Privacy Policy
Table of Contents
Key Points Summary
Before reading the full policy, here is a plain-language summary of the most important points:
| Topic | Summary | |---|---| | Who we are | Lexx Software Co. Ltd., a Maltese SaaS company providing a trading interface to cryptocurrency exchanges (Binance, OKX). We are not an exchange, custodian, or crypto-asset service provider. | | What data we collect | Account data (email, name), usage data, device/browser data, and analytics data via Google Analytics 4. | | Why we collect it | To provide our Service, manage your subscription, improve performance, and ensure security. | | Legal bases | Contract performance, legitimate interests, legal obligations, and consent (for analytics cookies). | | Third-party tools | Google Analytics 4 (GA4) only. No Google Ads, no Facebook Pixel, no other advertising trackers. | | International transfers | GA4 data may be transferred to Google servers outside the EEA under Standard Contractual Clauses (SCCs). | | Your rights | Access, rectification, erasure, restriction, portability, objection, and withdrawal of consent — all under GDPR. | | AI / Automated systems | Our RADAR system uses AI for market pattern detection. It does not process your personal data. | | Data protection authority | Information and Data Protection Commissioner (IDPC), Malta. | | Contact | legal@lexxsoft.com |
1. Introduction
Lexx Software Co. Ltd. ("Lexx", "we", "us", "our"), registered in Malta under company number C 100540, with its registered office at Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta, is the data controller responsible for your personal data.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you visit our website at https://lexx-trade.com and use our SaaS trading interface services (collectively, the "Service").
We are committed to protecting your privacy in compliance with:
- Regulation (EU) 2016/679 — the General Data Protection Regulation ("GDPR")
- Malta Data Protection Act (Cap. 586 of the Laws of Malta)
- Regulation (EU) 2024/1689 — the EU AI Act (as applicable)
- Directive 2002/58/EC — the ePrivacy Directive
This Privacy Policy is written in accordance with GDPR Article 12 requirements: it is concise, transparent, intelligible, and easily accessible, using clear and plain language.
Please read this Privacy Policy carefully. By accessing or using the Service, you acknowledge that you have read and understood this policy. If you do not agree, please do not use the Service.
This Privacy Policy does not apply to:
- Information collected offline or through apps or websites not part of the Service
- Information collected by third parties, including through applications or content that may link to or be accessible through the Service
- The practices of cryptocurrency exchanges (Binance, OKX) that you connect to through our Service — those platforms have their own privacy policies
For questions about this policy, contact us at legal@lexxsoft.com.
2. Data Controller & Data Protection Contact
| Detail | Information | |---|---| | Data Controller | Lexx Software Co. Ltd. | | Registration Number | C 100540 (Malta) | | LEI | 984500EAD1O715C6C507 | | Registered Address | Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta | | Data Protection Contact | legal@lexxsoft.com |
We have voluntarily designated a Data Protection Contact to handle data protection inquiries. You may reach them at legal@lexxsoft.com for any questions regarding the processing of your personal data or to exercise your data protection rights.
3. Definitions
For the purposes of this Privacy Policy:
- "Personal Data" means any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on personal data, as defined in GDPR Article 4(2).
- "Service" refers to the Lexx trading interface platform, including all associated websites, applications, and features operated by Lexx.
- "User" or "you" refers to any natural person who accesses or uses the Service.
- "RADAR" refers to our algorithmic and AI-powered market analysis system.
4. Personal Data We Collect
We collect personal data through two main channels: directly from you and automatically when you use the Service.
4.1 Data You Provide Directly
| Data Category | Examples | When Collected | |---|---|---| | Account Data | Email address, username, display name, password (hashed) | Registration, account creation | | Profile Data | Display name, language preference, timezone | Account settings | | Subscription Data | Subscription plan, billing history, payment status | Purchasing a subscription | | Communication Data | Email correspondence, support tickets, feedback | When you contact us | | Exchange API Keys | Encrypted API keys for Binance/OKX | When you connect an exchange |
Important: We do not collect or store payment card details. All payment processing is handled by our third-party payment processor. We only receive confirmation of payment status.
