use the official privacy or support contact identified by the operator on the platform or in the applicable service materials to make that request.

16. Your Rights, Choices, and Request Handling

Depending on your jurisdiction, you may have rights to request access, correction, deletion, restriction, objection, portability, withdrawal of consent, or complaint review. Those rights are not absolute. We may refuse, limit, defer, or condition a request where permitted by law, where identity cannot be verified, where records must be retained, or where compliance would jeopardize security, evidence preservation, or the rights of others.

To submit a privacy-related request, use the official privacy or support contact identified by the operator on the platform or in the applicable service materials. We may request clarification, narrowing, or additional identity verification. Rights requests do not suspend legitimate security reviews, moderation actions, fraud checks, account restrictions, or evidence-preservation obligations.

17. Children, Minors, and Education or Partner Deployments

The platform is not intended for unsupervised use by children and is not designed as a child-directed service. If local law requires parental, guardian, school, institution, or employer authorization for a user's age group or deployment type, responsibility for obtaining that authorization lies with the relevant user or organization.

If we reasonably believe a user should not have used the service without additional authorization, we may restrict access, request confirmation, suspend processing, or remove relevant data where appropriate. Additional privacy terms may apply where the platform is deployed through a school, cohort, enterprise, or partner arrangement.

18. Changes to This Privacy Policy

We may revise this Privacy Policy to reflect product changes, legal developments, operational decisions, security needs, or business priorities. For material changes, we will provide notice through the platform, email, or another reasonable channel where practical.

Unless a later date is stated, the revised Privacy Policy takes effect on the date identified in the notice or publication. Where applicable law requires fresh consent for a new processing activity, we will request that consent before relying on it.

19. Contact and Complaints

Questions, complaints, or requests relating to this Privacy Policy should be submitted through the official privacy or support contact identified by the operator on the platform or in the applicable service materials. Communications may be retained as support, compliance, security, and legal records.

If your jurisdiction grants a right to complain to a regulator or supervisory authority, you may do so at any time. We also welcome the opportunity to review and address privacy concerns directly where practical.

This Privacy Policy is the controlling English-language privacy notice for the platform. Regional or partner-specific privacy notices may supplement it where applicable.
