Privacy policy
What RSForex Bot collects, why, and — just as important — what it never collects. The platform is designed to be PII-minimized.
Risk disclosure. Trading involves risk. RSForex Bot does not guarantee profits, account growth, or prop-firm outcomes. Users remain responsible for their own broker, prop-firm, account settings, and trading decisions. Past performance does not guarantee future results.
1. Who we are and what this covers
This policy explains what personal data the operator of RSForex Bot (the "data controller" for the purposes of the GDPR and UK GDPR, and the "business" for the purposes of the CCPA/CPRA) collects through the RSForex Platform, the customer dashboard, the support chat, and the MT5 executor — and why we process it, on what legal basis, how long we keep it, who we share it with, and what rights you have over it.
We have designed the platform to minimize personal data: sensitive identifiers such as your license key, your MT5 login, and your IP address are stored only in hashed (one-way, non-reversible) form, and card numbers never reach our servers. This section lists every category we actually hold, in plain English, noting where a value is hashed or otherwise minimized. If you believe anything here is inaccurate, tell us — an accurate description of our real practices is something we take seriously.
2. Data we collect
We collect the following categories of personal data. Items marked "hashed" are stored using a one-way function (bcrypt or SHA-256) so the original value cannot be recovered from what we hold.
- Account data. Your email address, a hashed version of your password (bcrypt — we never store or see your plaintext password), your account role and status, and the date you registered. Your email is your login identity and our channel for license, billing, and safety notifications.
- Subscription and billing data. Your plan, subscription status, price, trial and billing-period dates, payment status, and a payment-method reference string (for example "Visa ending 4242"). We also keep invoice records — invoice ID, amount, and status. We do not store card numbers (see "What we never collect").
- License data. A hashed version of your license key (SHA-256 — the plaintext key is never stored) and a masked display version (for example showing only the last characters) so you can identify your license without us holding it in full.
- Device and activation data. A hardware fingerprint (a device identifier) and device name for each device you activate, plus the activation's first-seen and last-seen timestamps. This enforces the per-seat device binding described in the Terms.
- Broker-account data. A hashed version of your MT5 login (the raw login number is not stored), your broker name, server name, account type, account currency, account size, and leverage, together with a compatibility report (checks on symbol, spread, and lot settings). This confirms the executor is running on an approved, compatible account.
- Configuration data. The strategy version and risk preset assigned to your account, with timestamps, so we can deliver and support the correct configuration package.
- Trading telemetry. Closed-trade results reported by the executor: ticket number, symbol, side (buy/sell), volume, profit or loss, a win/loss flag, and the times the trade opened and closed. This describes what the software did on your account, so we can support it and maintain the strategy.
- Heartbeat and status data. Periodic check-ins from the executor containing a hashed version of your IP address (the raw IP is not stored), the software version, a status value, and a timestamp. These confirm the software is running and licensed.
- Support and chat data. If you use the support chat or contact support, we store the conversation: your name and email as entered in the chat (including if you are not logged in), the message text, and a link to your user account where one exists. This lets us answer you and keep a record of the resolution.
- Security and administrative logs. Abuse alerts (for example, signals of key sharing or tampering) and audit logs of administrative actions, which record the acting administrator's email, the action taken, and the target of the action. These protect customer accounts and the integrity of the platform.
3. What we never collect
- No card numbers. Payments are processed by Stripe. RSForex Bot does not store full credit card numbers. Stripe stores your card details under its own PCI-compliant systems and privacy policy; full card or bank numbers never touch our servers — we only receive a reference and status.
- No MT5 passwords — ever. The executor runs inside your own MetaTrader 5 terminal. Neither your master password nor your investor password is requested by, transmitted to, or stored by the platform at any time.
- No withdrawal access, no customer funds. We never collect withdrawal credentials, bank logins, or seed phrases, and we never hold customer funds. The platform has no mechanism to move money into or out of your trading account.
- No raw broker logins or raw IP addresses. Your MT5 login and your IP address are stored only in hashed form, used for account binding and abuse prevention. We do not keep the originals.
- Nothing unrelated. No browsing history across other sites, no advertising profiles, no contact lists, no files on your device, and no data unrelated to operating your license, subscription, and support.
4. Why we process it, and on what legal basis
Under the GDPR and UK GDPR we must have a lawful basis for each purpose. We rely on the bases shown in brackets below.
- Providing the service (performance of a contract). Creating and operating your account, validating your license on its bound broker account and device, delivering encrypted configuration and updates, and running the executor and dashboard you subscribed to.
- Support (performance of a contract). Answering your questions and resolving issues through the support chat and email, and keeping a record of what was resolved.
- Billing (contract and legal obligation). Processing subscriptions, renewals, and refunds through our payment processor, and keeping invoice and payment records required by tax and accounting law.
- Abuse prevention and safety (legitimate interest). Detecting key sharing, device swapping, and tampering, and operating the remote safety controls that protect customer accounts and the product. We balance this against your rights and use hashed identifiers where we can.
- Product improvement (legitimate interest). Reviewing trading telemetry — including in aggregated, anonymized form across users — to maintain and improve the strategy and its risk controls.