4.2 Data Collected Automatically
| Data Category | Examples | Technology Used | |---|---|---| | Device Data | Browser type and version, operating system, screen resolution, device type | Server logs | | Connection Data | IP address, internet service provider, approximate location (country/city level) | Server logs | | Usage Data | Pages visited, features used, click patterns, session duration, referring URL | Server logs, GA4 | | Analytics Data | Aggregated usage patterns, user flow, engagement metrics | Google Analytics 4 | | Log Data | Server requests, error logs, access timestamps | Server infrastructure |
4.3 Data We Do NOT Collect
We want to be clear about what we do not collect:
- We do not collect financial transaction data from your exchange accounts
- We do not collect wallet addresses or cryptocurrency balances
- We do not require identity documents (no KYC/AML — we are a SaaS subscription service, not a financial institution)
- We do not collect data from children under 16 years of age
- We do not collect special categories of personal data (Article 9 GDPR)
4.4 Statutory and Contractual Requirements for Data Provision
Statutory and Contractual Requirements for Data Provision. The provision of certain personal data (such as your email address, display name, and payment information) is a contractual requirement necessary for the performance of our agreement with you. Without this data, we cannot create your account or provide the Service. Where we process data based on legal obligations (such as billing records for tax compliance), the provision of such data is a statutory requirement. You are not obliged to provide optional data (such as profile preferences), and the refusal to do so will not affect your ability to use the core Service.
5. Legal Basis for Processing
Under GDPR Article 6, we process your personal data only when we have a valid legal basis. The following table sets out each processing purpose, its legal basis, and the categories of data involved:
| Purpose | Legal Basis (GDPR Art. 6) | Data Categories | |---|---|---| | Account creation and management | Art. 6(1)(b) — Performance of a contract | Account Data, Profile Data | | Providing the Service (trading interface) | Art. 6(1)(b) — Performance of a contract | Account Data, Exchange API Keys, Usage Data | | Subscription management and billing | Art. 6(1)(b) — Performance of a contract; Art. 6(1)(c) — Legal obligation (tax and accounting records) | Account Data, Subscription Data | | Customer support | Art. 6(1)(b) — Performance of a contract | Account Data, Communication Data | | Service security and fraud prevention | Art. 6(1)(f) — Legitimate interests; Art. 6(1)(c) — Legal obligation | Device Data, Connection Data, Log Data | | Service improvement and performance monitoring | Art. 6(1)(f) — Legitimate interests | Usage Data, Log Data | | Website analytics (GA4) | Art. 6(1)(a) — Consent | Analytics Data, Device Data, Connection Data | | Service notifications (security alerts, maintenance) | Art. 6(1)(b) — Performance of a contract | Account Data | | Compliance with legal obligations | Art. 6(1)(c) — Legal obligation | Account Data, Subscription Data, Log Data | | Responding to legal requests | Art. 6(1)(c) — Legal obligation | Any data as legally required |
Legitimate Interests Assessment
Where we rely on legitimate interests (Art. 6(1)(f)), we have conducted a balancing test to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:
- Maintaining the security and integrity of the Service
- Preventing fraud and abuse
- Improving and optimizing the Service for all users
- Understanding how users interact with features to guide product development
You have the right to object to processing based on legitimate interests at any time (see Section 9.7).
6. Analytics & Third-Party Services
6.1 Google Analytics 4 (GA4)
We use Google Analytics 4 ("GA4"), provided by Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland), to understand how users interact with our Service.
What GA4 collects:
- Page views, session duration, and user flow
- Device and browser information
- Approximate geographic location (country/city level, derived from IP address)
- Engagement events (clicks, scrolls, form interactions)
Privacy safeguards we have implemented:
- IP anonymization is enabled by default in GA4
- Advertising features are disabled — we do not use remarketing, demographics, or interest reporting
- Data sharing with Google for advertising purposes is disabled
- Data retention in GA4 is set to 14 months
- Google Signals is disabled
- GA4 operates on a consent-only basis — analytics cookies are set only after you provide explicit opt-in consent
Legal basis: Consent (GDPR Art. 6(1)(a)). You can withdraw your consent at any time through our cookie consent banner or by contacting us.
For more information about how Google processes data, see:
6.2 No Other Third-Party Trackers
We do not use any other third-party analytics, advertising, or tracking services. Specifically:
- No Google Ads or Google Tag Manager (for advertising)
- No Facebook Pixel or Meta tracking
- No advertising networks or retargeting services
- No social media tracking pixels
- No third-party A/B testing tools that process personal data
7. Cookies
We use cookies and similar technologies to operate the Service and, with your consent, to collect analytics data. A cookie is a small text file stored on your device by your browser.
For comprehensive details about the specific cookies we use, their purposes, durations, and how to manage them, please see our Cookie Policy.
Categories at a glance:
| Category | Consent Required | Purpose | |---|---|---| | Strictly Necessary | No (always active) | Essential Service functionality, security, session management | | Functional | Yes (opt-in) | User preferences such as language and theme | | Analytics | Yes (opt-in) | GA4 website analytics |
You can manage your cookie preferences at any time through our cookie consent banner or your browser settings.
8. Sharing of Personal Data
We do not sell, rent, or trade your personal data. We share personal data only in the following limited circumstances:
8.1 Service Providers
| Provider | Purpose | Data Shared | Safeguards | |---|---|---|---| | Google Ireland Limited | Website analytics (GA4) | Analytics Data (anonymized IP, usage patterns) | Standard Contractual Clauses, Data Processing Agreement | | Stripe, Inc. | Subscription payment processing | Payment confirmation status only (no full card numbers stored by LEXX) | PCI DSS Level 1 compliance, Standard Contractual Clauses, DPA | | Amazon Web Services, Inc. (AWS) | Infrastructure and data storage | All Service data (encrypted at rest and in transit) | EU-based servers (Frankfurt, Ireland), Standard Contractual Clauses, DPA | | Freshworks Inc. (Freshdesk) | Customer support ticket management | Support ticket content, email associated with ticket | Standard Contractual Clauses, Data Processing Agreement |
All service providers are bound by data processing agreements in accordance with GDPR Article 28.
8.2 Legal Obligations
We may disclose your personal data if required to do so by law or in response to valid requests by public authorities (e.g., a court order or government request). This includes:
- Compliance with a legal obligation under EU or Maltese law
- Protection of our legal rights, property, or safety
- Detection, prevention, or investigation of fraud or illegal activity
- Prevention of death or imminent bodily harm
8.3 Business Transfers
If Lexx is involved in a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of that transaction. We will notify you before your personal data becomes subject to a different privacy policy. The acquiring entity will be informed of its obligations under applicable data protection law.
8.4 Aggregated and Anonymized Data
We may share aggregated, de-identified data that cannot reasonably be used to identify you for any business purpose, including statistical analysis and service improvement.
9. Your Rights Under GDPR
As a data subject under the GDPR, you have the following rights. You can exercise any of these rights by contacting us at legal@lexxsoft.com.
9.1 Right to Be Informed (Articles 13–14)
You have the right to clear, transparent, and easily understandable information about how we use your personal data. This Privacy Policy fulfills that obligation.
9.2 Right of Access (Article 15)
You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of that data along with supplementary information about the processing.
9.3 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete personal data completed.
9.4 Right to Erasure (Article 17)
You have the right to request deletion of your personal data where:
- The data is no longer necessary for the purpose it was collected
- You withdraw consent (where consent was the legal basis)
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- Erasure is required by EU or Maltese law
Exceptions: We may retain data where processing is necessary for compliance with legal obligations, the establishment, exercise, or defence of legal claims, or for archiving purposes in the public interest.
9.5 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing where:
- You contest the accuracy of the data (for the period we verify accuracy)
- The processing is unlawful and you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of legitimate grounds
When processing is restricted, we may store the data but will not process it further without your consent, except for legal claims or protection of rights.
9.6 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller, where:
- Processing is based on consent or contract performance, and
- Processing is carried out by automated means
9.7 Right to Object (Article 21)
You have the right to object, on grounds relating to your particular situation, to processing of your personal data based on our legitimate interests (Art. 6(1)(f)). Upon receiving your objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims.
Where we process your personal data for direct marketing purposes, you have the right to object at any time, and we will stop processing for that purpose immediately.
9.8 Right to Withdraw Consent (Article 7(3))
Where we process your personal data based on your consent (e.g., analytics cookies), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
How to withdraw consent:
- Adjust your cookie preferences via the cookie consent banner on our website
- Contact us at legal@lexxsoft.com
- Disable cookies in your browser settings (see our Cookie Policy for instructions)
9.9 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you. See Section 11 for details on our RADAR AI system.
Exercising Your Rights
- How to submit a request: Email us at legal@lexxsoft.com with a clear description of the right you wish to exercise.
- Identity verification: We may ask you to verify your identity (e.g., by confirming your registered email address) to prevent unauthorized access.