- Communications (contract and consent). Service, license, and safety notifications are part of operating the product (contract). Any optional marketing email is sent only with your consent and can be opted out of at any time.
We do not sell your personal data, and we do not share it with third parties for their own advertising or for cross-context behavioral advertising, as those terms are used in the CCPA/CPRA.
5. Third parties we share data with
We share personal data only with the service providers ("processors") needed to run the platform, under contracts that restrict them to providing the service to us. We do not sell it. The main recipients are:
- Stripe (payments). When card payments are enabled, we send your email to Stripe so it can create your customer record and process the payment; Stripe stores and processes your card data under its own terms and privacy policy (see stripe.com/privacy). We receive back a payment-method reference and status, not your card number.
- AI support chat. Our support chat is assisted by an AI provider. The messages you send, and the name and email you enter in the chat, are processed to generate replies and are stored as part of your conversation history. Do not enter passwords or other secrets into the chat.
- Infrastructure providers. Hosting, email delivery, and similar infrastructure providers process data only as needed to operate the platform on our behalf.
We may also disclose data where required by law, to respond to a lawful request from a public authority, to enforce our Terms, or to establish, exercise, or defend legal claims. If the business is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, and we will notify you before your data becomes subject to a different privacy policy. We keep an internal record of the processors and sub-processors we use and will provide details of the current ones on request.
6. Cookies and local storage
The platform does not use third-party advertising or tracking cookies. It uses first-party browser localStorage for two strictly functional purposes: to hold your authentication token so you stay signed in, and to hold a chat identifier so your support conversation stays connected to you. These are necessary to provide the service you have requested and are not used for advertising or cross-site tracking.
If we ever adopt analytics or any non-essential storage, we will disclose it here and — where the law (including the EU ePrivacy rules) requires consent — ask for your consent first.
7. Data retention
- Account, license, subscription, and broker-account data is retained while your subscription is active and for a limited period afterwards, for billing, dispute-resolution, and legal-compliance purposes.
- Invoice and payment records are retained for the period required by applicable tax and accounting law.
- Trading telemetry, heartbeat data, and activation history are retained only as long as needed for support, safety, and abuse prevention, after which they are deleted or irreversibly aggregated.
- Support conversations and audit logs are retained for a limited period for quality, security, and legal-defense purposes.
- Aggregated or anonymized data that can no longer be linked to you is not personal data and may be retained.
8. International data transfers
Our processors (including Stripe and our hosting and AI providers) may process data in countries outside your own, including outside the EEA or the UK. Where personal data is transferred internationally, we rely on recognized safeguards — such as the European Commission's standard contractual clauses, the UK international data transfer addendum, or an adequacy decision — so that your data remains protected to a standard consistent with your home jurisdiction. You can ask us for information about the safeguards that apply to a given transfer and the countries in which your data is processed.
9. Your rights (GDPR, UK GDPR, CCPA/CPRA, and similar laws)
Depending on where you live, you have some or all of the following rights over your personal data:
- Access / right to know — request a copy of the personal data we hold about you and how we use it.
- Rectification / correction — have inaccurate or incomplete data corrected.
- Deletion — request erasure of your personal data ("right to be forgotten" / CCPA right to delete), subject to records we must keep by law.
- Portability — receive your data in a structured, commonly used, machine-readable format.
- Objection and restriction — object to, or ask us to restrict, processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time without affecting processing already carried out.
- Opt out of sale/sharing — we do not sell or share personal data in the CCPA/CPRA sense, so there is nothing to opt out of; we honor this right by not doing it.
- Non-discrimination — exercising your rights will not result in worse service or pricing (CCPA/CPRA).
- Complain — lodge a complaint with your local data-protection authority (for example, your EU supervisory authority or the UK ICO).
To exercise any right, email us from your account email address (see Contact). We verify your identity before acting, respond within the timelines the law requires, and confirm when the request is complete. California residents: because we do not sell or share personal information as the CCPA/CPRA defines those terms, we do not provide a separate "Do Not Sell or Share My Personal Information" link.
10. How we protect it
We protect personal data with defense-in-depth measures appropriate to the risk: encrypted transport, signed and encrypted configuration delivery, account and device binding, one-way hashing of passwords, license keys, MT5 logins, and IP addresses instead of storing the originals, access limited to what operating the platform requires, and audit logging of administrative actions. No security measure can guarantee absolute protection. If a security incident affects your personal data, we will notify you and the relevant supervisory authority where and within the time the law requires.
11. Children
The platform is not intended for anyone under 18, and leveraged trading is not suitable for minors. We do not knowingly collect personal data from children. If you believe a minor has provided us data, contact us and we will delete it.
12. Consent, controller, and changes
You accept this policy at signup, together with the Terms of Service and Risk Disclosure. If it changes materially, we will notify you via the platform or by email before the changes take effect, and the "last updated" date at the top of this page will reflect the revision. The operator of RSForex Bot is the data controller for the personal data described here, and you can reach us on any data-protection matter — including to exercise your rights or to identify our data-protection contact — at the address in the Contact section below.
13. Contact
Privacy questions, rights requests, and deletion requests: [email protected] — email from your account address so we can verify identity. This policy is accepted at signup together with the Terms of Service and Risk Disclosure.