- Response time: We will respond to your request within one month, in accordance with Article 12(3) GDPR. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will inform you of any extension and the reasons within the initial one-month period.
- No fee: Exercising your rights is free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on them (Article 12(5)).
- Complaints: If you are unsatisfied with our response, you may lodge a complaint with the IDPC (see Section 14).
10. International Data Transfers
Lexx is established in Malta (EU/EEA). We store and process the majority of your personal data within the European Economic Area.
10.1 Transfers Outside the EEA
When we use Google Analytics 4, analytics data may be processed by Google on servers located outside the EEA (including in the United States). We ensure that such transfers are subject to appropriate safeguards:
| Recipient | Transfer Destination | Safeguard Mechanism | Reference | |---|---|---|---| | Google Ireland Limited / Google LLC | United States and other countries | Standard Contractual Clauses (SCCs) adopted by the European Commission, supplemented by additional technical measures | Commission Decision (EU) 2021/914 | | Stripe, Inc. | United States | Standard Contractual Clauses (SCCs), PCI DSS Level 1 | Commission Decision (EU) 2021/914 | | Freshworks Inc. (Freshdesk) | United States / EU | Standard Contractual Clauses (SCCs) | Commission Decision (EU) 2021/914 |
10.2 Safeguard Measures
For all international transfers, we ensure at least one of the following safeguards applies:
- Adequacy Decision: The European Commission has determined that the recipient country ensures an adequate level of data protection (GDPR Art. 45)
- Standard Contractual Clauses: We use EU-approved SCCs (GDPR Art. 46(2)(c))
- Supplementary measures: Where necessary, we implement additional technical and organizational measures following EDPB Recommendations 01/2020
You may request a copy of the transfer safeguards by contacting us at legal@lexxsoft.com.
11. Automated Decision-Making & AI Systems
11.1 RADAR — AI-Powered Market Analysis
Our RADAR system uses a combination of algorithms and artificial intelligence for market pattern detection and analysis. RADAR:
- Analyzes publicly available market data, price movements, and trading volumes
- Checks news and information sources for non-trading risks (e.g., exchange hacks, fraud indicators, regulatory actions)
- Works within our algorithmic infrastructure using market data only
11.2 No Processing of Personal Data
RADAR does not process, access, or interact with your personal data. Specifically:
- RADAR does not receive, access, or analyze any User personal data
- RADAR does not make decisions about individual Users
- RADAR does not create profiles of individual Users
- RADAR does not interact with clients directly
- RADAR operates exclusively on aggregated, publicly available market data
11.3 EU AI Act Classification
LEXX provides this disclosure as part of its commitment to responsible AI governance in accordance with Regulation (EU) 2024/1689 (EU AI Act). This means:
- We inform you that AI-generated content and outputs exist within the Service
- RADAR is not classified as a high-risk AI system, as it does not process personal data, does not make decisions with legal or significant effects on individuals, and does not fall within Annex III high-risk categories
- We maintain documentation of RADAR's design, capabilities, and limitations
11.4 No Automated Individual Decision-Making
We do not engage in automated decision-making based solely on automated processing (including profiling) that produces legal effects or similarly significant effects concerning you, as described in GDPR Article 22. No decisions about your account, subscription, access, or service delivery are made by automated means without human involvement.
12. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes described in this policy, or as required by law. The following table sets out our retention periods:
| Data Category | Retention Period | Basis | |---|---|---| | Account Data | Duration of account + 3 years after deletion | Contract performance; legitimate interests (fraud prevention); Maltese commercial law | | Profile Data | Duration of account; deleted upon account deletion | Contract performance | | Subscription & Billing Data | 7 years from end of financial year in which transaction occurred | Malta Companies Act, Cap. 386; EU VAT Directive 2006/112/EC; Maltese tax obligations (Income Tax Act, Cap. 123; VAT Act, Cap. 406) | | Exchange API Keys | Duration of account; securely deleted upon account deletion or key revocation | Contract performance | | Communication Data (support tickets) | 3 years after ticket resolution or account deletion, whichever is later | Legitimate interests (service improvement, legal claims) | | Server Logs | 90 days | Legitimate interests (security, debugging) | | Analytics Data (GA4) | 14 months (configured in GA4) | Consent | | Cookie Consent Records | 3 years | Legal obligation (ePrivacy Directive compliance, demonstrating consent) | | Contractual Records | 6 years after contract termination | Maltese statute of limitations (prescription period under the Civil Code, Cap. 16) |
Deletion and Anonymization
When the retention period expires:
- Personal data is securely deleted or irreversibly anonymized
- Backup copies are purged within 90 days of the primary deletion
- We use industry-standard secure deletion methods
You may request earlier deletion of your data by exercising your right to erasure (Section 9.4), subject to any legal obligations that require continued retention.
13. Data Security
We implement appropriate technical and organizational measures to protect your personal data, in accordance with GDPR Article 32:
Technical measures:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Encrypted storage of exchange API keys
- Regular security testing and vulnerability assessments
- Access controls and role-based permissions
- Automated intrusion detection and monitoring
- Regular security patches and updates
Organizational measures:
- Access to personal data limited to authorized personnel on a need-to-know basis
- Employee confidentiality obligations
- Incident response procedures for data breaches
- Regular review and update of security measures
Data breach notification: In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will:
- Notify the IDPC within 72 hours of becoming aware of the breach (GDPR Art. 33)
- Notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms (GDPR Art. 34)
Your responsibilities:
- Keep your account credentials confidential
- Control access to your email and devices
- Notify us immediately if you suspect unauthorized account access
- If you share access to your account with third parties, you are responsible for their actions
14. Complaints & Dispute Resolution
14.1 Contact Us First
If you have a concern about how we handle your personal data, we encourage you to contact us first so we can try to resolve the matter:
- Email: legal@lexxsoft.com
- Post: Data Protection Contact, Lexx Software Co. Ltd., Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta
14.2 Supervisory Authority
You have the right to lodge a complaint with a supervisory authority, in particular in the EU/EEA Member State of your habitual residence, place of work, or place of the alleged infringement (GDPR Art. 77).
Our lead supervisory authority is:
Information and Data Protection Commissioner (IDPC) Level 2, Airways House, High Street, Sliema SLM 1549, Malta Phone: +356 2328 7100 Email: idpc.info@idpc.org.mt Website: https://idpc.org.mt
14.3 Consumer Dispute Resolution
If you have a data protection complaint that we cannot resolve, you may contact the IDPC directly (see Section 14.2) or the consumer protection authority in your Member State.
15. Children's Privacy
The Service is not intended for, and we do not knowingly collect personal data from, children under the age of 16.
If you are under 16, do not use the Service or provide any personal data to us.
If we learn that we have inadvertently collected personal data from a child under 16 without verified parental consent, we will take steps to delete that data as quickly as possible. If you believe we may have collected data from a child under 16, please contact us at legal@lexxsoft.com.
16. Links to Third-Party Services
The Service may contain links to third-party websites and services, including cryptocurrency exchanges (Binance, OKX). We are not responsible for the privacy practices, content, or security of those third-party services.
We encourage you to read the privacy policy of any third-party service before providing personal data to them. Specifically:
Our Privacy Policy applies solely to information collected through our Service.
17. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify you by email or through a prominent notice on the Service before the changes take effect
- Where required by law (e.g., if we expand the types of personal data collected or introduce new processing purposes), we may ask for your explicit consent to the updated policy
Changes take effect on the date stated in the notification. Where changes require your consent under applicable law, we will seek it before implementation. We encourage you to review this policy periodically.
Previous versions of this policy are available upon request at legal@lexxsoft.com.
18. Governing Law & Jurisdiction
This Privacy Policy and any disputes arising from it are governed by the laws of Malta, without regard to its conflict-of-law provisions.
Any disputes relating to this Privacy Policy that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of Malta, without prejudice to your right to lodge a complaint with a supervisory authority under GDPR Article 77 or to seek a judicial remedy under GDPR Article 79 in the Member State of your habitual residence.
Nothing in this Privacy Policy limits any rights you may have under applicable EU consumer protection legislation, including the EU Consumer Rights Directive (Directive 2011/83/EU).
19. Contact Us
If you have any questions about this Privacy Policy, your personal data, or wish to exercise any of your rights, please contact us:
| Channel | Details | |---|---| | Legal & Privacy | legal@lexxsoft.com | | Support | support@lexxsoft.com | | General | office@lexxsoft.com | | Postal Address | Data Protection Contact, Lexx Software Co. Ltd., Office 2, Room 2, Blue Angel, Triq Belvedere, Gzira, GZR 1112, Malta |